
How bank hackers beat Barclays

High-tech bank robbers pulled off a heist from right under the noses of data security guards at the world's third largest bank.

The robbers were so quick off the mark that they broke through Barclays' security while its top people were working to keep them out.

Patrick Romain, head of information security at Barclays, told the story of derring-do at the annual meeting of the Internet Society in London.

Some might think, in an age of fat cats, private jets and worthless working-class pensions, that this was an act of subversive brilliance. Not Barclays. The bank chased these hackers down and had them thrown in prison.

And good thing too. Because before we hear how these hackers did it, we've got to get one thing straight: unless you're Michael Caine, Clint Eastwood or Faye Dunaway, robbing banks is bad. You shouldn't do it. Some people work hard to get rich. They think they have a right to keep their cash to themselves.

Zero-day hokum
The blighters who got at Barclays did it with a zero-day attack. That's the trade name for a hack the bank didn't know about. By definition, any decent hack will be one the victim doesn't know about. But the security industry has had to come up with another word for hacking because hackers have started to become folk heroes.

A zero-day attack is just like any decent hack, except it sounds like a cross between ground zero and doomsday. 'Zero day' is a stupefacient drug of a phrase, concocted (most probably) by artful marketing executives to make you think that hacking is not merely breaking and entering but singularly evil.

Most of us have swallowed 'zero-day' hook, line and sinker. It sits lurking in an ill-defined corner of our minds, in a fearful soup of uncategorised horrors and other computer jargon.

The Barclays hack
The Barclays hackers used their zero-day attack (or hack) to get round the security gate timers the bank's engineers had put in its website software.

It was the hacking equivalent of sitting outside the bank in a Ford Cortina, and checking your watch every time the rent-a-cop does his rounds and the bank manager pops out for his lunch-time massage.

Barclays thought it was prepared for this sort of reconnaissance, said Romain. The bank's security team had reviewed the software behind its website payment system and got everything ship-shape.

They checked how their banking software handled internet transactions. Real people tend to fumble and faff about at their computers. It can take some old timers half a day just to enter their card number.

Yet automated software bots designed by hackers can spit out instructions as fast as the bank computer will receive them. Software like this pretends to be a bank customer, but is far too efficient to be a real person at all.

They're just questions, Leon
The software that processed Barclays' internet transactions didn't check for a human-like time delay. "So it was really open to an automated attack that just said, 'make payments, make payments, make payments'," said Romain.

He set his team on rewriting Barclays' software so it detected anyone doing their Internet business faster than was humanly possible.

(This does make one wonder why banks can't also simply have one computer tell another, 'No, there's not enough money in this account to process that direct debit' and then only take the money when it is available, instead of fining customers £35 for not having any money. Whoever thought it was a good idea to fine someone for not having money? Really, it's daylight robbery. But that's another story).

"It took us a while," said Romain. "It took us about three or four months to recode it, to have specific time delays to match how a fraudster would work. When we finally got attacked we saw it coming and shut it down.

"We shut it down immediately because the automated attack hacked into the system and was executing commands through payment in 4.1 seconds. Impossible for a human to do," he said.

It was a "big success," said Romain. "We won."

False dawn
He barely had time to whoop it up with his banking buddies before the hackers were back.

Romain told the London conference how the hackers had duped the bankers into thinking their vault door had held firm.

"Four hours later I got a call from my fraud team. 'They're back. They executed a payment'. I went, 'How is that possible?'."

The hackers had rewritten their hacking software.

"They realised what we were doing and they put in delays 30 to 40 seconds between each step. It took them four hours to change their code to counter my counter measure," said Romain.

It had taken Barclays four months to change its banking software. It took the hackers just four hours to check out how it operated, reprogramme their hacking software and pull off their heist when nobody was looking. It was a classic case of misdirection.

"That's the kind of people we are dealing with out there," said Romain.
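The timing check described above, and the reason the slowed-down bot passed it, as an added example (not Barclays' code or anything shown in the talk). The step timestamps are constructed, both thresholds are assumed values, and the evenness check is an extra heuristic added here for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data: seconds elapsed at each step of a payment flow
# (log in, pick payee, enter amount, confirm, submit). Not real bank logs.
SESSIONS = {
    "fast_bot":  [0.0, 1.0, 2.1, 3.0, 4.1],        # whole flow in 4.1 s, as in the article
    "paced_bot": [0.0, 32.0, 67.0, 103.0, 136.0],  # 30-40 s between steps, as in the article
    "human":     [0.0, 14.0, 95.0, 121.0, 240.0],  # uneven pauses, constructed
}

MIN_TOTAL_SECONDS = 20.0  # assumed floor for a person completing the flow
MAX_GAP_CV = 0.15         # assumed: people rarely pace every step this evenly


def gaps(timestamps):
    """Seconds between consecutive steps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def too_fast(timestamps):
    """The countermeasure from the article: faster than humanly possible."""
    return timestamps[-1] - timestamps[0] < MIN_TOTAL_SECONDS


def too_regular(timestamps):
    """Added heuristic: coefficient of variation of the step gaps is very low."""
    g = gaps(timestamps)
    avg = mean(g)
    return avg > 0 and pstdev(g) / avg < MAX_GAP_CV


def classify(timestamps):
    """Return the list of timing signals a session trips (empty = none)."""
    reasons = []
    if too_fast(timestamps):
        reasons.append("too_fast")
    if too_regular(timestamps):
        reasons.append("too_regular")
    return reasons


if __name__ == "__main__":
    for name, ts in SESSIONS.items():
        print(f"{name:10s} total={ts[-1]:6.1f}s signals={classify(ts)}")
```

The paced session clears the minimum-time check on its own, which is the gap the story turns on; any fixed threshold like these also has to be weighed against the false positives discussed further down.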

The sky hadn't quite fallen down. The vault door wasn't hanging off its hinges. But the robbers had got all they needed: one transaction. Romain didn't say how much they got away with.

Neither did he say who they were, but his story did conjure the archetypal image of an alarm sending security guards running in all directions, while the burglar strolls in through the front door wearing fake hair and comedy glasses.

This may explain why Romain later retracted his story. He said it was just a hypothetical example. There had been no hack attacks on Barclays. Well, reader, make up your own mind on that one. Who do you believe - Romain, or Romain?

False positives
More importantly, how did the hackers get in to make their transaction in the first place? One way they do it is by spoofing banking websites and asking customers for personal details that might then be used to open those same bank accounts by strolling right through the front door with legitimate pass-codes.

Romain displayed a fake Barclays web-page the bank had discovered. He showed it alongside a Barclays original on a screen overlooking the conference hall in London's Park Lane Sheraton Hotel.

It was hard to tell the difference. Barclays customers, it must be presumed, thought the same, gullibly handing over pass-codes and personal information to salivating hackers.

"This just popped up," said Romain. "And it was effective."

That is the defining problem in the security game: picking out the scoundrels amongst the throng of decent people, and stopping them before they make off with everyone's money.

Romain's team too can't rest on their laurels. His security software may now be able to detect a computer behaving like a human, but it may not be able to spot a banker behaving like a computer.

False leaders
This may be a problem for banks because the bankers themselves can be indistinguishable from the automatons hackers design to filch money from the system when nobody's looking. That is not to say that bankers filch money.

It has merely been said that your average pinstripe has a brain that operates so efficiently that he could perform a money transfer 0.00001 seconds faster than a bot designed by the best Bratislavan hackers.

There is therefore a risk that innocent bankers might jam their own security software just by being so hot at totting numbers at a keyboard. They'd be flagged as what are called false positives - when the security software thinks a transaction is fraudulent when it's not. It may look like daylight robbery, but it would actually stand up in a court of law.

Heck, bankers are so hot that if you set one against a replicant in a bank telling competition, neither Philip K Dick nor Alan Turing would be able to tell the difference.

If the security boys can solve that one, they'll have done their job protecting the status quo we all know and love so well: the one in which crime doesn't pay; and in which if you want more money than you need it's wiser to become a banker than a robber, if not as much fun.