Thursday, February 12, 2015

Focus on the Threat: Bank Heists

Thief Retrieves Cash, from Bloomberg Businessweek
The February 2nd issue of Bloomberg Businessweek featured a story titled Boom: Inside a British Bank-Bombing Spree. The article describes how "five men, dressed all in black" used "crowbars, power tools, coils of flexible tubing, and two large tanks of explosive gas" to blow apart ATMs in the UK, then retrieve cash inside.

The story opens by describing a raid that netted "almost £250,000, or about $375,000" and

was the group’s biggest score in a single night yet. Their MO, using cheap, common, and legal gas, was nearly impossible to trace, and they left precious little forensic evidence for the police. To stop the rampage, there was little Britain’s banks could do.

What is the history of this sort of attack? The article states:

Bank security experts think the first ATM gas attack may have been in Italy in 2001. Early statistics are shaky, but by 2005 there were almost 200 across the continent, according to EAST, or the European ATM Security Team. (Their figures include physical explosives, but gas dominates.) In 2013 there was a 31 percent increase from the year before, to 696 attacks in eight countries. Gas bomb gangs have struck in Australia (2008), Brazil (2010), and Chile (2014), but they’re primarily a European phenomenon. 

Now, I know how many of my readers think. They jump immediately to consider technical approaches for countering this attack pattern. Indeed, the Bloomberg article includes the following:

The rise in gas attacks has created a market opportunity for the companies that construct ATM components. Several manufacturers now make various anti-gas-attack modules: Some absorb shock waves, some detect gas and render it harmless, and some emit sound, fog, or dye to discourage thieves in the act.

This is the standard reaction from the tech community: treat every problem as an engineering challenge, preferably to be solved by a start-up!

Thinking in terms of the risk equation (R = V x T x A), the engineers want to reduce the Vulnerability, or V, and consequently reduce Risk, or R.

(It might also be possible to reduce A, or Asset value, by having less money in ATMs. As we move to a cash-deficient society, that's possible. However, it doesn't address the immediate problem -- dozens of crime scenes, with more expected.)

Suspects and Convicts: Bloomberg Businessweek
However, despite the friendly engineer's desire to refactor the environment, the article spends only the three sentences cited earlier on technical solutions. Instead, and appropriately here, the article explains how law enforcement worked on identifying and arresting the threat actors (T), eliminating them from the risk equation.

Now, it's entirely possible that other threat actors could take on the ATM-exploding mantle, replacing those who have been arrested. However, the police have demonstrated that they have the capability to perform threat attribution and containment. We will have to see if this sort of crime continues in the UK, or if it shifts elsewhere.

Incidentally, it may have been the introduction of better digital security that resulted in a rise of physical crime. The article says:

It’s a low-tech, low-investment, more immediate alternative to modern thievery involving card skimmers, PIN–capturing cameras, and malware. ATM fraud is declining steeply in Europe, EAST says, down 42 percent in the first half of 2014 compared with the same period in 2013, while physical attacks—explosions, plus crowbar jobs, “ram raids,” etc.—are up 3 percent.

What does this mean for the US?

As far as anyone knows, there has never been a gas attack on an American ATM. The leading theory points to the country’s primitive ATM cards. Along with Mongolia, Papua New Guinea, and not many other countries, the U.S. doesn’t require its plastic to contain an encryption chip, so stealing cards remains an effective, nonviolent way to get at the cash in an ATM. 

Encryption chip requirements are coming to the U.S. later this year, though. And given the gas raid’s many advantages, it may be only a matter of time until the back of an American ATM comes rocketing off.

The bottom line for me is this: it's entirely appropriate for engineers to develop more secure products to reduce vulnerabilities. However, it's also entirely appropriate for law enforcement to identify, arrest, and prosecute threat actors. That requires attribution and forensics. In other words, identifying the threat is a necessary and critical aspect of security, as it has been in the physical world and is finally being recognized as such in the digital world.

And for the record, I still like engineers and start-ups, including engineers who work at start-ups.
