This year a bank robber stole £1.3 million without touching a penny. Today's master criminals are swapping shotguns for software – here's how they do it


Earlier this year, a man walked into a branch of Barclays in north London and stole £1.3 million without touching a single bank note. Instead, he posed as an IT technician and installed a device to siphon off the cash electronically.

News of the robbery emerged last month when eight men were arrested, a week after police foiled a similar plot against Santander. It seems that bank robbers are giving up shotguns for software. Here’s how they do it.

Bogus tech support


The Barclays and Santander plots involved installing a device called a keyboard video mouse switch. Such switches are commonly used in data centres to control multiple computers from a single terminal, and by connecting one to a 3G router the crooks were able to remotely access Barclays’ machines over the cellphone network. They used this access to transfer money to their own accounts, but Barclays noticed and reported the theft a day later.

“The hard part is not getting in the bank to do the transfer, but getting the money out of the bank into some form you can spend without getting caught in the process,” says Steven Murdoch, a security researcher at the University of Cambridge.

Go phishing

If you can’t rob a bank directly, go after its customers. These days most of us know not to open suspicious emails claiming to be from our bank, but people do still fall for such phishing attempts, inadvertently handing over their passwords to crooks by logging in to fake websites. Many banks now issue physical tokens that provide secondary authentication designed to foil these attacks, but not all do.

Convert your way to wealth

One unlikely way to take a bank’s cash involves currency conversion. Swap $10 for pounds through your online account and you will receive £6.22 at current rates – your bank rounds to the nearest penny. But if you exchange 1 cent, the rounding means you will get 1 penny, a significant profit. Set software to do this over and over, and soon you will be sitting on a tidy sum.

Banks prevent this by setting a minimum conversion amount or limiting the number of exchanges per day, but some have only realised they were under attack once it was too late. “Two of our banking customers have lost money through currency-rounding attacks,” says Mitja Kolsek of Acros Security in Maribor, Slovenia. “One of them lost around €30,000 before it noticed and blocked it.”
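The two defences named above, a minimum conversion amount and a daily limit, sketched as an added example that is not from the article or from any bank's code. The 0.622 rate comes from the article's $10 to £6.22 figure; the $1.00 minimum, the cap of five per day and all names are assumptions.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

RATE = Decimal("0.622")    # USD -> GBP, implied by the article's $10 -> £6.22
PENNY = Decimal("0.01")
MIN_USD = Decimal("1.00")  # assumed minimum conversion amount
MAX_PER_DAY = 5            # assumed limit on conversions per account per day


def convert_nearest(usd):
    """Convert and round to the nearest penny, as the article describes."""
    return (usd * RATE).quantize(PENNY, rounding=ROUND_HALF_UP)


def rounding_gain(usd):
    """Pounds the customer gains (+) or loses (-) purely from rounding."""
    return convert_nearest(usd) - usd * RATE


def max_daily_gain():
    """Upper bound on rounding profit per account per day once the cap applies.

    Nearest-penny rounding can never add more than half a penny per conversion.
    """
    return MAX_PER_DAY * PENNY / 2


class ConversionGuard:
    """Applies both limits before performing a conversion."""

    def __init__(self):
        self.count = defaultdict(int)  # (account, day) -> conversions so far

    def convert(self, account, day, usd):
        if usd < MIN_USD:
            raise ValueError("below minimum conversion amount")
        if self.count[(account, day)] >= MAX_PER_DAY:
            raise ValueError("daily conversion limit reached")
        self.count[(account, day)] += 1
        return convert_nearest(usd)


if __name__ == "__main__":
    # Constructed sample: the 1-cent case from the article, then the guarded path.
    print("1 cent  ->", convert_nearest(Decimal("0.01")), "gain", rounding_gain(Decimal("0.01")))
    guard = ConversionGuard()
    print("$1.00   ->", guard.convert("acct-1", "day-1", Decimal("1.00")))
    print("max rounding gain per day:", max_daily_gain())
```

With these assumed limits the rounding profit left to any one account is at most 2.5 pence a day, against 0.378 pence on every 1-cent conversion when no limits apply.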

Clone cards

Credit and debit cards are often targeted by criminals, either by stealing individual cards or modifying ATMs to record card details and PINs. The account details are copied on to blank cards and then used to withdraw money or buy goods to sell on.

Many countries use a chip and PIN system to prevent this, so criminals have got into the habit of taking cloned cards to the US, where the system is not yet in widespread use.

Some take this even further. Earlier this year, eight people were arrested in New York for cloning cards and hacking bank systems to raise each card’s account limit, before withdrawing nearly $45 million from ATMs around the world.

Distract with a DDoS

Bank robbers can knock out CCTV and disable alarms before they break into the bank. The electronic equivalent is a distributed denial-of-service attack (DDoS), in which large volumes of network traffic hammer a bank’s systems, giving criminals the cover they need. “While the bank’s IT staff is scrambling to keep its servers online and running, criminals are transferring money from users’ accounts,” says Kolsek. Last year the FBI warned that criminals could get their hands on millions using software costing just $200.