back to article How police busted UK's biggest cybercrime case

The story of the investigation into the failed multi-million pound cyberheist at Sumitomo Bank can finally be told, following the recent conviction and sentencing of its perpetrators. The audacious Mission Impossible-style scam, which brought a pair of hackers and a bent insider together with other fraudsters, sought to spirit …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. Anonymous Coward
    Black Helicopters

    Doesn't seem that hard..

    I think I could do a better job than they did. No need to be a computer expert, just be reasonably competent.

    Black heli and anon just in case I decide to do it better than them.

  3. Stef
    Paris Hilton

    Insert witty title here

    Still using the word "Cyber" are we? Feels like 1985 all over again.

    Paris because she cyber Paris something cyber something something Paris.

  4. Hans

    Spot the difference?

    OK, full marks to the Police team for diligence and tenacity rarely seen in their usual blunderings.

    However, herein lies the evidence of the difference between Police attitudes to crimes against corporate bodies and those against typical members of Joe Public - who may well be the victims of corporate crime, but happily ignored.

    "Oi Vey, money talks, my boy"

  5. Lol Whibley
    Thumb Up

    quite

    interesting. and it has an it angle for a change..

  6. Anonymous Coward
    Thumb Up

    Brilliant

    This appears to be a good example of excellent old school detective work. So there was after all no need for a DNA database or a fingerprint register - that is good to know that there still are detectives who can do a proper job without excuses pointing at technological solutions. The cameras were used yes - but this could have been done even in countries where the detectives would have had to request a court order for viewing old recordings...

    So good stuff - our government should take note - no need at all for a database including the whole DNA database of the population.

  7. Anonymous Coward
    Boffin

    There to play cards?

    "When challenged by other workers, O'Donoghue claimed the pair were there only for a card game."

    Why didn't the other workers report this? Since when is inviting you buddies over to your work place to play cards acceptable behavior?

  8. Chris Miller

    And the moral is

    Even the best IT security is useless if the bad guys can gain physical access to sensitive equipment.

  9. Juan Inamillion
    Alert

    Shame...

    ... the banks weren't so quick off the mark when it came to their own directors contributing to a 'loss' of £20 bastard billion. These crims didn't get away with a red cent but get banged up. The banks (although not AFAIA, Sumitomo) even rewarded their directors for the rip-off.

    But don't get me started...

    Grrrrr gnash....

  10. John Smith Gold badge
    Joke

    14 bods over 2 years

    No wonder they could'nt investigate Phorn then.

    Now how many UK (not the UK arm of a foreign bank) banks would actually noticed something had been tried?

    How many UK banks would have reported it if they had?

    How many UK banks would have written off the loss if it worked as "It would undermine confidence in the banking system if we were known to have been taken"

    There is a UL of a small merchant bank in the City of London where over time 1 operator was given all necessary keys to run SWIFT transfers. One Friday morning his fellow operator called in sick. The banks entire cash base hinged on one man's integrity, wheather he had any offshore bank accouts and a valid passport. It held that time. But you got to wonder has it ever failed?

  11. Danny

    Admin access

    I presume the security expert had admin access. Even in my place we have strict GPO along with whitelist of executables. If anything other than the whitelist are executed on the machines then this flags up on our monitoring - easy to spot in an investigation!

  12. DR

    @AC iOpus Starr *is* malware

    umm.. I don't use, (and therefore don't want IE).

    by your definitions this is malware and all computers running windows are infected?

    Virus scanners report malware and viruses, not legitimately installed software...

    if you started tagging all legitimately installed software as a virus or malware then you'd only serve to put people in a position where they are told it's OK to ignore the messages from the virus scanner because it's probably ok, just another false positive, something that you need on there...

  13. thefutureboy

    Afghanistan Bananistan

    They should've just hypnotised the manager to open up the safe when told a magic phrase.

  14. Ted Treen
    Coat

    @Hans

    My money talks:- it says "Goodbye".

    Mine's the one with the poem on the back:-

    "Whack a Jacqui a day

    Keep the miseries away"

  15. Tom Chiverton Silver badge

    Repeat after me...

    Repeat after me "there is no such thing as an legitimate key logger".

  16. Simon B
    Pirate

    Fail and get slap on wrist, succeed and take £229m - Worth a go innit!

    4 years in prison fo failing to nick £229m? Barely a slap on the wrists and hardly a deterant is it!! Hmmm, fail and get 4yrs in prison, succeed and walk with £229 Million !!! Sounds like a risk worth talking to many a crook!

  17. Anonymous Coward
    Stop

    COTS software and security

    I'm impressed that an international money transfer system that can shift billions around the world works using just username and password (no two factor authentication?) over a WEBSITE, and that the bank's staff just use bog standard Windows boxes (not even locked down enough to prevent or detect the installation of unauthorised apps!) to access this.

    This bank almost deserved to get ripped off, and then go down when it's customers played hell and withdrew their funds!

  18. Anonymous Coward
    Anonymous Coward

    formatting

    formatting the pcs was daft

    evidently there's no time to properly format them either

    why did they not just remove the hard disks and then dispose of them afterwards?

    also - i think using a key-logger is a bit high-tech isn't it?

    most place i've worked, you'd be able to find those usernames/passwords on post-it notes and the backs of notepads on the users desks

  19. Anonymous Coward
    Paris Hilton

    Not a police win, more a crime loss

    Looks like a bad bodge job to me...

    "Security supervisor Kevin O'Donoghue" needed to spend 5 mins looking at how to fill in the form properly and he'de have had millions!

    Doh.

    Paris, because only she would manage the same error.

  20. go
    Coat

    Once again.....

    Passwords are proved to be the most secure form of auth, cripes, when will people running stuff as important as this wake up?

  21. Anonymous Coward
    Thumb Up

    This isn't

    General Sir Kevin O'Donoghue is it? I mean that would explain why he needs the money- it'd help pay for those F-35Bs he's just bought!

    Of all the names in the known universe, that's an odd one to crop up twice in a day on a single website. Within a couple of hours of each other.

    Anyways, well done Police! Actually detecting and spending time on things rather than just saying "Meh, I wish we had a DNA database. Then we could catch them all".

  22. pc
    Flame

    Malware vs Greyware

    I suggest that the issue here is perhaps that the anti-virus software was not set to detect Spyware/Greyware, but only known Malware (i.e. containing a pattern matched to a known virus signature).

    I have seen a number of organisations where the 'Greyware' option was switched off. Common arguments include 'user privacy', 'too many false alerts', 'poor performance'.

    Common results when switching it on include detection of lots of interesting software installed on IT department PCs...

  23. ian

    ".. staff subjected to .. robust questioning."

    Were they sent to Guantanamo for a bit of water-boarding or stress positioning?

    Playmobil reenactment, or it never happened!

  24. Anonymous Coward
    Thumb Down

    Re: COTS software and security

    SWIFT transfers are not executed through a website. Banks generally use terminal software. In the bank I had the pleasure of working for a significant period of time (a prominent British bank), several operators could use the terminal software, but it still required approval from supervisors in the treasury department to execute the transfer.

    Hence the requirement from the crims to need a "normal" user and a "supervisor" to execute the SWIFT transfers. And if everything's not perfectly in order, SWIFT won't accept the transfer and flag it up.

    If you think that counter staff in a local branch are allowed to execute SWIFT transfers via Intranet sites, think again. Their requests are only queued and only executed once the written signature of the transferrer (the person requesting the transfer, i.e. the customer) is received (via scan or other managerial approval). They tend to go into batches anyway and a batch is executed.

    It's not all just username and password. If it was, a LOT of people would be tempted to "just do it" and simply not come back to work that afternoon...

  25. Stef
    Thumb Up

    @ thefutureboy

    "Afghanistan Bananistan "

    Nice. I love that film

  26. Anonymous Coward
    Dead Vulture

    "Hacker" indeed

    Please don't call them hackers. They've done nothing to deserve the term. It was a clever, if botched, high-tech theft. But installing a commercial key logger hardly qualifies as hacking.

  27. Anonymous Coward
    Anonymous Coward

    Hmm...

    Having worked in UK finance (banks/pensions and finance companies) for well over 10 years, I have never seen a system that uses the internet to make payments, I have however seen various intranet hosted terminal apps.

    Payments _always_ require to be authd, so single person can make a payment. This is two factor authentication, just because there isn't an RSA tag involved doesn't mean to say it isn't two factor. The sytems that make these payments were almost certainly around before RSA tags were an option.

  28. Throatwobbler Mangrove

    at the risk of being a pedant...

    ...it seems to me that it wasn't "the police" that busted UK's biggest cybercrime case, it was the bank itself. Am I misunderstanding?

    Can El Reg clarify who exactly it is that employs our smiling friend in the photo on the first page - Sumitomo Bank, Sumitomo's consultants, or the police? The article says that he *used* to be employed by the state.

    Also: IME, police forces outside London are often not interested or skilled enough to prosecute a range of frauds, regardless of who they happen to. One of the ways companies are able to still get their frauds seen to (which is rare, but that's a different story) is by having private investigators put together what is essentially a "ready-made" package of evidence statements etc for the cops to look at and hopefully make arrests on. This is obviously an avenue open to ordinary punters too, but it's easier if your boss is the Chief Inspector's old golf buddy or you employ 300 people in the town etc.

  29. b166er

    George

    and Bungled.

    Makes me wonder how much does get pinched by more intelligent outfits. No wonder the banks are in trouble, lending us more than we can repay and at the same time charging us plenty for covering incidents like this.

  30. Kieron McCann
    Coat

    In light of recent events...

    I'd say this isn't the biggest crime to have been committed in the City of London. £200-odd million is chicken feed in comparison to the billions lost in 'legitimate' business, pension swindles and extravagant bonuses. They could do a lot worse than having the odd 'cyber criminal' fleecing them once in a while rather than their own employees.

    Mine's the one with the taxpayer funded golden parachute on the back

  31. Niall Campbell
    Stop

    FAIL!!!!

    "Hackers my arse", as Jim Royle would say.

    Real hackers don't screw up big time like these guys. If they wanted to leave no trace of their passing they would have done but they were so incompetent, they left a readily available key-logger on the machines. Numptys!

    They should have been sentenced to 30 years, just for being so useless!!

  32. The Fuzzy Wotnot
    Thumb Up

    Swift!

    Always wondered if anyone would finally cotton on to trying to use the Swift system to rake out cash in a similar method to the Richard Pryor character in Superman 3. A penny here a penny there, soon adds up.

    Moral is as usual, the security is only as good as the weakest link, usually the link with the boney fingers sitting in front of the keyboard!

  33. Anonymous Coward
    Heart

    Laptop and Ponytail

    I can't believe the good people of The Reg missed the comedy gold of Laptop and Ponytail. It sounds like the set up for a multi-million dollar publishing industry spanning seven thick popular novels.

    If you ever cover this again, please mention Messeurs Laptop and Ponytail in the title so that I will know to read it.

  34. spam

    7 - 14 officers over 2 years

    All fine work, but I wonder how much manpower and resources would have been devoted to a murder or rape investigation. Seems the justice system always puts extra effort (and usually longer prison sentances) into solving cases where there's money involved.

  35. Anonymous Coward
    Unhappy

    How were they able to install the keylogger?

    How were they able to install the keystroke logging software on the machines? Presumably these were machines running some flavor of Windows. (or perhaps xNIX) Even the laxest security policy should require a company's workstations to 'lock' the screen after some timeout period, and 'normal' users shouldn't have admin rights. And/or if some flavor of Linux or Unix, the root passwords should be unknown. So how was it done? A pw reset disk would work with Windows, if you could boot off of media on restarting the workstations, but this too could/should have been locked out on these, and while somewhat trivial to bypass, it would have required much more of a time investment. So despite a traitorous security guard, just how lax was the internal security to allow installation of a keylogger? You can of course get the type that plug between a keyboard and the workstation, and some are quite small, but the article says software was used. So how was this accomplished? Inquiring minds want to know...

  36. Anonymous Coward
    Anonymous Coward

    not detecting legitimate technology

    "Returning to work after the weekend break, Sumitomo staff noticed that PCs had been tampered with"

    "The use of legitimate technology meant the software was not picked up by anti-virus scanners. And there was no traffic going into or out of the network so it couldn't be detected that way"

    This doesn't make technological sense. The ability to install any software meant the so called anti-virus scanners failed. As is demonstrated in the Cornflicker infestation. And if the bank is relying on 'anti-virus scanners' to protect the network it begs the question as to the quality of security at the bank.

  37. John Smith Gold badge
    Happy

    @The Fuzzy Wotnot

    "to rake out cash in a similar method to the Richard Pryor character in Superman 3."

    I have't' thought of that in years. Robert Vaugh saying how dare the Columbians disrupt a free market, after he'd cornered it.

    It's called a salami fraud. SWIFT, IIRC is was restricted to transfers quite a lot above that.. When I last looked at the system it was about £15k minimum, but I imagine it's gone up

    Salamini frauds are (AFAIK) only really possible with compuererised accounting systems. You might use a SWIFT transfer to get the money out of the company once it had accumulated in a holding account, but not to remove less than pennies per transaction.

    Mine will be the one with the half eaten sandwich of dry processed meat products in.

  38. Glen Turner
    IT Angle

    WTF is a "digital fingerprint"

    Sure "digital fingerprint" sounds convincing, but El Reg is a technical publication. Since it seems unlikely that the PCs did a MD5 hash of every inserted USB stick, did they mean nothing more than the "make, model and serial number" of the USB stick?

This topic is closed for new posts.

Other stories you might like