"The use of legitimate technology meant the software was not picked up by anti-virus scanners."

It's not legitimate technology if you don't want it. What scanners will pick up this crap?

I think I could do a better job than they did. No need to be a computer expert, just be reasonably competent.

Black heli and anon just in case I decide to do it better than them.

Still using the word "Cyber" are we? Feels like 1985 all over again.

Paris because she cyber Paris something cyber something something Paris.

interesting. and it has an it angle for a change..

This appears to be a good example of excellent old school detective work. So there was after all no need for a DNA database or a fingerprint register - that is good to know that there still are detectives who can do a proper job without excuses pointing at technological solutions. The cameras were used yes - but this could have been done even in countries where the detectives would have had to request a court order for viewing old recordings...

So good stuff - our government should take note - no need at all for a database including the whole DNA database of the population.

"When challenged by other workers, O'Donoghue claimed the pair were there only for a card game."

Why didn't the other workers report this? Since when is inviting you buddies over to your work place to play cards acceptable behavior?

... the banks weren't so quick off the mark when it came to their own directors contributing to a 'loss' of £20 bastard billion. These crims didn't get away with a red cent but get banged up. The banks (although not AFAIA, Sumitomo) even rewarded their directors for the rip-off.

But don't get me started...

Grrrrr gnash....

No wonder they could'nt investigate Phorn then.

Now how many UK (not the UK arm of a foreign bank) banks would actually noticed something had been tried?

How many UK banks would have reported it if they had?

How many UK banks would have written off the loss if it worked as "It would undermine confidence in the banking system if we were known to have been taken"

There is a UL of a small merchant bank in the City of London where over time 1 operator was given all necessary keys to run SWIFT transfers. One Friday morning his fellow operator called in sick. The banks entire cash base hinged on one man's integrity, wheather he had any offshore bank accouts and a valid passport. It held that time. But you got to wonder has it ever failed?

My money talks:- it says "Goodbye".

Mine's the one with the poem on the back:-

"Whack a Jacqui a day

Keep the miseries away"

4 years in prison fo failing to nick £229m? Barely a slap on the wrists and hardly a deterant is it!! Hmmm, fail and get 4yrs in prison, succeed and walk with £229 Million !!! Sounds like a risk worth talking to many a crook!

I'm impressed that an international money transfer system that can shift billions around the world works using just username and password (no two factor authentication?) over a WEBSITE, and that the bank's staff just use bog standard Windows boxes (not even locked down enough to prevent or detect the installation of unauthorised apps!) to access this.

This bank almost deserved to get ripped off, and then go down when it's customers played hell and withdrew their funds!

Looks like a bad bodge job to me...

"Security supervisor Kevin O'Donoghue" needed to spend 5 mins looking at how to fill in the form properly and he'de have had millions!

Doh.

Paris, because only she would manage the same error.

Passwords are proved to be the most secure form of auth, cripes, when will people running stuff as important as this wake up?

General Sir Kevin O'Donoghue is it? I mean that would explain why he needs the money- it'd help pay for those F-35Bs he's just bought!

Of all the names in the known universe, that's an odd one to crop up twice in a day on a single website. Within a couple of hours of each other.

Anyways, well done Police! Actually detecting and spending time on things rather than just saying "Meh, I wish we had a DNA database. Then we could catch them all".

I suggest that the issue here is perhaps that the anti-virus software was not set to detect Spyware/Greyware, but only known Malware (i.e. containing a pattern matched to a known virus signature).

I have seen a number of organisations where the 'Greyware' option was switched off. Common arguments include 'user privacy', 'too many false alerts', 'poor performance'.

Common results when switching it on include detection of lots of interesting software installed on IT department PCs...

SWIFT transfers are not executed through a website. Banks generally use terminal software. In the bank I had the pleasure of working for a significant period of time (a prominent British bank), several operators could use the terminal software, but it still required approval from supervisors in the treasury department to execute the transfer.

Hence the requirement from the crims to need a "normal" user and a "supervisor" to execute the SWIFT transfers. And if everything's not perfectly in order, SWIFT won't accept the transfer and flag it up.

If you think that counter staff in a local branch are allowed to execute SWIFT transfers via Intranet sites, think again. Their requests are only queued and only executed once the written signature of the transferrer (the person requesting the transfer, i.e. the customer) is received (via scan or other managerial approval). They tend to go into batches anyway and a batch is executed.

It's not all just username and password. If it was, a LOT of people would be tempted to "just do it" and simply not come back to work that afternoon...

"Afghanistan Bananistan "

Nice. I love that film

Please don't call them hackers. They've done nothing to deserve the term. It was a clever, if botched, high-tech theft. But installing a commercial key logger hardly qualifies as hacking.

I'd say this isn't the biggest crime to have been committed in the City of London. £200-odd million is chicken feed in comparison to the billions lost in 'legitimate' business, pension swindles and extravagant bonuses. They could do a lot worse than having the odd 'cyber criminal' fleecing them once in a while rather than their own employees.

Mine's the one with the taxpayer funded golden parachute on the back

"Hackers my arse", as Jim Royle would say.

Real hackers don't screw up big time like these guys. If they wanted to leave no trace of their passing they would have done but they were so incompetent, they left a readily available key-logger on the machines. Numptys!

They should have been sentenced to 30 years, just for being so useless!!

Always wondered if anyone would finally cotton on to trying to use the Swift system to rake out cash in a similar method to the Richard Pryor character in Superman 3. A penny here a penny there, soon adds up.

Moral is as usual, the security is only as good as the weakest link, usually the link with the boney fingers sitting in front of the keyboard!

I can't believe the good people of The Reg missed the comedy gold of Laptop and Ponytail. It sounds like the set up for a multi-million dollar publishing industry spanning seven thick popular novels.

If you ever cover this again, please mention Messeurs Laptop and Ponytail in the title so that I will know to read it.

How were they able to install the keystroke logging software on the machines? Presumably these were machines running some flavor of Windows. (or perhaps xNIX) Even the laxest security policy should require a company's workstations to 'lock' the screen after some timeout period, and 'normal' users shouldn't have admin rights. And/or if some flavor of Linux or Unix, the root passwords should be unknown. So how was it done? A pw reset disk would work with Windows, if you could boot off of media on restarting the workstations, but this too could/should have been locked out on these, and while somewhat trivial to bypass, it would have required much more of a time investment. So despite a traitorous security guard, just how lax was the internal security to allow installation of a keylogger? You can of course get the type that plug between a keyboard and the workstation, and some are quite small, but the article says software was used. So how was this accomplished? Inquiring minds want to know...

"to rake out cash in a similar method to the Richard Pryor character in Superman 3."

I have't' thought of that in years. Robert Vaugh saying how dare the Columbians disrupt a free market, after he'd cornered it.

It's called a salami fraud. SWIFT, IIRC is was restricted to transfers quite a lot above that.. When I last looked at the system it was about £15k minimum, but I imagine it's gone up

Salamini frauds are (AFAIK) only really possible with compuererised accounting systems. You might use a SWIFT transfer to get the money out of the company once it had accumulated in a holding account, but not to remove less than pennies per transaction.

Mine will be the one with the half eaten sandwich of dry processed meat products in.

Sure "digital fingerprint" sounds convincing, but El Reg is a technical publication. Since it seems unlikely that the PCs did a MD5 hash of every inserted USB stick, did they mean nothing more than the "make, model and serial number" of the USB stick?