Massive Computer-Assisted Fraud
Assorted business pages have been buzzing for the last several days about massive fraud at Société Générale, a major French bank. A mid-level trader allegedly exceeded his authorized access and cost the bank about €4.9 billion (~US$7.2 billion) via fraudulent and risky trades. Some analysts suspect that unwinding the mess contributed to the European stock market woes on 21 January.
What makes this story relevant to this blog is the computer angle. The person blamed had good computer skills:
Colleagues described him as a "computer genius" who was allegedly able to hack into the bank’s computers to hide his trading, until a basic slip-up on Friday, when he failed to disable the bank’s automatic alert system and his irregular trading suddenly showed up.It might not be technically sophisticated hacking; other references say that he wasn’t that good with computers. What he did, it appears, was use other people’s passwords.
There were other issues:
Even before his massive alleged fraud came to light, Kerviel had apparently triggered occasional alarms at Société Générale — France’s second-largest bank — with his trading, but not to a degree that led managers to investigate further."Our controls basically identified from time to time problems with this trader’s portfolio," Mustier said.
But Kerviel explained away the red flags as trading mistakes, Mustier added.
There are thus (at least) three issues. First, he was able to use other people’s passwords. The obvious security guy reaction to that is to say that some form of one-time password system should have been used. That would certainly be a good idea, but it isn’t clear that it would have solved the underlying problem. How common was sharing accounts or making improper trades at the bank? Did the corporate culture tolerate or even encourage such behavior? That’s a management failure, not a technical issue.
There’s a second reason to wonder about management. The Wall Street Journal reports that the fraudulent trades started a year earlier than had been reported. He deflected management inquiries in a variety of ways; sometimes he’d "fabricate email messages from nonexistent trading partners to deflect supervisors’ concerns about unusual trades, a police official said." There are technical mechanisms that can guard against forged emails, but these have their limits; in particular, someone who creates a dummy company can "forge" email from it. The recipients would have to know that the company was fake to detect the problem.
The third issue concerns the knowledge that he used. A bank executive said that Kerviel had used "knowledge of the bank’s risk-control software systems that he had gained from a previous back-office position". Ideally, security systems should work even against a knowledgeable attacker. But if he knew that procedures weren’t, in fact, followed — and again, that’s a management issue — he could easily have exploited it.