Lax security processes may have aided rogue trader

Management rather than procedures may be to blame
  • Jeremy Kirk (Unknown Publication)
  • 10 February, 2008 22:00

The huge losses reported by French bank Société Générale, apparently caused by a rogue trader with inside knowledge of the bank's procedures, don't necessarily point to an IT systems failure, but rather to poor management of those systems, analysts say.

The bank has accused 31-year-old employee Jerome Kerviel of creating a fraudulent trading position in the bank's computers that ultimately caused it to lose around €4.9 billion (NZ$9.2 billion).

Kerviel achieved this by, among other things, misappropriating computer passwords, the bank says. It has revealed few other technical details of what caused the losses.

Management of passwords, including rescinding the old passwords of employees who move to different positions within the bank, or modifying the level of access those passwords allow, is often a task given to the lowest-level IT worker.

"It's dull and routine 99% of the time, but a vital backstop," says Bob McDowall, senior analyst at the TowerGroup. Senior IT managers should conduct more frequent reviews of password policies, he says.

In some cases, it may not have been the security of the passwords themselves that posed a problem, but rather the access those passwords allowed, says Ian Walden, professor of information and communications law at Queen Mary, University of London.

Organisations tend to think of access as being binary in nature: you get access to it all, or you don't, Walden says. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated," he says.

To make the best use of systems with advanced access controls, the IT department must have a thorough understanding of how the business works and where there is risk.

IT departments and business managers have yet to find a way to wrap security into business processes in such a way that it is not an impediment, Walden says.

"IT in a company is not given a sufficient status," Walden says. "What's shocking is you would have thought that the financial sector was more sophisticated than this, but it still tends to be the case that security is an add-on and a block, something you've got to live with but you don't have to like, rather than being viewed as an integral part of the business structure."

Workers should be able to do their job without having to share passwords when someone goes on holiday, and the IT department should not make it harder for people to perform their duties, Walden says.

In one extreme example at telecommunications company BT, one employee didn't have the right to use a computer at all, but he found it helped him do his job, Walden says.

"By the time he was found, he had 90 passwords of different employees," Walden says.

It's possible that financial institutions could use biometric systems, such as fingerprint scanners, to provider an added layer of security, McDowall says. Those systems, however, are expensive. Also, the sometimes-finicky fingerprint scanners may not be appropriate in a frantic trading environment, McDowall says.

Questions remain about how Kerviel's losses could be so high given his job as relatively low-level trader. But Kerviel's career progression in 2005 from the bank's back office to the front office — where he would have had access to client accounts — is also troubling, since he would have gained greater knowledge on the bank's inner controls, McDowall says.

As an arbitrage trader, Kerviel made money off price differences between different financial products. Société Générale says Kerviel balanced real and fake trades in order to avoid setting off internal alarms.

Kerviel has been described in some press reports as a computer genius. However, most attackers used unsophisticated methods for exploiting systemic vulnerabilities in applications, processes and procedures, according to the 2005 Insider Threat Study by the Carnegie Mellon Software Engineering Institute.

That report notes that sophisticated tools are also used in some attacks, which implies that internal financial systems need to be designed on a more defensive footing.

Programmers should code under the assumption that a hacker or employee will use every means in order to break in, says Ben Rothke, senior security consultant at BT's International Network Services.

"The underlying issue is that many systems are designed to stop honest people from making mistakes, but do not take into account those with malicious intent," Rothke says.

It makes insider jobs one of the toughest to defend against. The psychological profile of an insider tends to be a disgruntled employee who feels wronged by the company, according to the Insider Threat Report.

That in turn can lead to a suspicious behaviour such as staying late at work, which paradoxically might only signal a committed employee.

"It's always the insider," Rothke says. "It's often harder to steal US$10,000 from a bank than $10 million."