French bank could have a thwarted $7 billion insider fraud with better password, workstation controls: analysts
Societe Generale might have been able to prevent a year-long binge of fraudulent transactions by one of its mid-level traders - which the French banking giant confirmed this week has cost it more than $7 billion in losses - simply by instituting stricter password controls and applying available software that tracks transactions to individual workstations, according to analysts.
“If the reports are correct that this individual was using other employees' passwords and covering his tracks by taking reverse positions in the bank's reconciliation system, smartcard [log-in] authorization and software that tracks keystrokes to workstations probably would have stopped him,” said Avivah Litan, Gartner vice president and director of research.
An article in today's Wall Street Journal, based on interviews with executives at Societe Generale, reported that alleged rogue trader Jerome Kerviel used usernames and passwords of colleagues in the bank's trading unit and technology section to mask the scope of his fraudulent activities.
The 31-year-old trader, who specialized in stock-index futures and allegedly began creating bogus transactions in an effort to cover his early losses, also concealed the magnitude of his activity from the bank's reconciliation and auditing systems by entering fictitious trades of opposing values in tandem with the reconciliation date for earlier trades, effectively zeroing them out in the system, the Journal reported.
Strict authentication procedures requiring the use of smartcards or “tokens” with chips to log in for transactions would have prevented the re-use of passwords, Litan told SCMagazineUS.com.
Also, the deployment of software tracking the volume of transactions from individual workstations, which is available but apparently not yet widely in use at major banks, would have exposed Kerviel despite his alleged manipulation of the reconciliation system, Litan said.
According to reports, Kerviel also deployed an intimate knowledge of the French bank's five levels of computer security controls that he obtained as a “back office” employee prior to becoming a trader at Societe General, and he may have been able to use this knowledge to hack into the system periodically to probe it for weaknesses.
Gartner VP and Senior Fellow John Pescatore told SCMagazineUS.com that Kerviel's systems expertise, if put to use in obtaining colleagues' passwords, highlights the importantance of maintaining strict barriers preventing IT system administrators from having access to user passwords.
“IT administrators should be able to change the passwords, if necessary, but they shouldn't know [the employees'] passwords,” he said.
Pescatore also said that the fact that Kerviel's yearlong cascade of fraudulent transactions – said to be the largest alleged fraud in financial services history – apparently escaped the scrutiny of internal auditors does not necessarily mean that the bank's auditing procedures were inadequate.
“Unfortunately, when times are good and profits are booming, there is a tendency not to look for [this type of fraud], he told SCMagazineUS.com. “The lesson here is that vigilance is needed before the upswing ends and losses become apparent.”