Mr Kerviel appears to have built up his losses over a short period using accounts and passwords belonging to colleagues. [From FT.com / In depth – The rogue trader who cost SocGen €5bn]
Well, well. And there was me thinking that investment banks with extremely valuable data to protect would have used some form of 2FA or even 3FA to protect themselves against losses that could extend into billions. Perhaps they decided against smart cards on the grounds of cost, or against doing proper risk analysis on the grounds that it was a waste of money, or something like that.
Just reflect on the sum of money for a moment: five billion euros. (Compare this to the median identity theft loss of $31,000 according to a U.S. survey last year.) Jerome is surely going down because of this:
The bank has filed a legal complaint against the trader accused of defrauding the bank which led to a loss of 4.9bn euros ($7.1bn; £3.7bn). [From BBC NEWS | Business | SocGen scandal broadens in scope]
I have to say, though, that while no-one would argue with the general principle of sending investment bankers to jail, I wonder if it helps much in the long run? After all, our boy Nick got three-and-a-half years in chokey, but that doesn’t seem to have been much of a deterrent: they always think that this time they’ll get away with it. But being a technological determinist, I also wonder if there was a proper risk analysis undertaken when SocGen specified their single sign-on system for traders? Having worked on risk analysis in a variety of different environments — it’s one of Consult Hyperion’s areas of serious competitive advantage — I’d say I can imagine the kind of conversation that went on:
Boring security expert: You know, we really should have some kind of identity management system in place to provision and monitor access to all of these systems. If the wrong person gets in, they could really do some damage!
Dynamic go-ahead trader: Screw you. I won’t use anything that means it takes 200 milliseconds more to log in to anything. And I won’t remember any more passwords, so I want to use the same one for all the systems. And I want to store it on the Blackberry I leave lying around all the time, and because I might forget it I want it glued to the back of my laptop on a piece of laminated card.
Finance director (i.e., accountant): Identity management? That sounds expensive, and besides I’ve already spent the next three years’ IT budget on implementing a compliance system recommended by the management consultants / auditors / system integrators / software resellers.
Senior manager of some description: Well, I’ve got my bonus to think about, so I’ll side with the traders.
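The "monitor access" point in that imagined conversation is the one a detection engineer can actually act on. As an added example, not part of the original post and not anything SocGen is known to have run, here is a small Python check over constructed login records that flags the two obvious signals of a shared credential: an account used from a workstation assigned to someone else, and one account active on two workstations at the same time. The log format, the hostnames and the workstation-to-trader mapping are all assumptions made for the example.

```python
"""
Added example (not from the original post): flag logins that look like
credential sharing. Two rules are applied to a constructed login log:
  1. an account used from a workstation assigned to a different person;
  2. the same account active on two different workstations at once.
Log format, hostnames and the ownership map are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed assumption: which workstation is assigned to which trader.
WORKSTATION_OWNER = {
    "ws-desk-01": "trader_a",
    "ws-desk-02": "trader_b",
    "ws-desk-03": "trader_c",
}

# Constructed sample log, one event per line: "timestamp account host action".
SAMPLE_LOG = """\
2008-01-18T08:01:00 trader_a ws-desk-01 login
2008-01-18T08:02:00 trader_b ws-desk-02 login
2008-01-18T08:05:00 trader_b ws-desk-03 login
2008-01-18T08:30:00 trader_a ws-desk-01 logout
2008-01-18T09:00:00 trader_c ws-desk-03 login
"""

# Assumed maximum length of a trading-desk session; a login on a second host
# inside this window, with no logout on the first, counts as concurrent.
SESSION_WINDOW = timedelta(hours=8)


def parse_log(text):
    """Parse the constructed log into (timestamp, account, host, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action = line.split()
        events.append((datetime.fromisoformat(ts), account, host, action))
    return events


def find_shared_credentials(events, owners, window=SESSION_WINDOW):
    """Return alerts as (rule, account, host, timestamp) tuples."""
    alerts = []
    active = defaultdict(dict)  # account -> {host: login time}
    for ts, account, host, action in sorted(events):
        if action == "logout":
            active[account].pop(host, None)
            continue
        # Rule 1: the workstation belongs to somebody other than this account.
        owner = owners.get(host)
        if owner is not None and owner != account:
            alerts.append(("foreign_workstation", account, host, ts))
        # Rule 2: the account is still logged in elsewhere within the window.
        for other_host, started in active[account].items():
            if other_host != host and ts - started < window:
                alerts.append(("concurrent_session", account, host, ts))
                break
        active[account][host] = ts
    return alerts


if __name__ == "__main__":
    for rule, account, host, ts in find_shared_credentials(
        parse_log(SAMPLE_LOG), WORKSTATION_OWNER
    ):
        print(f"{ts.isoformat()} {rule}: {account} on {host}")
```

On the sample log this raises two alerts, both for `trader_b` on `ws-desk-03` at 08:05: the workstation is assigned to `trader_c`, and `trader_b` is still logged in on `ws-desk-02`. Neither rule needs the password itself; both only need the identity system to record who logged in where, which is the provisioning-and-monitoring piece the boring security expert was asking for.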
It seems inconceivable to me that with all of the money spent on risk management, no-one knew that a system compromise would lead to a serious problem. If they didn’t, then what was the point of the risk management? If they did, then what was the point of management? And, by the way, I’m not having a go for the sake of it: there’s a human cost to this sort of thing, and we shouldn’t forget it: people will be losing their jobs because of this.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.