Quoted from the Article.

"Jerome Kerviel used his colleagues' access codes and sent fraudulent email in order to create fictitious accounts"

----------------------------------------------------------------------------------------

I would love to know how he got the access codes..I'm pretty sure that there would have been a policy against telling everyone what codes people have. Seems the policies didn't work very well.

Paris..- seems like his colleagues have her amount of brain cells. (harsh i know)

... or is this another example of too much reliance on systematic controls?

By putting in place systems and mechanisms for overseeing transaction, I bet nobody ever did a visual check.

I despair. accreditations, CRB checks, automatic safeguards etc are no substitute for the use of sound judgement.

How did he get them? I wonder if the co-workers will face disciplinary action?

Paris Hilton as this happened in France.

I'm afraid you'll find that passwords are passed about a lot. Usually because there might be a 4hr turn-around of a password reset when someone needs to get something out that morning.

Often the a byzantine access request process will make this more common. Do you really hire in a contractor on £Ouch per day and leave him reading El Reg for a fortnight while his permissions are sorted out. It's not right, but it is how it goes.

Still there was a major problem here - there should have been controls to spot this even if trades were booked using other accounts and the overall appeared flat.

Like many of the other commenters I am not surprised he found it easy to get other peoples codes. Probably a mix of rubbish processes meaning there were "valid" reasons for it occasionally (like that passowrd reset time mentioned above), simple laxity (sure, he's a pal it won't hurt just once) and perhaps even over zealous passowrd policies making people write things down lest they forget. Often places with the "strictest" security like banks and financial institutions make the computer systems so hostile to actually use they almost actively encourage people to go round them.

SImple examples like insisiting on too long pass phrases with wierd restrictions on make up of case and special characters that need changing too often encourages things to be written down at best or people to treat the whole thing with contempt at worst.

Agreed,

I do hope that SocGen do take some action against his colleagues who basically helped him do it. And perhaps stuck their own names in the "i wanna be sacked, plxplx" pot.

And regarding the systems, how could they not check...well if they did, then the checks are clearly not good enough. So whoever made them should be wary of losing their position too.

Sackings all around!

I would like to know, having listened to all of the moaning and winging,what the heck the internal and external auditors are playing at.

As an ex-IT Auditor for one of the big four, this situation should be an immediate shot at the auditors and see the trading floor fired at once, plus the heads of the senior management. Instead of that, the employees are in front of the HQ in Paris "in support of the PDG"......... They have a direct responsibility to the shareholders, regardless of who caused the loss, to instigate, maintain and prove that controls functions

Remember the 5B Loss is the RESULT of a 50B of fraudulent positions, cleared by the bank leading up to the 23rd Jan.

Using Excel sheets for controls, and I have seen this often, is a categoric stupidity in any business.

and the markets had risen, and this all paid off, he'd be worshipped as a hero. No mentions of the illegality or immorality of his activities.

Makes you wonder, how many times in the past, or even currently, in how many companies worldwide, does this sort of thing go on, where the losses are "too small" to be noticed, or the rewards too great to complain about?

I detest gambling, which is all the various futures and stocks and money markets really are, except you can ruin a million lives instead of your own when you screw up. Oil isn't expensive now because of supply, or demand, or war or politics, but from speculation and blatant profiteering on the shares of the resource, not the actual resource itself. When politicians use the price of a commodity to support the push for an agenda, speculation becomes even more dangerous-where enough money not only buys the politicians, but also sets the conditions to force the people to follow along.

Artificial numbers, artificial profits, artificial maintenance of a class/caste system worldwide.

"Makes you wonder, how many times in the past, or even currently, in how many companies worldwide, does this sort of thing go on"

From what I heard on Radio 4 this morning, he said he'd been doing this for years, posting profits that could not have been achieved with the checks and balances in place but his bosses never questioned it. The idea that this bloke is a one-off is frankly laughable!

It's only a crime if you lose!

A bit hard to swallow,

What's the point of using others' access codes if you want to be noticed. I'm sure he could have needed an access code to get access to restricted/classified info but to place a trade that another may get a bonus for ... ????

Security, aren't banks use smart cards rather than scribbled down passwd on a sticky note left at the bottom of the screen? Sorry mate I'm gonna need your access card tonite so I can clone it ... I'm worried ... admitting it's happening at large banks, as mentioned in an earlier post, how about a guy logging in twice at the same time, I worked for a bank and one session was the best you could get.

Reporting, daily, weekly & monthly trends ... blahh ... long term trend & immediate visibility ... don't get your input from a single source. Looks to me the guys above can't read a chart and can't put one together to get a view of their own.

Basically he must have done all that with the hierarchy's blessing ... nothing in writing I'm sure, how convenient!!!

If, really, it's a one man thing, it's a bit worrying and I assume many will take their business elsewhere, if it's a group ... they might as well do the same.

VB, spreadsheets and the process reviewed and approved as part of the IT 5900 audit.

For the layman the French banking establishment is exonerated because our attention seeking countryman was equipped as only a thief would be. The truth is that someone with the routine Microsoft skill to use an Excel spreadsheet combined with knowledge that Excel comes bundled with VB could do some magical things...or so it would appear. Not magical in the sense of code-red or slammer but out of the norm. The cost of setting up this control system from a bank perspective would have been nominal and appropriate if management were neophytes. Which they were in this case.

The IT audit, that misnomer whose embodiment is the 5900 form and is administered by auditors for the most part, is as flimsy as the evidence that declares Jerome a 'hacker'. I agree with the earlier writer that states that the Internal Auditors and/or the security auditors should be fired. The problem is not that simple however.

There are many types of economic thievery of which this is only one of the most embarrassing. While we focus on this guy who was 'only making $ 100,000 euros a year and did not benefit', management has relied on a security plan that funds the best peripheral security protection available.

The real problem is the lack of drive for security audits with teeth which would mean removing IT audits from the willing, controlling hands of the financial auditors. Rather make them the advisors or resources for financial guidance and technical people the real keepers of the keys.

The SOX IT Audit conducted by the big four and documented within the 5900 supports a financial objective and not a security one. The people that conduct them including yours truly may be technical experts but our opinions are of secondary concern to the budget and billings of our employers. The 5900 protects management, and if the SG leaders are lucky their IT auditor didn't even list reliance on the spreadsheet as an IT financial control deficiency.

I wonder which of the big 4 will get sued.

Jerome has set back egalitarianism in France by a generation.

If he is jailed make sure you take away any and all access to spreadsheets.

Or more like greedy bank directors tapping into to over inflated you can't lose US very high risk sub prime discount notes all the Yank banks were flogging like there was no tomorrow and unfortunate trader became the unwitting victim of a scam by these directors in order to con the French Treasury to bail them out of that folly and hide all their losses !

Truth is always stranger then fiction .

The question arises will the real truth ever show up outside the propaganda and hearsay released to date ?

It will be an interesting court case to follow at some future date prior to 2012 .

I won't name them for obvious reasons. But they are pretty big in Holland and Belgium.

Anyway, I was given root access to their systems, and they didn't even interview me before I started. That should be enough to horrify anyone here, but it actually gets worse. There was a universal login that also gave you root privileges on the system - and everyone had the password to it - so if you wanted to sabotage anything, you were assured of perfect anonymity. You could also, being root, switch to being anyone else on the system - and there was no defence implemented against this. Perfect for impersonation...

The pay for a position of such responsibility was surprisingly low. I won't go into details, but it was low. I was not going to complain, but there were plenty of people there who were not happy about it. Their systems were a real eye-opener, too. We basically had to fire-fight, continually - the worst problem was the trading application logs: They were set up on filesystems that were pitifully small (~100MB) and usually had to be cleared every day.

On about 90% of their systems, there wasn't enough disk space to hold much more than 1 day's worth of logs - certainly not 2 days worth (and since you couldn't archive logs while they were being written to, it meant you were very restricted in how - and when - you could manage the problem, which made proactive management damn near impossible). You had to have someone in front of the system 24/7, because just 4-5 minutes of inattention was enough to allow something major to come crashing down - at a cost of millions, or even billions, of euros.

None of this was scripted, by the way - internal bank policy forbade all scheduled scripts via cron, at, etc, because they are "unsafe" (never mind that once written and tested, they don't err like humans do). So instead they relied on hiring poor schmucks off the street for a pittance (without entry interviews, let alone background checks), giving them instant root access (and to think we worry about terrorists?!?) - and relying on these people to do things perfectly every time. I personally witnessed someone deleting the wrong log files by accident. This brought down one of the major trading applications and cost the bank nearly half a billion euros. Amazingly, the guy kept his job.

With IT policy like this, I'm not surprised people like Jerome Kerviel have managed to subvert security to their own ends. What DOES amaze me is that it took this long! If most people knew how unsafe their bank's' IT systems were, there would be a mass run on every bank, and we would all be stashing our lolly in our pillows and under our beds. If I were a saver, I'd certainly want to be examining my options - gold looks pretty good right now. As things stand, I'm pretty glad the only thing I have in my bank account right now is debt.

Absolutely agree with the access request comments above. I work for a large investment bank managing and administering trading systems (in various markets, including the arb markets that Socgen were trading in) through which obscene amounts of heavily leveraged capital flow. In my capacity I have full administrative level access to all of these systems. The bank I work for have swallowed the draconian password policy hook, line and sinker meaning that their employees cannot possibly hope to mentally stay on top of the thirty or so constantly changing alphanumeric passwords they need to remember. In addition, the security team that enforce this are in a different continent and are about as much use as a chocolate teapot - they rarely answer phones, and it can take literally days for a password to be reset if locked or lost. Consequently, most people have a cheat cheet of passwords which are stored in a variety of places - from scraps of paper in unlocked desk drawers, to the password protected spreadsheet of them which I have on my computer desktop (excel spreadsheet passwords ain't exactly hard to break.) I used to work as a sysadmin, I understand why these policies are in place, but some security people go too far - the people that enforce these password policies to such a level have clearly never had to try and remember them all for a wide range of systems that they need access to at a moments notice, usually while a trader is screaming at you about why his P+L is out or suchlike....

Consequently I don't mind admitting I'm a security time bomb, you can do whatever you like to our trading, risk and margining/limits systems using the administrative access level I have. To be honest I don't care, if I did everything these security prats tell me I should do I'd never get any work done, and frankly I resent anyone who makes me look inefficient.) However, as mentioned above some of my colleagues have these passwords on bits of paper so I'm far from the worst.

Now we know what they think of us who have a measly savings account and / or credit card.

Squander 5 Billion € - No problem, just hike up all the transaction fees and squeeze it out of the retail customers. Then we have the audacity to question why we get taken for a ride by our banks and simple things cost an arm and a leg!

BTW - Fingerprint scanners to replace everchanging user passwords are about 20€ per system. (I asume that the encyption / security software is already in place - taking for granted that they are not just using windows security). Smart Card readers & ID badges with integrated Smart Card Chips are about the same price and can be used in combination with finger scan.

So for 50€ per system inclusive of a centralised management consol, SocGen could of saved 5 Billion€!

Any Sales people reading this?

Coz

Fraud crimes will continue to grow until the government and banks exploit ID KEY system described on website www.xwave.co.uk which will make both signature and PIN systems reliable and foolproof.

Current signature and PIN systems are the root cause of the problem because fake documents have made signature system unreliable while skimmers and pin-hole cameras have made PIN system unreliable.

It is obvious that it is virtually impossible to stop fraudsters from obtaining our personal details and hence the need to deter fraudsters from misusing these stolen details via use of ID KEY system is a must to deter fraud crimes.

Proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals.