The French software developer turned rogue trader who cost French bank Société Générale an estimated €4.9bn ($7.2bn) used co-workers' access codes to set up fraudulent transactions. Jerome Kerviel used his colleagues' access codes and sent fraudulent email in order to create fictitious accounts to take risky positions in the …
Access Code issues.
Quoted from the Article.
"Jerome Kerviel used his colleagues' access codes and sent fraudulent email in order to create fictitious accounts"
I would love to know how he got the access codes. I'm pretty sure that there would have been a policy against telling everyone what codes people have. Seems the policies didn't work very well.
Paris... seems like his colleagues have her amount of brain cells. (Harsh, I know.)
Is it just me ...
... or is this another example of too much reliance on systematic controls?
By putting in place systems and mechanisms for overseeing transaction, I bet nobody ever did a visual check.
I despair. accreditations, CRB checks, automatic safeguards etc are no substitute for the use of sound judgement.
It wasn't me - he must've hacked my access codes!
Ahh, the old "someone got my password" excuse.
Well, maybe they did crack/guess/spot other people's passwords, that should not necessarily remove blame from this guy's colleagues. How did he get these access codes? "Hey Jean-Paul, can I borrow your access code for a second" "Mais Oui, Jerome it's ...."
It's very convenient for the bank to point the finger and say it's all the work of one single "evil genius" (lone gunman comes to mind here). I would expect the truth is much harder to swallow and will lead to an accusation of a general lack of security, both in the bank's processes and in staff mentality
used co-workers' access codes to set up fraudulent transactions.
How did he get them? I wonder if the co-workers will face disciplinary action?
Paris Hilton as this happened in France.
I'm afraid you'll find that passwords are passed about a lot. Usually because there might be a 4hr turn-around of a password reset when someone needs to get something out that morning.
Often a byzantine access request process will make this more common. Do you really hire in a contractor on £Ouch per day and leave him reading El Reg for a fortnight while his permissions are sorted out? It's not right, but it is how it goes.
Still there was a major problem here - there should have been controls to spot this even if trades were booked using other accounts and the overall appeared flat.
Too much "security" can be a bad thing
Like many of the other commenters I am not surprised he found it easy to get other people's codes. Probably a mix of rubbish processes meaning there were "valid" reasons for it occasionally (like that password reset time mentioned above), simple laxity (sure, he's a pal, it won't hurt just once) and perhaps even over-zealous password policies making people write things down lest they forget. Often places with the "strictest" security like banks and financial institutions make the computer systems so hostile to actually use they almost actively encourage people to go round them.
Simple examples like insisting on too long pass phrases with weird restrictions on make-up of case and special characters that need changing too often encourage things to be written down at best, or people to treat the whole thing with contempt at worst.
I do hope that SocGen do take some action against his colleagues who basically helped him do it. And perhaps stuck their own names in the "i wanna be sacked, plxplx" pot.
And regarding the systems, how could they not check...well if they did, then the checks are clearly not good enough. So whoever made them should be wary of losing their position too.
Sackings all around!
Auditors and Information Risk Management
I would like to know, having listened to all of the moaning and whinging, what the heck the internal and external auditors are playing at.
As an ex-IT Auditor for one of the big four, this situation should be an immediate shot at the auditors and see the trading floor fired at once, plus the heads of the senior management. Instead of that, the employees are in front of the HQ in Paris "in support of the PDG"... They have a direct responsibility to the shareholders, regardless of who caused the loss, to instigate, maintain and prove that controls function.
Remember the 5B Loss is the RESULT of a 50B of fraudulent positions, cleared by the bank leading up to the 23rd Jan.
Using Excel sheets for controls, and I have seen this often, is a categoric stupidity in any business.
How could he ever know that?
Well, I work in the IT department of one of the largest European banks, same league as SocGen, and I personally know the passwords the cash equity and derivatives traders use for each of their trading platforms. And so do the traders! Is it against company policy? Sure! Will anyone do anything about it? No way, it's the way it's always worked... Maybe if something like that happened here there would be changes, but only AFTER the trouble.
You only lock the door after the house has been robbed...
Well there is peek and poke
Does seem to have done a 180 on the, developer turned trader, hacks system he created.
He obviously had a hand in the design or at least the operation of the financial system, perhaps user testing.
Still, it did originally remind me of the tale about the king who wanted the most secure fortress. He hired the best builders and architects in the land, then upon completion of his citadel had them all executed, just for that bit of added security.
Whilst I cannot advocate killing the developers after the job is complete, it did raise the now hypothetical question of someone with build knowledge of a financial system being allowed to operate that system as a day to day user. Even with this latest development of his ninja like VB macro skills, I still think it is prudent not to let the designers of a financial system operate it, if anything they should be moved to monitoring, or ++version.
Oh, and yeah it does look like they are trying to make him carry the can for this, the security dept are the ones who the banks should be looking to now, it is either going to turn out that they were not given enough powers of enforcement, or were grossly incompetent, either way, the bank as a whole is most likely at fault.
but, if it had worked...
and the markets had risen, and this all paid off, he'd be worshipped as a hero. No mentions of the illegality or immorality of his activities.
Makes you wonder, how many times in the past, or even currently, in how many companies worldwide, does this sort of thing go on, where the losses are "too small" to be noticed, or the rewards too great to complain about?
I detest gambling, which is all the various futures and stocks and money markets really are, except you can ruin a million lives instead of your own when you screw up. Oil isn't expensive now because of supply, or demand, or war or politics, but from speculation and blatant profiteering on the shares of the resource, not the actual resource itself. When politicians use the price of a commodity to support the push for an agenda, speculation becomes even more dangerous-where enough money not only buys the politicians, but also sets the conditions to force the people to follow along.
Artificial numbers, artificial profits, artificial maintenance of a class/caste system worldwide.
"Makes you wonder, how many times in the past, or even currently, in how many companies worldwide, does this sort of thing go on"
From what I heard on Radio 4 this morning, he said he'd been doing this for years, posting profits that could not have been achieved with the checks and balances in place but his bosses never questioned it. The idea that this bloke is a one-off is frankly laughable!
It's only a crime if you lose!
It is all Microsoft's fault (obviously!)
If someone is "manipulating the production of Excel spreadsheets" they DESERVE to be found out. Anyone who relies on computer produced spreadsheets to do audits is out of their mind. Back long ago (a previous life) the person who was doing the books needed a summary, and got ahold of a spreadsheet program (it was Spectaculator for the Radio Shack Color computer) and just fudged the numbers until it worked out. Then with a simple "print" command a nice "Computer Printout" happened. The boss looked at it and said "all is good". What a fool, as he believed anything that was a computer printout. It could have said that the company was actually making money (sadly it wasn't). To this day it amazes me that people believe a computer printout, when all you can say is that "it appears that the printer was working that day".
Sad, but true!
Security & Blame game
A bit hard to swallow,
What's the point of using others' access codes if you want to be noticed. I'm sure he could have needed an access code to get access to restricted/classified info but to place a trade that another may get a bonus for ... ????
Security, don't banks use smart cards rather than a scribbled-down passwd on a sticky note left at the bottom of the screen? Sorry mate, I'm gonna need your access card tonite so I can clone it... I'm worried... admitting it's happening at large banks, as mentioned in an earlier post, how about a guy logging in twice at the same time? I worked for a bank and one session was the best you could get.
Reporting, daily, weekly & monthly trends ... blahh ... long term trend & immediate visibility ... don't get your input from a single source. Looks to me the guys above can't read a chart and can't put one together to get a view of their own.
Basically he must have done all that with the hierarchy's blessing ... nothing in writing I'm sure, how convenient!!!
If, really, it's a one man thing, it's a bit worrying and I assume many will take their business elsewhere, if it's a group ... they might as well do the same.
Low tech hack takes the pressure off management to act
VB, spreadsheets and the process reviewed and approved as part of the IT 5900 audit.
For the layman the French banking establishment is exonerated because our attention seeking countryman was equipped as only a thief would be. The truth is that someone with the routine Microsoft skill to use an Excel spreadsheet combined with knowledge that Excel comes bundled with VB could do some magical things...or so it would appear. Not magical in the sense of code-red or slammer but out of the norm. The cost of setting up this control system from a bank perspective would have been nominal and appropriate if management were neophytes. Which they were in this case.
The IT audit, that misnomer whose embodiment is the 5900 form and is administered by auditors for the most part, is as flimsy as the evidence that declares Jerome a 'hacker'. I agree with the earlier writer that states that the Internal Auditors and/or the security auditors should be fired. The problem is not that simple however.
There are many types of economic thievery of which this is only one of the most embarrassing. While we focus on this guy who was 'only making $ 100,000 euros a year and did not benefit', management has relied on a security plan that funds the best peripheral security protection available.
The real problem is the lack of drive for security audits with teeth which would mean removing IT audits from the willing, controlling hands of the financial auditors. Rather make them the advisors or resources for financial guidance and technical people the real keepers of the keys.
The SOX IT Audit conducted by the big four and documented within the 5900 supports a financial objective and not a security one. The people that conduct them including yours truly may be technical experts but our opinions are of secondary concern to the budget and billings of our employers. The 5900 protects management, and if the SG leaders are lucky their IT auditor didn't even list reliance on the spreadsheet as an IT financial control deficiency.
I wonder which of the big 4 will get sued.
Jerome has set back egalitarianism in France by a generation.
If he is jailed make sure you take away any and all access to spreadsheets.
He splatted an odd seven billion dollars because he knew some passwords and fiddled a spreadsheet? And no one noticed? Come on! Pull the other one.
A couple of hundred grand, maybe. A couple of million, perhaps. But billions? All on his lonesome? Merde!
I love a fairy tale as much as the next guy and I'm not into conspiracies, but if I were the fuzz français I would have a long hard look at les patrons.
I do and have worked for large financial companies in the UK for the last ten years or so. If I shared my ID/password with someone I would be liable for whatever happened with my account while operated by someone else.
This is why greater use of single sign-on technology and 2-factor sign-on (RSA tags etc.) should be used. If you (as is often the case) can log on to your workstation and then have to log on separately to other systems, that makes it very easy for people to log on to other systems (mainframe/minis/unix etc.) as someone else.
He previously worked in the back office. So what?
"I still think it is prudent not to let the designers of a financial system operate it"
Are we advocating security by obscurity here? Either the designers of the system did a decent job, in which case it is perfectly safe to let them onto the trading side, or they didn't, and it is naive to imagine that no one else will ever figure out the weak points.
Or more like
Or more like greedy bank directors tapping into over-inflated, "you can't lose", very high risk US sub-prime discount notes that all the Yank banks were flogging like there was no tomorrow, and the unfortunate trader became the unwitting victim of a scam by these directors in order to con the French Treasury to bail them out of that folly and hide all their losses!
Truth is always stranger than fiction.
The question arises: will the real truth ever show up outside the propaganda and hearsay released to date?
It will be an interesting court case to follow at some future date prior to 2012.
I worked for a bank last year...
I won't name them for obvious reasons. But they are pretty big in Holland and Belgium.
Anyway, I was given root access to their systems, and they didn't even interview me before I started. That should be enough to horrify anyone here, but it actually gets worse. There was a universal login that also gave you root privileges on the system - and everyone had the password to it - so if you wanted to sabotage anything, you were assured of perfect anonymity. You could also, being root, switch to being anyone else on the system - and there was no defence implemented against this. Perfect for impersonation...
The pay for a position of such responsibility was surprisingly low. I won't go into details, but it was low. I was not going to complain, but there were plenty of people there who were not happy about it. Their systems were a real eye-opener, too. We basically had to fire-fight, continually - the worst problem was the trading application logs: They were set up on filesystems that were pitifully small (~100MB) and usually had to be cleared every day.
On about 90% of their systems, there wasn't enough disk space to hold much more than 1 day's worth of logs - certainly not 2 days worth (and since you couldn't archive logs while they were being written to, it meant you were very restricted in how - and when - you could manage the problem, which made proactive management damn near impossible). You had to have someone in front of the system 24/7, because just 4-5 minutes of inattention was enough to allow something major to come crashing down - at a cost of millions, or even billions, of euros.
None of this was scripted, by the way - internal bank policy forbade all scheduled scripts via cron, at, etc, because they are "unsafe" (never mind that once written and tested, they don't err like humans do). So instead they relied on hiring poor schmucks off the street for a pittance (without entry interviews, let alone background checks), giving them instant root access (and to think we worry about terrorists?!?) - and relying on these people to do things perfectly every time. I personally witnessed someone deleting the wrong log files by accident. This brought down one of the major trading applications and cost the bank nearly half a billion euros. Amazingly, the guy kept his job.
With IT policy like this, I'm not surprised people like Jerome Kerviel have managed to subvert security to their own ends. What DOES amaze me is that it took this long! If most people knew how unsafe their banks' IT systems were, there would be a mass run on every bank, and we would all be stashing our lolly in our pillows and under our beds. If I were a saver, I'd certainly want to be examining my options - gold looks pretty good right now. As things stand, I'm pretty glad the only thing I have in my bank account right now is debt.
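Two posts in this thread describe the same symptom from different angles: the "one session was the best you could get" remark about a trader logging in twice, and the universal root login above that everyone knew the password to. A shared password tends to show up in the logs as one account being active from two different hosts at the same time. The following is an added example, not code from the thread or from any bank's tooling: it parses constructed login/logout records in an assumed "timestamp user event host" format and flags every account that starts a second session on a different host while an earlier one is still open. The record format, host names and account names are all assumptions made up for the example.

```python
"""Flag accounts that are active from two hosts at once.

Added example: concurrent sessions from different hosts are one
observable sign that a credential is being passed around. The log
format below is an assumption for this example, not a real product's.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data): "timestamp user event host".
SAMPLE_LOG = """\
2008-01-18T08:02:11 jpaul login trd-ws-07
2008-01-18T08:05:40 jpaul login trd-ws-19
2008-01-18T08:30:00 jpaul logout trd-ws-07
2008-01-18T08:31:15 alice login trd-ws-02
2008-01-18T09:00:00 alice logout trd-ws-02
2008-01-18T09:01:00 alice login trd-ws-02
2008-01-18T09:10:00 jpaul logout trd-ws-19
2008-01-18T09:12:00 root login ops-01
2008-01-18T09:12:30 root login ops-02
"""


def parse_log(text):
    """Parse records into (timestamp, user, event, host) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, host = line.split()
        events.append((datetime.fromisoformat(ts), user, event, host))
    events.sort(key=lambda e: e[0])
    return events


def find_concurrent_sessions(events):
    """Return (user, timestamp, new_host, other_active_hosts) for every login
    that starts while the same account already has a session on another host.

    A login from a host that is already active (e.g. a reconnect) is not
    flagged; only a second distinct host is.
    """
    active = defaultdict(dict)  # user -> {host: login timestamp}
    alerts = []
    for ts, user, event, host in events:
        sessions = active[user]
        if event == "login":
            others = sorted(h for h in sessions if h != host)
            if others:
                alerts.append((user, ts, host, others))
            sessions[host] = ts
        elif event == "logout":
            sessions.pop(host, None)
    return alerts


def sharing_suspects(text):
    """Sorted list of accounts with at least one concurrent-host session."""
    return sorted({alert[0] for alert in find_concurrent_sessions(parse_log(text))})


if __name__ == "__main__":
    for user, ts, host, others in find_concurrent_sessions(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: new session on {host} while active on {', '.join(others)}")
    print("suspect accounts:", sharing_suspects(SAMPLE_LOG))
```

On the constructed input this flags `jpaul` (second session on trd-ws-19 while trd-ws-07 is still open) and `root` (ops-01 and ops-02 within thirty seconds), and leaves `alice` alone because she logged out before reconnecting from the same host. The check is deliberately a session-overlap test rather than a login count, since the thread's own point is that a single sitting at a workstation is normal and two at once from different places is not.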
I'm living proof
Absolutely agree with the access request comments above. I work for a large investment bank managing and administering trading systems (in various markets, including the arb markets that Socgen were trading in) through which obscene amounts of heavily leveraged capital flow. In my capacity I have full administrative level access to all of these systems. The bank I work for have swallowed the draconian password policy hook, line and sinker, meaning that their employees cannot possibly hope to mentally stay on top of the thirty or so constantly changing alphanumeric passwords they need to remember. In addition, the security team that enforce this are in a different continent and are about as much use as a chocolate teapot - they rarely answer phones, and it can take literally days for a password to be reset if locked or lost. Consequently, most people have a cheat sheet of passwords which are stored in a variety of places - from scraps of paper in unlocked desk drawers, to the password-protected spreadsheet of them which I have on my computer desktop (Excel spreadsheet passwords ain't exactly hard to break). I used to work as a sysadmin, I understand why these policies are in place, but some security people go too far - the people that enforce these password policies to such a level have clearly never had to try and remember them all for a wide range of systems that they need access to at a moment's notice, usually while a trader is screaming at you about why his P+L is out or suchlike...
Consequently I don't mind admitting I'm a security time bomb; you can do whatever you like to our trading, risk and margining/limits systems using the administrative access level I have. To be honest I don't care, if I did everything these security prats tell me I should do I'd never get any work done, and frankly I resent anyone who makes me look inefficient. However, as mentioned above some of my colleagues have these passwords on bits of paper, so I'm far from the worst.
Security is made better with obscurity
In truth all security is obscurity, but yeah it is an added layer to encryption. Obviously you don't rely on obscurity only but the more you have the better as far as being secure.
I am not sure where the idea of obscurity being bad came from, it is a cherry on the top of the cake.
It normally comes up when discussing if an encryption algorithm should be public or private, and even there obscurity is given a positive value, it is just outweighed by the measure of proof that the public algorithm gets from not getting broken.
But, say you had 100 of the top maths minds in the world, and they developed an encryption algorithm which they tested amongst themselves over a couple of years, would it make sense to open the encryption algorithm to the public, just for the added exposure?
The NSA hold secret patents because of the value of obscurity, and it would be naive to think that they would gain more security by opening up their security secrets, if they had their way they would have all the cryptographers working for them on life long contract.
Cryptographers like to live in the perfect world of mathematics. But security involves people, and a whole load of competing propositions, if a system is to be operational and economical.
Move the development team to the trading team and I think you are asking for problems.
IT + Banking = ??
In France there is a thing called "raison d'état" which basically means when the sh*t hits the fan the French state doesn't have to obey the law and can manipulate whatever they want to ensure that France continues to maintain its position, economically, militarily or diplomatically.
If there has been a systemic failure in the French banking system, expect Mr Kerviel to be the fall guy while the mess is quietly cleaned up away from the public eye.
A while ago I worked in a mid-range UK bank developing web banking systems. Despite the technical nature of the work the senior managers were technically illiterate... However there was a section looking at the risks involved and checking things against the bank's rules on customer security.
Another web job, another big financial, only this time there wasn't any assessment of risk.....just a get the job done as fast as possible. That bunch were just unbelievable....running the default install of IIS 4 on internet facing webservers connecting to mainframes manipulating millions of pounds worth of customers cash.
Another bank... another system... how's this for security... customer requests PIN for telephone banking... bank sends form on which the customer has to write his name, address, account details, signature, AND PROPOSED PIN NUMBER before sending it through the post to the bank mailroom where it is opened and passed to the data entry clerks. This system saved the bank having to buy a secure PIN printing system.
The words secure, financial organisation and IT system should never be used together.
Now we know what they think of us who have a measly savings account and / or credit card.
Squander 5 Billion € - No problem, just hike up all the transaction fees and squeeze it out of the retail customers. Then we have the audacity to question why we get taken for a ride by our banks and simple things cost an arm and a leg!
BTW - Fingerprint scanners to replace ever-changing user passwords are about 20€ per system. (I assume that the encryption / security software is already in place - taking for granted that they are not just using Windows security.) Smart Card readers & ID badges with integrated Smart Card chips are about the same price and can be used in combination with finger scan.
So for 50€ per system, inclusive of a centralised management console, SocGen could have saved 5 Billion€!
Any Sales people reading this?
Alone, yeah right!
According to the BBC today:
"Bankers have confirmed that at the end of last year, Jerome Kerviel had generated a colossal hidden profit for the bank of 1.4bn euros"
"Among the great mysteries of the Kerviel affair is how the French bank could have failed to notice a profit of that size."
I smell a scapegoat, and a blind eye turned when things were going the bank's way...
Lone hacker... oh really
The story in yesterday's Independent is more believable - it suggested that his bosses knew what he was doing but because he was making shedloads of money they turned a blind eye.
ID KEY system will deter all fraud crimes.
Fraud crimes will continue to grow until the government and banks exploit ID KEY system described on website www.xwave.co.uk which will make both signature and PIN systems reliable and foolproof.
Current signature and PIN systems are the root cause of the problem because fake documents have made signature system unreliable while skimmers and pin-hole cameras have made PIN system unreliable.
It is obvious that it is virtually impossible to stop fraudsters from obtaining our personal details and hence the need to deter fraudsters from misusing these stolen details via use of ID KEY system is a must to deter fraud crimes.
Proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals.
citations and evidence please ..
Dear John, do you have citations or any evidence for the following:
01. Jérome Kerviel was a software developer
02. used co-workers' access codes to set up fraudulent transactions
03. sent fraudulent email
04. helped to develop the bank's trading systems
05. disabled warning system
Since when did a certificate in Visual Basic make you a software developer .. :)
"could have been as simple as manipulating the production of Excel spreadsheets that are used to provide trading updates to bosses, according to City experts.
What was the name of these 'experts'? How does allegedly faking data in a spreadsheet translate into hacking, using access codes and sending fraudulent email? Do you have any samples of these emails?
"A copy of Kerviel's CV found circulating on the net"
EDUCATION MASTERS in Finance .. Bachelor Degree in Finance
University of Nantes, 1996 1999
SKILLS Microsoft Office Package - Visual Basic
"The photos of you and the girl will be recycled for proletarian use", 1984