IT security controls partly blamed for SocGen debacle

Weak security controls have been partly blamed for the rogue trader scandal at Société Générale that cost the bank €4.9bn ($7.2bn). Preliminary findings (pdf) from an internal investigation found that stronger security systems, including biometric authentication of trading personnel, were needed to prevent a reoccurrence of the …


Assessors find that Bank needs lots of new security measures. What's the bet that said assessors can provide the changes if they are taken on as highly paid consultants?


What utter tosh

It wasn't weak IT controls that allowed him to do this, it was not having someone else confirming his trades. Standard practice - you are not allowed to confirm your own trade, so that you can't hide those trades.

I don't suppose PWC also markets a super-duper new biometric security device and wants some nice quick sells before year end.

The Politician's Syllogism

Biometrics have become the latest "this":

We must do something.

This is something.

Therefore we must do this.

(with thanks to Jonathon Lynn and Anthony Jay)


Weren't they using Excel to track trades!?

"Oh dang it's frozen again. I'm sure it'll come back up in a second.

Oh no! it hasn't. What about all those trades that lost millions of Euros? <lightbulb> he he he.... what about them..."

Note. This dramatisation may be real or imaginary, characters depicted may or may not bear any resemblance to real or fictional characters bearing names such as Nick Leeson, John Rusnak or Jérôme Kerviel. <cough>

Oh biometrics that's where we went wrong! Doh!


the fallacy of "security through obscurity"

The trader used his knowledge of the bank's IT system. They depended on traders not knowing where the holes were, to stop them from doing this kind of thing. As soon as a trader with the knowledge and the inclination came along, they got dropped in the brown stuff.

Compare this to how hackers gain access to people's PCs. They have both the skill and the inclination. The O/S vendor (no names!) stamps on people who publicise bugs and security holes in their beloved software, so faults don't get reported and don't get fixed. It's just another example of security through obscurity: if people don't know about a security problem, they can't use it.

Sadly no-one will learn this lesson. IT will continue to be a steel-armoured front door, with a side window left open. To conceal that fact, O/S manufacturers and financial institutions will simply disguise the open window, or prosecute anyone who points it out.

This won't be the last time a bank suffers a huge loss. The only surprising things are that nothing was learned after Nick Leeson's little escapade and that neither that, nor this debacle was motivated by personal gain. I would expect that in many banks there are less scrupulous individuals quietly exploiting their own security holes and squirreling the money away for themselves.

I love it - again a system instead of humans..

I really like the audacity of recommending some piece of fashionable technology to "solve" (I use the term loosely) a problem that has everything to do with management. Their systems DID flag issues, but nobody checked them. People should get 'last logon time' on screen (standard item in most banks but I bet nobody told the wetware to check it).

No, now they're getting some biometric crap so that the traders have to learn new skills (mainly based on superglue fumes and gelatin) and the real cause (lack of proper supervision and audit) is left alone. Let's blame technology so we're asked back for some more analysis.

Lovely, reminds me of a certain government. Now, where was that again, involved a guy called Blair and excellent days to bury bad news. Hmm..

You don't need biometrics to achieve security. You can have 100% security even with unprotected spreadsheets:

- you must know what your organisation is supposed to be doing

- you must ensure proper segregation between front, middle and back office.

- you must not employ morons

- you must verify your positions against third party confirmations at least daily

- you must maintain proper forward curves and valuation procedures (hello Credit Suisse!)

Of course, it is always the fault of the computers !!

Silly people !! How can humans *ever* be wrong ?? Didn't you ever learn the two Laws of Management ??

1) The management is always right !!

2) When the management is wrong, see Law 1

Seriously, the interesting fact about this case is why was there no noise made when Jerome Kerviel was making a profit, despite his doings being suspected/known to the management ?? I smell yet another instance of the good Jewish practice of letting a goat run off into the desert !!

I think the icon is right on the button this time because the question is whether IT is ever at fault in all this !!

Re: What utter tosh

Four eyes verification was probably required but since Jerome is said to have come from the BO and to have had his colleagues' passwords, you can imagine that he bypassed that very quickly. I do it myself when testing.

Biometrics might actually have prevented him from using someone else's ID to confirm his own trades. But not for long I suspect.

So now it is official

Kerviel is really going to go down for this, but the morons who shrugged off the warnings, didn't check the logs, or weren't assed enough to actually follow the accounts, those people who were supposedly "in charge", they go scot-free. As does the HR drone who put the wolf in the sheep pen in the first place.

"Hey boss, I've got a first-rate safe cracker applying for a position as vault guardian. Do you think we can take him on ?"

"Why of course, what ever could go wrong ?"

And yes, I love how a $5 billion management mistake is going to be covered up by a thumbprint reader. We all know how good thumbprint readers are at balancing accounts.


This space intentionally left blank

Please can someone explain how it is secure to use something that you leave on everything you touch (fingerprint) as a method of ID? I've always puzzled about that one.

As for banking security you need a few things:

Single sign on to ALL systems, based on ID, Password/PIN and some sort of token (RSA tag/ID Card etc). This way, you can't be logged on to your desktop and signing in and out of apps on mini/mainframe/unix with others' IDs.

Effective (human based) approvals of transactions.

A massive datawarehouse that has everything in it, crunching away to look for 'risks'. (Most, if not all, banks have something like this already.)

Oh yeah, and don't employ morons.
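The maker-checker rule from the "What utter tosh" post (nobody confirms their own trade), the "four eyes bypassed with colleagues' passwords" reply, and the daily position check above, worked as an added example that is not from the article or any commenter. The workstation-based alert and the one-day confirmation deadline are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Trade:
    trade_id: str
    trader: str            # identity that booked the trade (the "maker")
    workstation: str       # workstation the booking was entered from (assumed field)
    booked_at: datetime
    confirmed_by: Optional[str] = None


class ConfirmationError(Exception):
    pass


class TradeBook:
    """Maker-checker ledger: a trade counts as confirmed only when a second identity signs it off."""

    def __init__(self):
        self.trades: dict[str, Trade] = {}
        self.alerts: list[str] = []   # detections for the supervision/audit queue

    def book(self, trade_id: str, trader: str, workstation: str, booked_at: datetime) -> None:
        self.trades[trade_id] = Trade(trade_id, trader, workstation, booked_at)

    def confirm(self, trade_id: str, checker: str, workstation: str) -> None:
        trade = self.trades[trade_id]
        if checker == trade.trader:
            # hard control: the maker can never be the checker
            raise ConfirmationError(f"{trade_id}: {checker} cannot confirm their own trade")
        if workstation == trade.workstation:
            # two identities but one desk: the classic shared-password bypass of four-eyes.
            # Recorded as an alert rather than blocked, so hot-desking does not halt trading.
            self.alerts.append(f"{trade_id}: {checker} confirmed from maker's workstation {workstation}")
        trade.confirmed_by = checker

    def unconfirmed_after(self, now: datetime, max_age: timedelta = timedelta(days=1)) -> list[str]:
        """Daily check: trades still lacking a second signature after max_age."""
        return sorted(t.trade_id for t in self.trades.values()
                      if t.confirmed_by is None and now - t.booked_at > max_age)


def run_demo() -> dict:
    """Constructed sample day: one legitimate confirmation, one same-desk confirmation, one stale trade."""
    book, t0 = TradeBook(), datetime(2008, 1, 18, 9, 0)
    book.book("T1", "trader_a", "WS-01", t0)
    book.book("T2", "trader_a", "WS-01", t0)
    book.book("T3", "trader_b", "WS-02", t0)
    book.confirm("T1", "checker_x", "WS-01")   # second identity, but from trader_a's desk
    book.confirm("T3", "checker_x", "WS-07")   # clean four-eyes confirmation
    return {"alerts": list(book.alerts), "stale": book.unconfirmed_after(t0 + timedelta(days=2))}
```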

I call shenanigans

No way in the world biometrics will improve the situation in any way.

Traders are notorious for sharing passwords, bypassing security, removing all impediments to them doing things quickly and easily.

Biometrics (if they worked, and frankly they don't really - too many false positives and false negatives) would temporarily end the endemic password sharing that exists amongst traders and trader support staff but as soon as that gets in the way of trading (the business that actually makes money) it will be removed. And as that would be day one it will never happen.

Of course they're motivated by personal gain: big profits = big bonus, and when making a profit everyone's a winner; bigger profits = bigger bonus pool.

What's the Paris angle - the bank's full of money-driven idiots and Paris is certainly that.

