IT security controls partly blamed for SocGen debacle

The Politician's Syllogism

Biometrics have become the latest "this":

We must do something.

This is something.

Therefore we must do this.

(with thanks to Jonathon Lynn and Anthony Jay)

the fallacy of "security through obscurity"

The trader used his knowledge of the bank's IT system. They depended on traders not knowing where the holes were, to stop them from doing this kind of thing. As soon as a trader with the knowledge and the inclination came along, they got dropped in the brown stuff.

Compare this to how hackers gain access to peoples' PCs. They have both the skill and the inclination. The O/S vendor (no names!) stamps on people who publicise bugs and security holes in their beloved software, so faults don't get reported and don't get fixed. It's just another example of security through obscurity: if people don't know about a security problem, they cant use it.

Sadly no-one will learn this lesson. IT will continue to be a steel-armoured front door, with a side window left open. To conceal that fact, O/S manufacturers and financial institutions will simply disguise the open window, or prosecute anyone who points it out.

This won't be the last time a bank suffers a huge loss. The only surprising things are that nothing was learned after Nick Leeson's little escapade and that neither that, not this debacle was motivated by personal gain. I would expect that in many banks there are less scrupulous individuals quietly exploiting their own security holes and squirreling the money away for themselves.

Rubbish

You don't need biometrics to achieve security. You can have 100% security even with unprotected spreadsheets:

- you must know what your organisation is suppposed to be doing

- you must ensure proper segregation between front, middle and back office.

- you must not employ morons

- you must verify your positions against third party confirmations at least daily

- you must maintain proper forward curves and valuation procedures (hello Credit Suisse!)

Re: What utter tosh

Four eyes verification was probably required but since Jerome is said to have come from the BO and to have had his colleagues' passwords, you can imagine that he bypassed that very quickly. I do it myself when testing.

Biometrics might actually have prevented him from using someone else's ID to confirm his own trades. But not for long I suspect.

So now it is official

Kerviel is really going to go down for this, but the morons who shrugged off the warnings, didn't check the logs, or weren't assed enough to actually follow the accounts, those people who were supposedly "in charge", they go scot-free. As does the HR drone who put the wolf in the sheep pen in the first place.

"Hey boss, I've got a first-rate safe cracker applying for a position as vault guardian. Do you think we can take him on ?"

"Why of course, what ever could go wrong ?"

And yes, I love how a $5 billion management mistake is going to be covered up by a thumbprint reader. We all know how good thumbprint readers are at balancing accounts.

This space intentionally left blank

Please can someone explain how it is secure to use something that you leave on everything you touch (fingerprint) as a method of ID? I've always puzzled about that one.

As for banking security you need a few things:

Single sign on to ALL systems, based on ID, Password/PIN and some sort of token (RSA tag/ID Card etc) This way, you can't be logged on to your desktop and signing in and out of apps on mini/mainframe/unix with other's IDs.

Effective (human based) approvals of transactions.

A massive datawarehouse that has everything in it, crunching away to look for 'risks'. (Most, if not all, banks have something like this already.)

Oh yeah, and don't employ morons.