Business Daily from THE HINDU group of publications
Monday, Feb 04, 2008
ePaper | Mobile/PDA Version
eWorld
Features
Stocks
Cross Currency
Shipping
Archives
Google

Group Sites

 eWorld - Security
Money & Banking - Economic Offences
Columns - Security Musings
It’s ‘ShockGen’

The breach of security controls at the venerable French bank reinforces the need for stricter surveillance in cyberspace.

It’s a little bit like becoming a thief with training in locksmithing….If you’re good at being a locksmith, then to steal is easier.

Andre’ Tiran, Dean of Faculty,

University of Lyon

R.K.Raghavan

Investors across the world have been shocked by the massive fraud of nearly $7.2 billion at France’s second largest bank Societe Generale, also known as SocGen. According to a public admission by the bank on January 27, one of its junior traders, Jerome Kerviel (31), who holds a Master’s degree from Lyon University, had been systematically hiding the losses suffered by him in derivatives trade for several months.

He was alleged to have breached almost all financial controls imposed on junior employees like him and exposed the bank to a much higher risk than what he was authorised.

According to initial reports, Kerviel, who has been with SocGen since 2005, was rash and negligent rather than dishonest, because there is no evidence as yet that he made any money in the process.

The French Police have taken cognizance of the colossal fraud by detaining Kerviel and interrogating him for two days.

There are at least three charges — breach of trust, falsifying and using falsified documents, and breaching IT controls access codes — that are likely to be pressed against Kerviel, whom his bosses described as no remarkable star but an undistinguished ordinary bank executive, who earned 1,00,000 Euros, which is peanuts for an investment banker.

Apart from using the codes allotted to colleagues, he created fraudulent mails by means of which he bet on risky investments that exceeded the bank’s net worth. He also entered fake and offsetting trades in SocGen’s computer system with a view to minimising his losses.

Another misdeed was the creation of fictitious customer accounts to balance books. He hacked into the bank’s computer network in order to alter existing data on the system and thereby cover up some bad investments.

As one observer puts it, Kerviel set up a ‘virtual company at the heart of SocGen.’ It is said that his sound insider knowledge of the bank helped him to hide his indiscretions. While no accurate reports are available, we must presume that Kerviel had an impressive computer prowess that lulled him into supreme confidence at his ability to cover up misdeeds.

In fact, he was in an IT function before he was shifted to trading responsibilities. Initial losses, therefore, did not seem to have demoralised him. He went on expanding the investments in the hope that he would somehow regain lost ground. This recklessness proved to be his undoing and that of his bank’s.

Control system in focus

There is public furore over the loss suffered by the bank and President Sarkozy has been critical that SocGen did not brief the French government on time.

Several inconvenient questions have been raised over the bank’s control system. Foremost of the issues is how one sole individual could commit the bank to a mind-boggling sum, unassisted and unsupervised by any other employee of the bank.

Second, how is it that he was not found out for more than a year?

Third, how secure was the IT system that allowed Kerviel to steal access codes of other bank employees? Finally, was the bank’s IT network ever subjected to a vulnerability test?

SocGen’s bosses may duck these questions for a while when the focus is still on Kerviel. Once the heat is off him, it is the bank leadership that will have to bear the brunt of the criticism aimed at lax internal controls.

Preventive steps

While the police investigation will concentrate on Kerviel’s misconduct, the bank’s supervisory ranks will have to do a post-mortem on how things went wrong and what can be done to prevent a repeat of the fraud. Several issues will have to be addressed.

Although Kerviel does not have a criminal background, it may be necessary to subject every new recruit to a stiffer character verification process than the one that exists now.

This is all the more important for those like Kerviel who have access to sensitive bank information and are also authorised to trade on the stock market without being subjected to close day-to-day scrutiny.

Next comes the question of how to build a system whereby every dealer is made to share information up the hierarchy on speculative transactions he had entered into. This would no doubt amount to handcuffing those who should be given enough autonomy for resorting to risk-taking, a necessary adventure that accompanies success. Building controls could be laborious and expensive.

There is one conjecture that SocGen had tried to save money by allowing lax controls.

This is difficult to believe. In any case the damage to its reputation as a trustworthy bank is immeasurable.

It is here that financial institutions will have to learn from Kerviel’s misadventure. Any attempt to save costs while building computer controls for a financial institution could prove ruinous.

Irony indeed!

Moving to something more hilarious, but still on hacking and associated issues, a recent report from Florida refers to the indiscretion of a 41-year-old Cooley, employed by a firm of architects.

When the woman saw an advertisement calling for applications to fill a position at her office that closely resembled her own, she somehow got it into her mind that she was going to be eased out.

Actuated by malice and vengeance, she walked into her office on a Sunday night, tampered with the computer system there and deleted $2.5 million worth files. Little did she realise that the alarm company of the premises tipped off the owner of the firm next morning.

Not only was the latter able to reconstruct the data with the help of a local software company but he also handed over the case to the police.

Cooley has since been released on bail but charged with misdemeanour of causing damage worth more than $1,000.

Her job is also on the firing line! The irony is that the position advertised was not Cooley’s but one that the architect’s wife was trying to fill for her office!

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.

More Stories on : Security | Economic Offences | Security Musings

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Stories in this Section
This bin ain’t laden

With you, wherever you go
Saving password setting
A ‘Lucid’ effort
Package IT right
It’s ‘ShockGen’
Have your say
Quiz
A ‘ground floor’ view of Silicon Valley
Cartoon
Image-perfect
BYTEBACK

BusinessLine E-paper
The Hindu Group: Home | About Us | Copyright | Archives | Contacts | Subscription
Group Sites: The Hindu | The Hindu ePaper | Business Line | Business Line ePaper | Sportstar | Frontline | The Hindu eBooks | The Hindu Images | Home |

Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line