Guide to the TechWeb Network


The InformationWeek -- Blogs
Security

Topics:   Security

  • Email this page E-mail this page
  • |  Print this page Print this page
  • |   Bookmark and Share

Whoops: $73 Billion In Fraudulent Trades Just Slipped By Us


Posted by George Hulme, Jan 28, 2008 10:09 PM

While there's no hard evidence yet released on what could prove to be one of the largest frauds in financial history, some details are starting to surface. It's my hunch that this case, other than its financial magnitude, will not prove much different than previous insider frauds.

In this case, the alleged fraudster, Jerome Kerviel, built an unauthorized futures position on several stock markets totaling about $73 billion. The bank lost $7 billion unwinding the bogus trades. The $73 billion far exceeded what Kerviel was permitted to trade. So how did that happen?

We don't know much, yet. But when all is said and done, if Kerviel is found guilty -- and that's still a big if -- the fraud will not have been perpetrated through sophisticated IT hacks.

What we do know, according to news reports, is that the prosecutor and the bank say that the suspect used other employees' access credentials and falsified documents to create his real trade positions. He also created a "Fictitious" series of trades that were crafted in such a way as to evade internal daily checks and balances and hide the actual fraudulent trades under way. Somehow, the rogue trader then used his knowledge of the system to raise his trading limits.

I can see how one could slip unnoticed with forged documents -- for a while. Even the ability to gain access to others' accounts without detection is quite possible -- for a while. You'd think that, eventually, someone would notice a document that was apparently signed by them, but they didn’t sign it. Or that the IT systems would detect two concurrent sessions, or log-on attempts, by the same username and password.

What strikes me as unfathomable is how the bank didn't detect the amount of cash needed to build $73 billion worth of futures positions -- without noticing that the funds were flowing to an unauthorized account. Likewise, why didn't the bank notice the fictitious account was never actually funded?

And if these trades were done in the names of others, whether other traders or customers of the bank's: how is it that they didn't notice the transactions that were placed in their names?

Clearly, there was a significant breakdown in internal controls. Seeing how Kerviel allegedly circumnavigated these as the case is prosecuted will be worth following. And while the alleged rogue trader Kerviel obviously "hacked" the bank's risk management controls, his hacks probably didn't involve any technical wizardry.

That shouldn't be much of a surprise. Most of these types of cases do not. A study conducted by CERT and the U.S. Secret Service found that these types of cases typically involve the "exploitation of nontechnical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network)."

Kerviel, if found guilty, will not be different.

« Perplexing Nexus | Main | Press Release Roundup »



Tomorrow's CIO: Do you have what it takes?
Find out at the 2008 InformationWeek 500 Conference
Sept. 14-16, St. Regis Resort, Monarch Beach, Calif.


Sign up now for the weekly InformationWeek Blog Newsletter.


This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.






  1. Google Chrome: Browser Or Cloud Operating System?
  2. You Thought Vista Was Bad?
  3. Windows Vista: The OS About Nothing
  4. Apple Nixes 'Pull My Finger' App, Even Though It's A Gas
  5. Walt Mossberg Posts In-Depth Review Of Google's Chrome


  1. Microsoft Virtualization Products Due In Thirty Days
  2. Radical Desktops Deliver Power To The People. But What About IT?
  3. Need Disaster Recovery On The Cheap? Think Virtualization
  4. No Virtualizing Without A License
  5. Smart Stuff: The State Of Business Intelligence 2008
  6. Down To Business: Are Technology Leaders Focusing Too Much On The Small Stuff?

 
 

  Ars Technica
Boing Boing
Channel 9 Forums
CRN Blogs
Dr.Dobb's Portal: Blogs
Engadget
Gizmodo
GrokLaw
  Lifehacker
Schneier on Security
Slashdot
TechCrunch
Techdirt
Techmeme
Valleywag

  FEBRUARY 2008
JANUARY 2008
DECEMBER 2007
NOVEMBER 2007
OCTOBER 2007
SEPTEMBER 2007
AUGUST 2007
JULY 2007
  JUNE 2007
MAY 2007
APRIL 2007
MARCH 2007
FEBRUARY 2007
JANUARY 2007
DECEMBER 2006
NOVEMBER 2006