Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/28/2008
10:09 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Whoops: $73 Billion In Fraudulent Trades Just Slipped By Us

While there's no hard evidence yet released on what could prove to be one of the largest frauds in financial history, some details are starting to surface. It's my hunch that this case, other than its financial magnitude, will not prove much different than previous insider frauds.

While there's no hard evidence yet released on what could prove to be one of the largest frauds in financial history, some details are starting to surface. It's my hunch that this case, other than its financial magnitude, will not prove much different than previous insider frauds.In this case, the alleged fraudster, Jerome Kerviel, built an unauthorized futures position on several stock markets totaling about $73 billion. The bank lost $7 billion unwinding the bogus trades. The $73 billion far exceeded what Kerviel was permitted to trade. So how did that happen?

We don't know much, yet. But when all is said and done, if Kerviel is found guilty -- and that's still a big if -- the fraud will not have been perpetrated through sophisticated IT hacks. What we do know, according to news reports, is that the prosecutor and the bank say that the suspect used other employees' access credentials and falsified documents to create his real trade positions. He also created a "Fictitious" series of trades that were crafted in such a way as to evade internal daily checks and balances and hide the actual fraudulent trades under way. Somehow, the rogue trader then used his knowledge of the system to raise his trading limits. I can see how one could slip unnoticed with forged documents -- for a while. Even the ability to gain access to others' accounts without detection is quite possible -- for a while. You'd think that, eventually, someone would notice a document that was apparently signed by them, but they didn't sign it. Or that the IT systems would detect two concurrent sessions, or log-on attempts, by the same username and password.

What strikes me as unfathomable is how the bank didn't detect the amount of cash needed to build $73 billion worth of futures positions -- without noticing that the funds were flowing to an unauthorized account. Likewise, why didn't the bank notice the fictitious account was never actually funded?

And if these trades were done in the names of others, whether other traders or customers of the bank's: how is it that they didn't notice the transactions that were placed in their names?

Clearly, there was a significant breakdown in internal controls. Seeing how Kerviel allegedly circumnavigated these as the case is prosecuted will be worth following. And while the alleged rogue trader Kerviel obviously "hacked" the bank's risk management controls, his hacks probably didn't involve any technical wizardry. That shouldn't be much of a surprise. Most of these types of cases do not. A study conducted by CERT and the U.S. Secret Service found that these types of cases typically involve the "exploitation of nontechnical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network)."

Kerviel, if found guilty, will not be different.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0565
PUBLISHED: 2020-02-25
NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.
CVE-2020-9393
PUBLISHED: 2020-02-25
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.
CVE-2020-9394
PUBLISHED: 2020-02-25
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.
CVE-2019-3999
PUBLISHED: 2020-02-25
Improper neutralization of special elements used in an OS command in Druva inSync Windows Client 6.5.0 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.
CVE-2020-8809
PUBLISHED: 2020-02-25
Gurux GXDLMS Director prior to 8.5.1905.1301 downloads updates to add-ins and OBIS code over an unencrypted HTTP connection. A man-in-the-middle attacker can prompt the user to download updates by modifying the contents of gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml. Then, the attacker ...