
1/28/2008
10:09 PM
George V. Hulme
Commentary

Whoops: $73 Billion In Fraudulent Trades Just Slipped By Us

While there's no hard evidence yet released on what could prove to be one of the largest frauds in financial history, some details are starting to surface. It's my hunch that this case, other than its financial magnitude, will not prove much different than previous insider frauds.

In this case, the alleged fraudster, Jerome Kerviel, built an unauthorized futures position on several stock markets totaling about $73 billion. The bank lost $7 billion unwinding the bogus trades. The $73 billion far exceeded what Kerviel was permitted to trade. So how did that happen?

We don't know much, yet. But when all is said and done, if Kerviel is found guilty -- and that's still a big if -- the fraud will not have been perpetrated through sophisticated IT hacks. What we do know, according to news reports, is that the prosecutor and the bank say that the suspect used other employees' access credentials and falsified documents to create his real trade positions. He also created a "Fictitious" series of trades that were crafted in such a way as to evade internal daily checks and balances and hide the actual fraudulent trades under way. Somehow, the rogue trader then used his knowledge of the system to raise his trading limits. I can see how one could slip unnoticed with forged documents -- for a while. Even the ability to gain access to others' accounts without detection is quite possible -- for a while. You'd think that, eventually, someone would notice a document that was apparently signed by them, but they didn't sign it. Or that the IT systems would detect two concurrent sessions, or log-on attempts, by the same username and password.
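The concurrent-session check mentioned above can be sketched as follows. This is an added example, not part of the original column; the log format, account names and workstation names are constructed for illustration. It flags a logon made while the same account still has a live session on another workstation, and treats very old sessions as stale so that a missed logoff does not alert forever.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not data from the case):
# timestamp, account, workstation, action
SAMPLE_EVENTS = """\
2024-03-04T08:01:12 trader_a WS-101 LOGON
2024-03-04T08:05:40 trader_b WS-102 LOGON
2024-03-04T09:30:05 trader_b WS-117 LOGON
2024-03-04T09:42:10 trader_b WS-117 LOGOFF
2024-03-04T12:00:00 trader_a WS-101 LOGOFF
2024-03-04T12:30:00 trader_a WS-101 LOGON
2024-03-04T17:45:00 trader_b WS-102 LOGOFF
2024-03-05T08:00:00 trader_a WS-130 LOGON
"""

def parse_events(text):
    """Parse whitespace-separated event lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host, action = line.split()
            events.append((datetime.fromisoformat(ts), user, host, action))
    return sorted(events)

def find_concurrent_sessions(events, max_age_hours=12):
    """Flag each logon made while the same account has a live session on
    another workstation. Sessions older than max_age_hours are treated as
    stale (a missed LOGOFF), so they do not raise alerts forever."""
    max_age = timedelta(hours=max_age_hours)
    open_sessions = {}  # account -> {workstation: logon time}
    alerts = []
    for ts, user, host, action in events:
        active = open_sessions.setdefault(user, {})
        if action == "LOGON":
            others = sorted(h for h, start in active.items()
                            if h != host and ts - start <= max_age)
            if others:
                alerts.append((user, host, others, ts))
            active[host] = ts
        elif action == "LOGOFF":
            active.pop(host, None)
    return alerts

if __name__ == "__main__":
    for user, host, others, ts in find_concurrent_sessions(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {user}: logon at {host} while active at {', '.join(others)}")
```

The staleness window trades missed detections for fewer false positives; where the platform enforces an idle timeout, matching the window to it keeps the two consistent.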

What strikes me as unfathomable is how the bank didn't detect the amount of cash needed to build $73 billion worth of futures positions -- without noticing that the funds were flowing to an unauthorized account. Likewise, why didn't the bank notice the fictitious account was never actually funded?

And if these trades were done in the names of others, whether other traders or customers of the bank's: how is it that they didn't notice the transactions that were placed in their names?

Clearly, there was a significant breakdown in internal controls. How Kerviel allegedly circumvented these will be worth following as the case is prosecuted. And while the alleged rogue trader Kerviel obviously "hacked" the bank's risk management controls, his hacks probably didn't involve any technical wizardry. That shouldn't be much of a surprise. Most of these types of cases do not. A study conducted by CERT and the U.S. Secret Service found that these types of cases typically involve the "exploitation of nontechnical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network)."

Kerviel, if found guilty, will not be different.

 
