We don't know much, yet. But when all is said and done, if Kerviel is found guilty -- and that's still a big if -- the fraud will not have been perpetrated through sophisticated IT hacks. What we do know, according to news reports, is that the prosecutor and the bank say that the suspect used other employees' access credentials and falsified documents to create his real trade positions. He also created a "fictitious" series of trades that were crafted in such a way as to evade the internal daily checks and balances and hide the actual fraudulent trades under way. Somehow, the rogue trader then used his knowledge of the system to raise his trading limits. I can see how one could slip by unnoticed with forged documents -- for a while. Even the ability to gain access to others' accounts without detection is quite possible -- for a while. You'd think that, eventually, someone would notice a document that was apparently signed by them, when they didn't sign it. Or that the IT systems would detect two concurrent sessions, or log-on attempts, by the same username and password.
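The concurrent-session check mentioned above, as an added example that is not code from the original post or from the bank: it pairs constructed LOGIN/LOGOUT lines into sessions and reports any two sessions on the same account that overlap in time on different workstations. The log format, usernames and hostnames are assumptions.

```python
from datetime import datetime

# Constructed sample log (not from the page): timestamp, event, user, workstation.
LOG_LINES = """\
2008-01-18T09:02:11 LOGIN  trader_a ws-114
2008-01-18T09:05:40 LOGIN  trader_b ws-207
2008-01-18T09:20:03 LOGIN  trader_a ws-339
2008-01-18T11:47:55 LOGOUT trader_a ws-114
2008-01-18T12:01:10 LOGOUT trader_a ws-339
2008-01-18T17:30:00 LOGOUT trader_b ws-207
"""


def parse_sessions(text):
    """Pair LOGIN/LOGOUT events per (user, host) into (user, host, start, end)."""
    open_sessions = {}
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, host)
        if event == "LOGIN":
            open_sessions[key] = when
        elif event == "LOGOUT" and key in open_sessions:
            sessions.append((user, host, open_sessions.pop(key), when))
    # A login that never logged out is still open: treat it as running until further notice.
    for (user, host), start in open_sessions.items():
        sessions.append((user, host, start, datetime.max))
    return sessions


def detect_concurrent_logins(text):
    """Return (user, host_a, host_b, overlap_start, overlap_end) for each pair of
    sessions of one account that overlap in time on two different workstations."""
    by_user = {}
    for s in parse_sessions(text):
        by_user.setdefault(s[0], []).append(s)
    alerts = []
    for user, sessions in by_user.items():
        sessions.sort(key=lambda s: s[2])  # order by start time
        for i, a in enumerate(sessions):
            for b in sessions[i + 1:]:
                # b starts before a ends, and on another host: two people (or one person twice)
                if b[2] < a[3] and a[1] != b[1]:
                    alerts.append((user, a[1], b[1], max(a[2], b[2]), min(a[3], b[3])))
    return alerts


if __name__ == "__main__":
    for alert in detect_concurrent_logins(LOG_LINES):
        print("concurrent sessions:", alert)
```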
What strikes me as unfathomable is how the bank didn't detect the amount of cash needed to build $73 billion worth of futures positions -- without noticing that the funds were flowing to an unauthorized account. Likewise, why didn't the bank notice the fictitious account was never actually funded?
And if these trades were done in the names of others, whether other traders or customers of the bank, how is it that they didn't notice the transactions that were placed in their names?
Clearly, there was a significant breakdown in internal controls. Seeing, as the case is prosecuted, how Kerviel allegedly circumvented these will be worth following. And while the alleged rogue trader Kerviel obviously "hacked" the bank's risk management controls, his hacks probably didn't involve any technical wizardry. That shouldn't be much of a surprise. Most of these types of cases do not. A study conducted by CERT and the U.S. Secret Service found that these types of cases typically involve the "exploitation of nontechnical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network)."
Kerviel, if found guilty, will not be different.