While there's no hard evidence yet released on what could prove to be one of the largest frauds in financial history, some details are starting to surface. It's my hunch that this case, other than its financial magnitude, will not prove much different than previous insider frauds.

2 Min Read

While there's no hard evidence yet released on what could prove to be one of the largest frauds in financial history, some details are starting to surface. It's my hunch that this case, other than its financial magnitude, will not prove much different than previous insider frauds.In this case, the alleged fraudster, Jerome Kerviel, built an unauthorized futures position on several stock markets totaling about $73 billion. The bank lost $7 billion unwinding the bogus trades. The $73 billion far exceeded what Kerviel was permitted to trade. So how did that happen?

We don't know much, yet. But when all is said and done, if Kerviel is found guilty -- and that's still a big if -- the fraud will not have been perpetrated through sophisticated IT hacks. What we do know, according to news reports, is that the prosecutor and the bank say that the suspect used other employees' access credentials and falsified documents to create his real trade positions. He also created a "Fictitious" series of trades that were crafted in such a way as to evade internal daily checks and balances and hide the actual fraudulent trades under way. Somehow, the rogue trader then used his knowledge of the system to raise his trading limits. I can see how one could slip unnoticed with forged documents -- for a while. Even the ability to gain access to others' accounts without detection is quite possible -- for a while. You'd think that, eventually, someone would notice a document that was apparently signed by them, but they didn't sign it. Or that the IT systems would detect two concurrent sessions, or log-on attempts, by the same username and password.

What strikes me as unfathomable is how the bank didn't detect the amount of cash needed to build $73 billion worth of futures positions -- without noticing that the funds were flowing to an unauthorized account. Likewise, why didn't the bank notice the fictitious account was never actually funded?

And if these trades were done in the names of others, whether other traders or customers of the bank's: how is it that they didn't notice the transactions that were placed in their names?

Clearly, there was a significant breakdown in internal controls. Seeing how Kerviel allegedly circumnavigated these as the case is prosecuted will be worth following. And while the alleged rogue trader Kerviel obviously "hacked" the bank's risk management controls, his hacks probably didn't involve any technical wizardry. That shouldn't be much of a surprise. Most of these types of cases do not. A study conducted by CERT and the U.S. Secret Service found that these types of cases typically involve the "exploitation of nontechnical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network)."

Kerviel, if found guilty, will not be different.

About the Author(s)

George V. Hulme, Contributing Writer

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights