Monday, January 28, 2008

A $7.2B password mistake?

In case you haven’t heard, Société Générale was the target of a fraud perpetrated by an employee. That fraud, so far, has amounted to $7.2B – yes, that’s a “b” for billion. You can read up about it here, here, and the European Central Bank’s call for additional controls here.

The news broke on Thursday afternoon. So what does this $7.2B fraud have to do with passwords? Well, it appears, a lot. Here’s what was reported in the Wall Street Journal:

“…Mr. Kerviel (the fraudster) used the computer log-in and passwords of colleagues both in the trading unit and the technology section” to help cover his tracks.

I translate this to mean the following:

  • SocGen did not have password or security policies that enforced frequent changes or other related safeguards (password length, reuse, etc.)

  • SocGen did not use two-factor authentication; otherwise Kerviel would not have been able to use a colleague's log-in and password

  • SocGen did not audit their logons effectively

  • SocGen did not audit logons against building access (i.e., an account logged on from inside the building while its owner had already keyed out of the building)
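An added example (not from the original post) of the badge-versus-logon check in the last bullet: it replays constructed badge-reader and logon records and flags any logon by an account whose holder had already keyed out. User names, hosts and timestamps are made up.

```python
from datetime import datetime

# Constructed sample data (not from the page): badge reader events and
# interactive logon events for the same users, timestamps in local time.
BADGE_EVENTS = [
    ("2008-01-17 08:02", "alice", "IN"),
    ("2008-01-17 18:31", "alice", "OUT"),
    ("2008-01-17 07:55", "bob", "IN"),
    ("2008-01-17 12:10", "bob", "OUT"),
    ("2008-01-17 13:05", "bob", "IN"),
    ("2008-01-17 19:00", "bob", "OUT"),
]
LOGON_EVENTS = [
    ("2008-01-17 08:10", "alice", "TRADE-WS-01"),
    ("2008-01-17 19:45", "alice", "TRADE-WS-07"),  # alice keyed out at 18:31
    ("2008-01-17 12:30", "bob", "TRADE-WS-03"),    # bob keyed out at 12:10
    ("2008-01-17 14:00", "bob", "TRADE-WS-03"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def present_at(badge_events, user, when):
    """True if the badge trail says `user` was inside the building at `when`.
    A user with no badge history counts as absent, so unknowns get flagged."""
    inside = False
    for ts, who, direction in sorted(badge_events, key=lambda e: _parse(e[0])):
        if who != user or _parse(ts) > when:
            continue
        inside = direction == "IN"  # last badge event before `when` wins
    return inside


def find_suspicious_logons(logon_events, badge_events):
    """Return logons (ts, user, host) made while the account owner was keyed out."""
    return [
        (ts, user, host)
        for ts, user, host in logon_events
        if not present_at(badge_events, user, _parse(ts))
    ]


if __name__ == "__main__":
    for hit in find_suspicious_logons(LOGON_EVENTS, BADGE_EVENTS):
        print("logon while keyed out:", hit)
```

Remote-access logons (VPN, terminal services) would need to be excluded or matched against a different presence source before this check is useful in production.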

The next time you talk about ROI to a potential customer, also ask them about the cost of doing nothing. Might they be the next Société Générale?
