The news broke on Thursday afternoon. So what does this $7.2B fraud have to do with passwords? Well, it appears, a lot. Here’s what was reported in the Wall Street Journal:
“…Mr. Kerviel (the fraudster) used the computer log-in and passwords of colleagues both in the trading unit and the technology section” to help cover his tracks.
I translate this to mean the following:
- SocGen did not have password or security policies that enforced frequent changes or other related safeguards (password length, reuse, etc.)
- SocGen did not use two-factor authentication; otherwise Kerviel would not have been able to use a colleague's log-in and password
- SocGen did not audit their logons effectively
- SocGen did not audit logons against building access (i.e., an account logged on inside the building while its owner had already badged out of the building)
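One way to implement that last check, correlating interactive logons with badge records so that an onsite logon by an account whose owner has already badged out is flagged; this is an added example, not code from the original post, and the record layouts, account names and event names are constructed assumptions:

```python
from datetime import datetime

# Constructed sample records (assumed layouts, not any real system's logs).
LOGONS = [
    # (timestamp, account, workstation, source)
    ("2008-01-17 09:02:00", "trader_a", "TRD-PC-12", "onsite"),
    ("2008-01-17 19:40:00", "trader_a", "TRD-PC-12", "onsite"),
    ("2008-01-17 21:05:00", "tech_b", "TRD-PC-12", "onsite"),
    ("2008-01-17 21:10:00", "tech_c", "VPN-GW", "remote"),
]
BADGE = [
    # (timestamp, person, direction)
    ("2008-01-17 08:55:00", "trader_a", "in"),
    ("2008-01-17 18:30:00", "trader_a", "out"),
    ("2008-01-17 08:40:00", "tech_b", "in"),
    ("2008-01-17 17:10:00", "tech_b", "out"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def presence_at(badge, person, when):
    """Return 'in', 'out' or None (no badge record) for `person` at `when`,
    based on the last badge swipe at or before that moment."""
    last = None
    for ts, who, direction in sorted(badge, key=lambda r: parse_ts(r[0])):
        if who == person and parse_ts(ts) <= when:
            last = direction
    return last

def find_suspicious_logons(logons, badge):
    """Flag onsite logons by accounts whose owner had badged out or never
    badged in. Remote (VPN) logons are skipped: the user is expected to be
    outside the building for those."""
    flagged = []
    for ts, account, host, source in logons:
        if source != "onsite":
            continue
        state = presence_at(badge, account, parse_ts(ts))
        if state != "in":
            flagged.append((ts, account, host, state or "no-badge-record"))
    return flagged

if __name__ == "__main__":
    for row in find_suspicious_logons(LOGONS, BADGE):
        print("SUSPICIOUS onsite logon:", row)
```

In practice the same join is done in a SIEM between the directory's logon events and the physical access control system's export; the point is that neither log alone reveals the shared-credential use.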
The next time you talk about ROI to a potential customer also ask them about the cost of doing nothing. Might they be the next Société Générale?