Monday, February 25, 2008

Société Générale - update

Earlier, I posted on how lax password security was one of the ways that Mr. Kerviel thwarted "the system" and managed to perpetrate a $7.2B fraud against Société Générale. There have been a number of good reports on the fraud that I thought I'd point out in case you want to know a bit more about what went on:

Societe Generale: A cautionary tale of insider threats

Poor IT Security Blamed for Bank Fraud

Some of the other specific areas cited as problematic, all of them identity management, security or compliance related, include:

  1. Periodic reviews of user access rights were not being done. (aka "attestation")
  2. Fake e-mail messages were used to justify missing trades. (aka "digital signature or non-repudiation")
  3. Instant messaging was used for trading. (aka "inadequate audit")

Bob Blakeley over at Burton Group is quoted as follows:

...there must be a process of dual control, where no one trader is allowed to act alone. Important transactions should always be proposed by one individual and approved by another so that a conspiracy of at least two people would be necessary to do the company harm.

Unfortunately, Mr. Kerviel already thwarted dual-control by having the passwords of some of his fellow traders. You need more than dual-control - you also need two-factor authentication. Also, I'm willing to bet that even a few seconds of having someone else authorize a transaction could lead to a trading loss. I don't think these companies are willing to put security that high on their list if it impacts their profits!
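To make the point concrete, here is an added illustration (my own constructed model, not code from the original post or from any bank's system) of a dual-control check with and without a second factor. The user directory, passwords and TOTP seeds are all made up; the scenario is one person who knows two colleagues' passwords but holds only one hardware token.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo directory (an assumption, not any real system): each user has a
# PBKDF2 password hash and a TOTP seed that lives on a token only that user holds.
def _pw(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {
    "trader_a": {"salt": b"salt-a", "pw_hash": _pw(b"salt-a", "alpha-pass"), "seed": b"seed-a-token"},
    "trader_b": {"salt": b"salt-b", "pw_hash": _pw(b"salt-b", "bravo-pass"), "seed": b"seed-b-token"},
}

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: 30-second counter, dynamic truncation, zero-padded digits."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(user: str, password: str, otp: str, unix_time: int,
                 require_otp: bool = True) -> Optional[str]:
    """Return the user name as an authenticated principal, or None if any required factor fails."""
    rec = USERS.get(user)
    if rec is None:
        return None
    pw_ok = hmac.compare_digest(rec["pw_hash"], _pw(rec["salt"], password))
    otp_ok = (not require_otp) or hmac.compare_digest(totp(rec["seed"], unix_time), otp)
    return user if pw_ok and otp_ok else None

def dual_control(proposer: Optional[str], approver: Optional[str]) -> bool:
    """Accept a trade only when two distinct, successfully authenticated principals took part."""
    return proposer is not None and approver is not None and proposer != approver

def scenario(now: int) -> dict:
    """Constructed case: one person knows both passwords but holds only trader_a's token."""
    a_code = totp(USERS["trader_a"]["seed"], now)      # the only OTP that person can produce
    results = {}
    # Password-only: two user names satisfy the distinctness check although one human did both steps.
    p = authenticate("trader_a", "alpha-pass", "", now, require_otp=False)
    q = authenticate("trader_b", "bravo-pass", "", now, require_otp=False)
    results["password_only"] = dual_control(p, q)      # True: the control is defeated
    # With a second factor, the approval step cannot be completed without trader_b's own token.
    p = authenticate("trader_a", "alpha-pass", a_code, now)
    q = authenticate("trader_b", "bravo-pass", a_code, now)
    results["two_factor"] = dual_control(p, q)         # False: approval rejected
    return results
```

The TOTP routine is a straight RFC 6238 implementation, so it can be checked against the RFC's published test vectors before trusting the rest of the model.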
