Societe Generale: A cautionary tale of insider threats
Poor IT Security Blamed for Bank Fraud
Some of the other specific areas cited as problematic, and related to identity management, security or compliance, include:
- Periodic reviews of user access rights not being performed. (aka "attestation")
- The use of fake e-mail messages to justify missing trades. (aka "digital signature or non-repudiation")
- The use of instant messaging for trading. (aka "inadequate audit")
Bob Blakley over at Burton Group is quoted as follows:
"...there must be a process of dual control, where no one trader is allowed to act alone. Important transactions should always be proposed by one individual and approved by another so that a conspiracy of at least two people would be necessary to do the company harm."
Unfortunately, Mr. Kerviel already thwarted dual control by having the passwords of some of his fellow traders. You need more than dual control - you also need two-factor authentication. Also, I'm willing to bet that even a few seconds of having someone else authorize a transaction could lead to a trading loss. I don't think these companies are willing to put security so high on their list that it impacts their profits!
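As an added illustration (not from the original post or from Burton Group), the Python sketch below enforces the dual control described in the quote and shows why it needs a second factor: with password-only login, a borrowed colleague's password lets one person fill both the proposer and approver roles, while a per-user device code (TOTP) blocks it, and every decision lands in an audit trail for the periodic review mentioned above. All user names, passwords, secrets and trade values are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample directory: password hash plus per-user TOTP secret (the second factor).
USERS = {
    "alice": {"pw": hashlib.sha256(b"alice-pw").hexdigest(), "totp": b"alice-device"},
    "bob": {"pw": hashlib.sha256(b"bob-pw").hexdigest(), "totp": b"bob-device"},
}
AUDIT = []  # every login and approval decision, kept for periodic review

def totp(secret: bytes, now: int) -> str:
    """Six-digit code for the 30-second step containing `now` (RFC 6238 shape, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", now // 30), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000)

def login(user, password, otp, now, require_mfa=True):
    """Return the authenticated principal or None; with require_mfa=False a borrowed password passes."""
    rec = USERS.get(user)
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    ok = rec is not None and hmac.compare_digest(rec["pw"], pw_hash)
    if ok and require_mfa:  # second factor: a code only the owner's device can produce
        ok = otp is not None and hmac.compare_digest(totp(rec["totp"], now), otp)
    AUDIT.append(("login", user, "ok" if ok else "denied", "mfa" if require_mfa else "pw-only"))
    return user if ok else None

class TradeBook:
    """Dual control: a trade is proposed by one principal and approved by a different one."""
    def __init__(self):
        self.pending = {}
    def propose(self, principal, trade_id, notional):
        self.pending[trade_id] = (principal, notional)
        AUDIT.append(("propose", principal, trade_id))
    def approve(self, principal, trade_id):
        proposer, notional = self.pending[trade_id]
        if principal == proposer:  # the four-eyes rule itself
            AUDIT.append(("approve", principal, trade_id, "denied: self-approval"))
            return False
        del self.pending[trade_id]
        AUDIT.append(("approve", principal, trade_id, "ok"))
        return True

def scenario(require_mfa: bool) -> bool:
    """Alice proposes, then approves her own trade with Bob's password but not Bob's device."""
    book, now = TradeBook(), 1_700_000_000
    alice = login("alice", "alice-pw", totp(USERS["alice"]["totp"], now), now, require_mfa)
    book.propose(alice, "T-1", 5_000_000)
    bob_session = login("bob", "bob-pw", None, now, require_mfa)  # borrowed password, no device
    return bob_session is not None and book.approve(bob_session, "T-1")
```

Running scenario(False) books the trade through a single person; scenario(True) denies the second login and leaves the attempt in AUDIT.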