Poor password management may have led to bank meltdown

Huge losses reported by Société Générale were apparently enabled by forgotten low-level IT chores such as password management

The huge losses reported by French bank Société Générale, apparently caused by a rogue trader with inside knowledge of the bank's procedures, don't necessarily point to an IT systems failure, but rather to poor management of those systems, analysts say.

The bank has accused 31-year-old employee Jerome Kerviel of creating a fraudulent trading position in the bank's computers that ultimately caused it to lose around €4.9 billion ($7.3 billion).

Kerviel achieved this by, among other things, misappropriating computer passwords, the bank said. It has revealed few other technical details of what caused the losses.

Management of passwords, including rescinding passwords of employees who move to different positions within the bank, or modifying the level of access those passwords allow, is often a task given to the lowest-level IT worker.

"It's dull and routine 99 percent of the time, but a vital backstop," said Bob McDowall, senior analyst at the TowerGroup. Senior IT managers should conduct more frequent reviews of password policies, he said.

In some cases, it may not have been the security of the passwords themselves that posed a problem, but rather the access those passwords allowed, said Ian Walden, professor of information and communications law at Queen Mary, University of London.

Organizations tend to think of access as being binary in nature: you get access to it all, or you don't, Walden said. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated."

To make the best use of systems with advanced access controls, the IT department must have a thorough understanding of how the business works and where there is risk.

IT departments and business managers have yet to find a way to wrap security into business processes so that it is not an impediment, Walden said.

"IT in a company is not given a sufficient status," Walden said. "What's shocking is you would have thought that the financial sector was more sophisticated than this, but it still tends to be the case that security is an add-on and a block, something you've got to live with but you don't have to like, rather than being viewed as an integral part of the business structure."

Workers should be able to do their job without having to share passwords when someone goes on holiday, and the IT department should not make it harder for people to perform their duties, Walden said.

In one extreme example at telecommunications company BT, one employee didn't have the right to use a computer at all, but he found it helped him do his job, Walden said.

"By the time he was found, he had 90 passwords of different employees," Walden said.

It's possible that financial institutions could use biometric systems, such as fingerprint scanners, to provider an added layer of security, McDowall said. Those systems, however, are expensive. Also, the sometimes-finicky fingerprint scanners may not be appropriate in a frantic trading environment, McDowall said.

Questions remain about how Kerviel's losses could be so high given his job as relatively low-level trader. But Kerviel's career progression in 2005 from the bank's back office to the front office -- where he would have had access to client accounts -- is also troubling since he would have gained greater knowledge on the bank's inner controls, McDowall said.

As an arbitrage trader, Kerviel made money off price differences between different financial products. Société Générale said Kerviel balanced real and fake trades in order to avoid setting off internal alarms.

Kerviel has been described in some press reports as a computer genius. However, most attackers used unsophisticated methods for exploiting systemic vulnerabilities in applications, processes and procedures, according to the 2005 "Insider Threat Study" by Carnegie Mellon Software Engineering Institute.

That report notes that sophisticated tools are also used in some attacks, which would demand that internal financial systems need to be designed on a more defensive footing.

Programmers should code under the assumption that a hacker or employee will use every means in order to break in, said Ben Rothke, senior security consultant at BT's International Network Services.

"The underlying issue is that many systems are designed to stop honest people from making mistakes, but do not take into account those with malicious intent," Rothke said.

It makes insider jobs one of the toughest to defend against. The psychological profile of an insider tends to be a disgruntled employee who feels wronged by the company, according to the Insider Threat Report.

That in turn can lead to a suspicious behavior such as staying late at work, which paradoxically might only signal a committed employee.

"It's always the insider," Rothke said. "It's often harder to steal $10,000 from a bank than $10 million."

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies