Poor password management may have led to bank meltdown

The huge losses reported by French bank Société Générale, apparently caused by a rogue trader with inside knowledge of the bank's procedures, don't necessarily point to an IT systems failure, but rather to poor management of those systems, analysts say.

The bank has accused 31-year-old employee Jerome Kerviel of creating a fraudulent trading position in the bank's computers that ultimately caused it to lose around €4.9 billion ($7.3 billion).

Kerviel achieved this by, among other things, misappropriating computer passwords, the bank said. It has revealed few other technical details of what caused the losses.

Management of passwords, including rescinding passwords of employees who move to different positions within the bank, or modifying the level of access those passwords allow, is often a task given to the lowest-level IT worker.

"It's dull and routine 99 percent of the time, but a vital backstop," said Bob McDowall, senior analyst at the TowerGroup. Senior IT managers should conduct more frequent reviews of password policies, he said.

In some cases, it may not have been the security of the passwords themselves that posed a problem, but rather the access those passwords allowed, said Ian Walden, professor of information and communications law at Queen Mary, University of London.

Organizations tend to think of access as being binary in nature: you get access to it all, or you don't, Walden said. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated."

To make the best use of systems with advanced access controls, the IT department must have a thorough understanding of how the business works and where there is risk.

IT departments and business managers have yet to find a way to wrap security into business processes so that it is not an impediment, Walden said.

"IT in a company is not given a sufficient status," Walden said. "What's shocking is you would have thought that the financial sector was more sophisticated than this, but it still tends to be the case that security is an add-on and a block, something you've got to live with but you don't have to like, rather than being viewed as an integral part of the business structure."

Workers should be able to do their job without having to share passwords when someone goes on holiday, and the IT department should not make it harder for people to perform their duties, Walden said.

In one extreme example at telecommunications company BT, one employee didn't have the right to use a computer at all, but he found it helped him do his job, Walden said.

"By the time he was found, he had 90 passwords of different employees," Walden said.

It's possible that financial institutions could use biometric systems, such as fingerprint scanners, to provider an added layer of security, McDowall said. Those systems, however, are expensive. Also, the sometimes-finicky fingerprint scanners may not be appropriate in a frantic trading environment, McDowall said.

Questions remain about how Kerviel's losses could be so high given his job as relatively low-level trader. But Kerviel's career progression in 2005 from the bank's back office to the front office -- where he would have had access to client accounts -- is also troubling since he would have gained greater knowledge on the bank's inner controls, McDowall said.