The recent €5 billion rogue trading scandal at the French bank Societe Generale appears to have been successful due to compromised passwords. According to the Washington Post, the rogue trader in question, Jerome Kerviel, was able to commit the fraudulent trades by having knowledge of the control systems from previously working in that section and “by using his colleagues’ computer access codes and falsifying e-mails”.
This raises a number of major issues that most companies face and which many still fail to address out of fear of “offending” the staff members involved.
Firstly we have the issue of the trusted insider. Those that have successfully committed fraud are able to do so because they are familiar with the systems and the corresponding controls that are in place. The fraudster, knowing how the system works, can use this knowledge to his or her advantage to conduct and hide their activities. Special attention should be paid to all users who are placed in positions of trust, with regular audits of their activity carried out. Simple measures such as ensuring staff take 2 weeks’ holiday are not only good for staff morale but can be an effective means of noticing any unusual activity that occurs when that person is out of the office.
Remember the adage, “those that you trust the most will hurt you the most”, when you are planning your own internal control systems and alter those plans accordingly.
The other major issue in this case is the use of compromised accounts by Jerome Kerviel. Apparently he was able to access the control systems using the access IDs of former colleagues he worked with. This raises the question of how effective the access control systems in place at SocGen were:
- Did these ex-colleagues share their passwords with Kerviel? If not, how did he manage to compromise them?
- Were they written down somewhere for anyone to see? Were they easy to guess?
- Or indeed, had they been changed since he last worked in that area?
To protect secure systems one cannot simply rely on users to pick and use secure passwords. A number of options to consider when looking to protect sensitive systems include:
- Look at two-factor authentication systems. Do not simply rely on a password to protect your company’s crown jewels.
- Monitor valid and invalid login attempts. Your system logs are a rich vein of information that can show suspicious activity. For example, by correlating this data with real-world facts, such as someone logging on when they are on holidays, you may discover misuse of the system.
- Implement complex passwords and regularly audit the system to ensure users are complying with this policy.
- Force passwords to change on a regular basis so that old passwords are no longer valid.
- Maintain a history of old passwords and ensure they cannot be reused again.
- Configure your systems to lock an account if an invalid password is used a number of times within a short period, e.g. 3 times in 15 minutes.
- Ensure sessions on secure applications are logged out of the system if they remain inactive for a period of time.
- Review your security awareness program and ensure people are aware why they should not share their passwords and the consequences of doing so.
- Ensure your security awareness program educates and encourages users to report suspicious activity.
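Two of the items above, correlating login records with holiday rosters and locking accounts after repeated failures in a short window, are straightforward to automate. The following is an added example written for this post, not code from the original article or from any bank’s systems; the log format, usernames, dates and holiday roster are all constructed for illustration, and the thresholds (3 failures in 15 minutes) are the ones the list suggests.

```python
"""Added example: correlate authentication logs with a holiday roster and
apply a sliding-window lockout threshold. All data below is constructed."""
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOG = """\
2008-01-14T08:02:11 LOGIN_OK user=alice src=10.1.2.5
2008-01-14T08:05:40 LOGIN_FAIL user=bob src=10.1.2.9
2008-01-14T08:06:02 LOGIN_FAIL user=bob src=10.1.2.9
2008-01-14T08:07:15 LOGIN_FAIL user=bob src=10.1.2.9
2008-01-14T09:30:00 LOGIN_OK user=carol src=10.1.2.7
2008-01-15T10:00:00 LOGIN_FAIL user=dave src=10.1.2.3
2008-01-15T11:00:00 LOGIN_FAIL user=dave src=10.1.2.3
2008-01-15T12:00:00 LOGIN_FAIL user=dave src=10.1.2.3
"""

# Constructed holiday roster: user -> list of (first_day, last_day), inclusive.
# In practice this would come from the HR/leave system.
HOLIDAYS = {
    "carol": [(date(2008, 1, 10), date(2008, 1, 20))],
    "alice": [(date(2008, 2, 1), date(2008, 2, 7))],
}

LOCKOUT_THRESHOLD = 3              # failures ...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ... within this period


def parse_line(line):
    """Parse one 'TIMESTAMP EVENT key=value ...' line into a dict."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": kv["user"], "src": kv.get("src")}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def on_holiday(user, when):
    """True if the user's roster says they are away on the day of `when`."""
    return any(start <= when.date() <= end
               for start, end in HOLIDAYS.get(user, []))


def logins_during_holiday(events):
    """Successful logins by accounts whose owner is recorded as away.

    A hit here means either the roster is wrong or someone else is
    using that account, which is exactly the case worth investigating."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["event"] == "LOGIN_OK" and on_holiday(e["user"], e["ts"])]


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Accounts reaching `threshold` failed logins inside a sliding `window`.

    Returns {user: timestamp of the failure that crossed the threshold}.
    Failures spread out over hours (see 'dave') do not trigger a lockout."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "LOGIN_FAIL":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in flagged:
            flagged[e["user"]] = e["ts"].isoformat()
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("Logins while on holiday:", logins_during_holiday(events))
    print("Lockout candidates:", lockout_candidates(events))
```

On the constructed data, `carol` is flagged because her account logged in successfully while the roster says she is away, and `bob` is flagged for three failures within a couple of minutes; `dave` is not, because his three failures are spread over two hours. The holiday check is deliberately run over successful logins: a failed attempt during leave is merely suspicious, whereas a successful one means the credentials are in someone else’s hands.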
Too often our focus in defending our systems has been on the outsider. As this case demonstrates, the insider can cause much more damage. We should ensure we design our systems to protect not only from the outsider but also from the trusted insider who either deliberately or accidentally compromises our systems.