About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« A new law | Main | Federation is about trust »

Is this the world's biggest identity fraud?

By Dave Birch posted Jan 25 2008 at 3:19 PM

[Dave Birch] No doubt you will all have choked on your cornflakes this morning hearing about the sorry tale of Jerome Kerviel, the so-called "rogue trader" (I thought they all were!) who threw away FIVE BILLION EUROS of Societe Generale's money and, in passing, may have left the world financial system on the brink of collapse. Now Societe Generale (amusingly, the "Global Equities Derivatives House of the Year") must have had an army of compliance-wallahs, ticking boxes here and there, and spent a fortune on management consultants and auditors to comply with Basel II and every other directive under the sun. And yet, as the FT tells us,

Mr Kerviel appears to have built up his losses over a short period using accounts and passwords belonging to colleagues.

[From FT.com / In depth - The rogue trader who cost SocGen €5bn]

Well, well. And there was me thinking that investment banks with extremely valuable data to protect would have used some form of 2FA or even 3FA to protect themselves against losses that could extend into billions. Perhaps they decided against smart cards on the grounds of cost, or doing proper risk analysis on the grounds that it was waste of money, or something like that.

Just reflect on the sum of money for a moment: five billion euros. (Compare this to the median identity theft loss of $31,000 according to a U.S. survey last year.) Jerome is surely going down because of this:

The bank has filed a legal complaint against the trader accused of defrauding the bank which led to a loss of 4.9bn euros ($7.1bn; £3.7bn).

[From BBC NEWS | Business | SocGen scandal broadens in scope]

I have to say, though, that while no-one would argue with the general principle of sending investment bankers to jail, I wonder if it helps much in the long run? After all, our boy Nick got three-and-a-half years in chokey, but that doesn't seem to have been much of a deterrent: they aways think that this time they'll get away with it. But being a technological determinist, I also wonder if there was a proper risk analysis undertaken when SocGen specified their single sign-on system for traders? Having work on risk analysis in a varietty of different environments -- it's one of Consult Hyperion's areas of serious competitive advantage -- I'd say I can imagine the kind of conversation that went on:

Boring security expert: You know, we really should have some kind of identity management system in place to provision and monitor access to all of these systems. If the wrong person gets in, they could really do some damage!

Dynamic go-ahead trader: Screw you. I won't use anything that means it takes 200 milliseconds more to log in to anything. And I won't remember any more passwords, so I want to use the same one for all the systems. And I want to store it on the Blackberry I leave lying around all the time, and because I might forget it I want it glued to the back of my laptop on a piece of laminated card.

Finance director (ie, accountant): Identity management? That sounds expensive, and besides I've already spent the next three years IT budget on implementing a compliance system recommended by the management consultants / auditors / system integrators / software resellers.

Senior manager of some description: Well, I've got my bonus to think about, so I'll side with the traders.

It seems inconceivable to me that with all of the money spent on risk management, no-one knew that a system compromise wouldn't lead to a serious problem. If they didn't, then what was the point of the risk management? If they did, then what was the point of management. And, by the way, I'm not having a go for the sake of it: there's a human cost to this sort of thing, and we shouldn't forgot it: people will be losing their jobs because of this.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]


The flip side of the secure identity discussion is that the dream ID system could be put in place, and the traders would simply find another way to bypass it. E.g., insist that the managers have super-sign-on-cards and they become the norm (c.f., hospitals). The problems we are facing here are more socialogical and cultural than they are technical, which leaves the technologist scrambling to implement the tools.

The only way a pure-cost-ID-scheme will ever be accepted is because it also comes with a free improvement in some other fashion, compelling enough to attract traders to use the package. Possibly, you could probably offer the "compelling improvement" without the ID scheme, and get a better ROI ... calling for sleigh-of-hand on the part of the consultant, and thus a measure of luck in making the right judgement call.

"The problems we are facing here are more socialogical and cultural than they are technical"

I'm sure that's true, but I can't help feeling that raising the technological bar might help a little. Shouldn't an alarm have started ringing when the value-at-risk exceeded the bank's total capital?

Here are my opinions:

Nowadays, online business transactions can be easily hacked by illegal perpetrators. In the field of banking industry, financial transactions stored in computers can be affected by that crime. It only shows how intelligent people are. Their wisdom, knowledge and learning are being applied in their curiosity in discovering ways and illegal acts for their own earnings and even causing damage to others.

Business venture is really risky. Even there is better feasibility study and risk management; still it is unavoidable to encounter related problems. Investment analysis and management sometimes are wrong and inconsistent in this challenging world.

I believe that honesty of employees and confidentiality of all transactions are being implemented in banks. They are just less fortunate and victims of those civil law violations conducted by ambitious bad person.

How about some issues of No Fax Payday Loan in this site: http://personalmoneystore.com/moneyblog/ in which based on real experiences of people? Are they conducting predatory lending practices? How do you like it to be outlawed? Are they big threats to banking industry? Better read in that site for more understanding and conclusions.

The comments to this entry are closed.