(Photo courtesy of Zorg at Flickr)
Jerome Kerviel -- who may have cost his employer somewhere around $7 billion -- might prove that no security system is flawless, especially when the person compromising it has been given access to it.
Molly Moore of the Washington Post reports:
For five years, Jérôme Kerviel toiled in the back offices of Societe Generale, learning the intricacies of the six-layer security system that France's second-largest bank used to protect its money, investors and customers from fraud, according to bank officials here.
Kerviel then made an unusual career move. He was promoted to trader -- becoming one of the very employees the security systems are designed to oversee and keep honest.
Of course, no exact details are being given as to how Jerome pulled this off (they seldom are, for obvious reasons), but he is being described as a "computer genius."
I did notice in the Washington Post article that Jerome was keeping two sets of books, which is an age-old method of committing white-collar crime. Jerome was also voiding transactions to cover up questionable transactions, which is hardly a new method of fraud, either.
The trader maintained two sets of books, one in which he kept accounts of his successful investments, and a secret parallel book where he was "voiding his losing positions," Bouton said.
"He knew when controls were going to take place," Bouton said, because "over the years he had become an expert in controls." Bouton said Kerviel managed to outmaneuver six levels of controls and firewalls intended to detect and prevent fraud.
Most high-tech fraud is based on tried and true (even historical) methods of deception. Too often, organizations rely on computerized detection systems that might be a little too predictable. This is especially true when dealing with someone who has been given access to them and understands how they work.
All too often, organizations are sold one form of technical protection only to find out that, within a given period of time, someone has figured out how to circumvent it. Once this occurs, they need to buy another system, which might also be circumvented over time.
Human beings are very adept at figuring out how to circumvent (hack) systems. In fact, there seem to be communities of people dedicated to hacking whatever new technology comes out.
If Jerome was able to cost his employer $7 billion, he has set a new record. The person who set the previous record is mentioned in the Post article, and even made a quote from prison:
If confirmed, the losses at the bank would be the largest ever caused by an individual trader. They are far higher than the $1.4 billion run up by trader Nick Leeson in the mid-1990s in Singapore. His fraud caused the collapse of the institution where he worked, Britain's 233-year-old Barings Bank.
Leeson, now living in Ireland after serving a prison sentence in Singapore, told the BBC that he was not shocked such a fraud had happened again, but that "the thing that really shocked me was the size of it."
Maybe we shouldn't be so shocked? Perhaps the problem is an overreliance on systems to prevent fraud without enough human interface? Computers only do what they are told to do, and it takes a human being to circumvent them.
Technology is a wonderful thing and a great tool, but when it comes to protecting anything, common sense and the human factor need to be considered carefully as well!
The Washington Post article also has some interesting speculation on how this might have had an effect on global markets. The article can be seen here.