Passwords Fail

By Paul Foote and Reena Hora  |  Posted 2008-10-06

There are many ways to gain access to passwords, ranging from simple means such as casual conversation to more sophisticated software. Data and systems security cannot depend on passwords. In certain work environments, such as banks or other financial institutions, multiple users share a computer, each logging in with individual credentials to do their jobs. If a user forgets to log out of the system, the next user could misuse the still-open session to create fraudulent transactions or trades under the previous user's log-in. The ERP system would then record only that the transaction was carried out by the first user, under that user's log-in.

Biometrics authentication: The reliable solution for security

SAP users can mitigate fraud by using bioLock (from realtime North America), a certified biometric solution based on fingerprints. Even if log-in passwords were obtained, the fraudster could do nothing with them, because the biometric authentication system would deny access to perform transactions. Even if an ERP system uses multiple passwords per user to control access to specific modules, that approach is no match for a biometric system that can control access down to the transaction, field or data level. The biometric approach is crucial for maintaining segregation of duties when employees gain new responsibilities.
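The passage above (and the shared-terminal scenario before it) describe a control that is enforced at the transaction rather than at log-in. The following is an added illustration in Python; it is not code from the article and not realtime North America's bioLock product. It models a session established by a password, an idle timeout, a second factor that must match the session's owner before a trade is entered or confirmed, and a maker/checker rule for segregation of duties. The user names, roles, timeout value and the per-user byte strings that stand in for a fingerprint match are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_SECONDS = 300  # assumed policy value for this example

# Constructed enrolment data (hypothetical). A biometric product would hold a
# fingerprint template per user; here a per-user byte string stands in for the
# live sample so the example runs offline.
ENROLLED_SAMPLES = {
    "trader_a": b"constructed-sample-trader-a",
    "trader_b": b"constructed-sample-trader-b",
    "checker_c": b"constructed-sample-checker-c",
}
# trader_b has been given checking duties on top of trading, the situation the
# article describes when employees gain new responsibilities.
ROLES = {"trader_a": {"trader"}, "trader_b": {"trader", "checker"}, "checker_c": {"checker"}}

def _template(sample: bytes) -> bytes:
    return hashlib.sha256(sample).digest()

ENROLLED_TEMPLATES = {user: _template(s) for user, s in ENROLLED_SAMPLES.items()}

class Denied(Exception):
    """Raised when a transaction-level check fails."""

@dataclass
class Session:
    user_id: str          # identity established by the password log-in
    last_activity: float  # seconds; refreshed on each accepted request

@dataclass
class Trade:
    trade_id: str
    entered_by: Optional[str] = None
    confirmed_by: Optional[str] = None

def second_factor_matches(user_id: str, presented_sample: bytes) -> bool:
    """Match the presented sample against the template enrolled for *this* user ID."""
    template = ENROLLED_TEMPLATES.get(user_id)
    if template is None:
        return False
    return hmac.compare_digest(template, _template(presented_sample))

def _authorize(session: Session, sample: bytes, now: float, role: str) -> None:
    # An unattended session lapses after the idle timeout, so the next person at
    # the terminal cannot just carry on under the previous user's log-in.
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        raise Denied("session expired; re-authentication required")
    # The factor must belong to the session owner, not merely to some enrolled
    # user: a borrowed password yields a session as someone else, and a walk-up
    # at an open session is a different person, so both fail here.
    if not second_factor_matches(session.user_id, sample):
        raise Denied(f"second factor does not match session owner {session.user_id}")
    if role not in ROLES.get(session.user_id, set()):
        raise Denied(f"{session.user_id} lacks role {role}")
    session.last_activity = now

def enter_trade(session: Session, trade: Trade, sample: bytes, now: float) -> Trade:
    _authorize(session, sample, now, "trader")
    trade.entered_by = session.user_id
    return trade

def confirm_trade(session: Session, trade: Trade, sample: bytes, now: float) -> Trade:
    _authorize(session, sample, now, "checker")
    if trade.entered_by is None:
        raise Denied("nothing to confirm")
    if trade.entered_by == session.user_id:  # segregation of duties: maker != checker
        raise Denied("maker cannot confirm own trade")
    trade.confirmed_by = session.user_id
    return trade

def _attempt(results: dict, label: str, action) -> None:
    try:
        action()
        results[label] = "allowed"
    except Denied:
        results[label] = "denied"

def run_scenarios() -> dict:
    """Play through the article's failure cases; returns which were refused."""
    results, t0 = {}, 1000.0
    sess_a, trade = Session("trader_a", t0), Trade("TR100")
    enter_trade(sess_a, trade, ENROLLED_SAMPLES["trader_a"], t0 + 10)
    results["owner_enters"] = trade.entered_by
    # trader_a walks away without logging out; trader_b tries the open session
    _attempt(results, "walk_up", lambda: enter_trade(
        sess_a, Trade("TR101"), ENROLLED_SAMPLES["trader_b"], t0 + 20))
    # trader_b has obtained trader_a's password and logs in as trader_a
    _attempt(results, "borrowed_password", lambda: enter_trade(
        Session("trader_a", t0 + 30), Trade("TR102"), ENROLLED_SAMPLES["trader_b"], t0 + 31))
    # trader_a returns to the idle session after the timeout
    _attempt(results, "idle_session", lambda: enter_trade(
        sess_a, Trade("TR103"), ENROLLED_SAMPLES["trader_a"], t0 + 10 + IDLE_TIMEOUT_SECONDS + 1))
    # a separate checker confirms TR100 with their own factor
    sess_c = Session("checker_c", t0 + 40)
    confirm_trade(sess_c, trade, ENROLLED_SAMPLES["checker_c"], t0 + 41)
    results["checker_confirms"] = trade.confirmed_by
    # trader_b, now also a checker, enters a trade and tries to confirm it alone
    sess_b, own = Session("trader_b", t0 + 50), Trade("TR104")
    enter_trade(sess_b, own, ENROLLED_SAMPLES["trader_b"], t0 + 51)
    _attempt(results, "self_confirm", lambda: confirm_trade(
        sess_b, own, ENROLLED_SAMPLES["trader_b"], t0 + 52))
    return results
```

The point of the design is where the check sits: the second factor is verified against the session's owner at each transaction, so neither an open session left at a shared terminal nor a colleague's password is enough to post a trade, and the maker/checker rule still holds when one person carries both roles.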

Societe Generale Bank: A case study in what went wrong

The fraud at Societe Generale Bank is a classic example of how compliance with IFRS and Basel II was not enough to prevent a fraud that could have been prevented had the bank used SAP together with a biometric system such as bioLock.

Jerome Kerviel worked in the back office (and in the middle office) from 2000 to 2005, prior to becoming a trader. He had in-depth knowledge of the bank's systems and procedures. (References 9 and 10)

The middle office monitored and managed the bank's risk exposures. In 2002, Kerviel was promoted to assistant trader, managing risk analysis and hedging. In 2004, he was promoted to the elite Delta One desk as trader and market maker. His job was to make bets on small price differences between contracts. He needed to make the transactions in pairs, buying and selling similar assets and taking advantage of the minute differences that exist in markets.

Kerviel exceeded his limits and made one-way bets by faking the other half of each pair. He also started making unauthorized bets on the market's direction. Encouraged by the success of these bets, he continued betting on the direction of the market, making one-way bets and faking the other half. He was extremely successful doing this. For the year 2007, Kerviel generated a positive gain of 1.4 billion Euros. As he was not authorized to make these trades, he hid them from the bank by creating an offsetting fictitious operation. (Reference 11)

The winning streak ends

In January 2008, for the first time, Kerviel experienced an extended losing streak. He started making larger and larger bets that the market would turn around. He began doubling down, a strategy in which he doubled his bet after every loss. By Jan. 16, 2008, he had bet about 50 billion Euros, which was more than the bank's total market capitalization. At this point, Eurex started sending inquiries to Societe Generale's compliance staff regarding Jerome Kerviel's trading patterns. (Reference 12)

Kerviel went to great lengths to make sure his fraudulent trades went undetected by the system. He used fake e-mail messages to justify missing trades, borrowed colleagues' log-in credentials by using their passwords to conduct trades in their names, forged documents (he created a fictitious Profit and Loss statement for 2007, reflecting the bogus hedges he had created for this period), and manipulated the bank's proprietary system Eliot by deleting transactions and re-entering them after reconciliation.
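Two of the evasions listed above leave a signature in an ordinary audit trail: a log-in used by someone other than its owner shows up as one user ID active on two terminals at the same time, and a trade deleted after a reconciliation run and re-entered afterwards shows up as a delete/create pair around the control run. The following detection logic is an added example in Python, not code from the article or from any bank's system; the log format, terminal and trade identifiers, and the ten sample lines are constructed for the illustration.

```python
from datetime import datetime

# Constructed sample audit-log lines (not real bank data). They contain one user
# ID active on two terminals at once and one trade deleted and re-entered after
# the daily reconciliation run, the two patterns the passage describes.
SAMPLE_LOG = [
    "2008-01-10T09:00:00 LOGIN user=trader_b term=T07",
    "2008-01-10T09:05:00 LOGIN user=trader_b term=T12",
    "2008-01-10T09:10:00 CREATE user=trader_b term=T12 trade=TR100",
    "2008-01-10T09:30:00 LOGOUT user=trader_b term=T07",
    "2008-01-10T17:00:00 RECONCILE",
    "2008-01-10T17:20:00 DELETE user=trader_b term=T12 trade=TR100",
    "2008-01-10T17:25:00 CREATE user=trader_b term=T12 trade=TR100",
    "2008-01-11T09:00:00 LOGIN user=trader_a term=T03",
    "2008-01-11T09:15:00 CREATE user=trader_a term=T03 trade=TR101",
    "2008-01-11T09:40:00 LOGOUT user=trader_a term=T03",
]

def parse_line(line: str) -> dict:
    """Parse one 'timestamp ACTION key=value ...' line into a dict."""
    parts = line.split()
    event = {"ts": datetime.fromisoformat(parts[0]), "action": parts[1]}
    for kv in parts[2:]:
        key, value = kv.split("=", 1)
        event[key] = value
    return event

def parse_log(lines) -> list:
    return [parse_line(line) for line in lines]

def find_concurrent_logins(events) -> list:
    """Flag a LOGIN for a user ID whose session on another terminal is still open.

    One person cannot sit at two terminals, so this is the audit-trail signature
    of a log-in being used by someone other than its owner.
    """
    open_terminals = {}  # user -> set of terminals with an open session
    findings = []
    for ev in events:
        if ev["action"] == "LOGIN":
            terms = open_terminals.setdefault(ev["user"], set())
            already = sorted(terms - {ev["term"]})
            if already:
                findings.append({"user": ev["user"], "new_term": ev["term"],
                                 "already_open_on": already, "at": ev["ts"].isoformat()})
            terms.add(ev["term"])
        elif ev["action"] == "LOGOUT":
            open_terminals.get(ev["user"], set()).discard(ev["term"])
    return findings

def find_post_reconciliation_reentries(events) -> list:
    """Flag a trade deleted after a reconciliation run and later re-entered.

    A trade that is absent during a control run and present again afterwards
    never appears in that run's reports, so the pair itself is what to alert on.
    """
    reconciled = False
    deleted = {}  # trade id -> DELETE event seen after a reconciliation
    findings = []
    for ev in events:
        if ev["action"] == "RECONCILE":
            reconciled = True
        elif ev["action"] == "DELETE" and reconciled:
            deleted[ev["trade"]] = ev
        elif ev["action"] == "CREATE" and ev["trade"] in deleted:
            gone = deleted.pop(ev["trade"])
            findings.append({"trade": ev["trade"], "user": ev["user"],
                             "deleted_at": gone["ts"].isoformat(),
                             "reentered_at": ev["ts"].isoformat()})
    return findings

def review(lines) -> dict:
    """Run both checks over raw log lines and return the findings together."""
    events = parse_log(lines)
    return {"concurrent_logins": find_concurrent_logins(events),
            "reentered_trades": find_post_reconciliation_reentries(events)}
```

On the sample data, `review(SAMPLE_LOG)` reports trader_b logging in on T12 while T07 is still open, and TR100 being deleted at 17:20 and re-entered at 17:25 after the 17:00 reconciliation; trader_a's ordinary day produces nothing. Both checks are stateful but linear in the log, so the same logic can run over a day's export without loading it into a database.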

Paul Foote, Ph.D., is a Professor of Accounting at California State University, Fullerton. His courses and publications cover accounting information systems, auditing, forecasting, accounting standards, and the use of SAP R/3 and of bioLock. Paul can be reached at***********************************************************

Reena Hora is a graduate of California State University, Fullerton's Master of Science in Information Technology (MSIT) program, and works as an IT professional for a software company. Reena can be reached at
