IT Security Must Be Strengthened
To prevent a recurrence of a fraud like this, financial institutions can improve security by adding biometric systems to their ERP systems, or by replacing their legacy systems with SAP and bioLock. Most biometric systems are used for access control. Realtime North America's bioLock is the only biometric system which goes beyond access control and is even able to control a field, function or value within the ERP system--such as the amount of an outgoing wire transfer. The technology offers control for changes to transactions within SAP R/3 and will prevent unauthorized changes. The special committee for investigating Societe Generale's fraud recommended that, to prevent traders from using one another's accounts, the bank should use a stronger biometric authentication system. A system like bioLock could have prevented Societe Generale's Kerviel problem for the following five reasons:
1. When Jerome Kerviel was promoted from middle office to front office, bioLock could have been used to change his role and deny him access to the backend systems in SAP R/3.
2. An SAP system requiring biometric identification using bioLock would not have allowed Kerviel to use others' log-in credentials to post his fraudulent trades in their name.
3. bioLock would also have restricted Kerviel's access so that he could not delete records of his trade transactions from the system before reconciliation.
4. There would have been high accountability, as the system would have shown that Kerviel tried to use others' passwords to enter his trades in their name.
5. As a result, a technology such as bioLock would deter fraudsters from trying to commit fraud, since they would be uniquely identified.

Thus, a biometric system such as bioLock can protect SAP R/3 by restricting access and controlling who can make changes to transactions within SAP R/3. If SAP interacts with a trading system, and only SAP users can link to the trading system from SAP, then bioLock can be used to ensure that only authorized users log on to the user profile that connects to the trading system. The connection to the trading system would be established and would ask for biometric authentication again. The bioLock log file will record who connected to the trading system, and bioLock will also prevent unauthorized users from connecting.

Conclusion

In today's world, banks are required to comply with regulations and standards to protect the banks and financial institutions from fraud. To mitigate fraud, these banks and financial institutions need to supplement their internal controls compliance with biometric authentication. Biometrics will prevent data security breaches. Fraudsters will not limit themselves to perpetrating fraud through an ERP system alone. Users of ERP systems must also secure e-mail systems and any trading systems interfacing with an ERP system. This would tighten security and improve accountability.

Paul Foote, Ph.D., is a Professor of Accounting at California State University, Fullerton. His courses and publications cover accounting information systems, auditing, forecasting, accounting standards, and the use of SAP R/3 and of bioLock. Paul can be reached at firstname.lastname@example.org.

Reena Hora is a graduate of California State University, Fullerton's Master of Science in Information Technology (MSIT) program, and works as an IT professional for a software company. Reena can be reached at email@example.com.