Sunday, January 27, 2008

Is Jerome Kerviel Hacking?

If you read the headline of today's Washington Post story French Bank Says Trader Hacked Computers you might get the impression that Société Générale trader Jerome Kerviel is some kind of shellcoding ninja, Web 2.0 JavaScript samurai, or at the very least a script kiddie who can run Metasploit with the best of the certified ethical hackers. The truth of the matter is probably mixed. Kerviel is most likely a fraudster who took advantage of trading processes and controls.

The best source I've found so far is the Reuters article FACTBOX: Rise and fall of the SocGen rogue trader. It outlines the fraud thus:

* The alleged fraud, as outlined by the bank, included a genuine long position in regulated stock market index futures, contracts bought in the hope that prices would rise.

* Usually an arbitrageur hedges such a long position with an equal and opposite sale, or short position, reaping a profit from any gaps between the values of the two transactions.

* The SocGen trader did hedge the first position with a second, but the trades in that portfolio were fake. So the bank was unwittingly holding long futures positions without cover, leaving it exposed to the risk that prices would fall.

* To evade controls, for the second portfolio he chose unregulated over-the-counter derivatives which do not need a downpayment, including forward contracts.

* Because there was no downpayment, or margin, these trades were not subject to the same immediate checks as the real futures positions held in the first portfolio.

* Since the real and fake trades balanced each other out, SocGen says its computers perceived "low residual risk" overall.

* As the market turned against him, he sought to cover up mounting losses to avoid further tiers of compliance checks.


The only "computer" angle (besides tricking the controls which measure risk) involved the following:

* The bank alleges that he misappropriated computer passwords and faked documents.

"Misappropriating computer passwords" could be accomplished by using shared accounts, accounts on sticky notes, or any of the other poor practices used in group settings.

Lending credence to the computer angle is this Wall Street Journal story:

According to Mr. Bouton, the Société Générale chairman, Mr. Kerviel began conducting fraudulent trades sometime in 2007. People familiar with Mr. Kerviel's behavior believe he worked late into the night, essentially burrowing into Société Générale's computers, as he allegedly built a multilayered way to hide his trades by hacking into the computer systems.

Société Générale's computer systems are considered some of the most complex in banking for handling equity derivatives, that is, investment contracts whose value moves with the value of other assets. Officials of the bank believe Mr. Kerviel spent many hours of hacking to eliminate controls that would have blocked his super-sized bets. Changes he is said to have made enabled him to eliminate credit and trade-size controls, so the bank's risk managers couldn't see his giant trades on the direction of indexes.


If we focus on what Kerviel is alleged to have done, rather than how it is described, it's possible the "elimination of controls" via "changes" could be considered "hacking."

Let's see what happens! The only good aspect of this intrusion is that the investigation report should be public, because the offender is going to be prosecuted.

5 comments:

Edouard said...

wow. can't believe this non-event is going this far.

kerviel is being loaded like a damn, just to hide the fact that his management couldn't care less as long as it was working. (hard hide 50 billions € of positions, not to the 'controls system' (which are no more than a dumb ruleset) but to your fellow traders)

he certainly didn't hack in anything, as he was coming from back office, and knewing the date of audits, and the procedures.

the massive media FUD over here with this non-affair will certainly lead to more security BS like in germany, or UK.

this was a small story, which has been shouted as loud as possible to enforce a coming "anti-hacking law" (due spring 2008 in france) whose only point is to make the whining major happy.

want to bet the kerviel story will be a major argument in the debate ?

Chris said...

The French judicial system may allow for certain matters to remain hidden, despite the prosecution.

Whether this is a hack is almost beside the point. It is a colossal controls failure.

Think of it, Rich: they had layers of controls (defense in depth), were (let's say) fully compliant with oodles of regulations, yet when it came time to actually prevent an attack, $7bn were lost.

Ian Grigg nailed it over at his blog:
https://financialcryptography.com/mt/archives/000997.html

DanPhilpott said...

You have described a social engineering attack. Now you want to know if that counts as hacking?

I'll respond with an emphatic yes.

Anonymous said...

In French newspapers it is said he has used passwords that he knew from when he was still working for the back office. That would be the more plausible explanation (for anything he did related to computer hacking) for me.

Nevertheless, several year old passwords ... They really need a good compliance tool !

h4ckem.blogspot.com said...

Cool