The -7 billion dollars man

(my post about botnets is postponed… again, sorry !)

I’m not going to talk about the TV series “The Six Million Dollar Man”, but about an incredible event that was revealed today at one of the leading French banks, Société Générale.

This bank (whose market value is quoted at around 35 billion euros) revealed today that a single employee set up a massive and extremely complex fraud scheme inside the bank. He was ingenious enough to evade all internal controls and audits and to keep the fraud invisible. In the end, the operation was uncovered by a stupid mistake of his own; otherwise nobody might ever have known about it.

The amount of money that vanished is terribly impressive: 7.2 billion dollars (4.9 billion euros). All done by a single employee. And nobody knew about it.

The CEO made a statement today, so all the media are covering this incredible fraud, and his letter is even published on the front page of the corporate website. Naturally, he added that the internal audit teams, the managers and even their executives would be fired since they did not see it coming. On the other hand, he explained that the fraud operation was incredibly complex and brilliant.

The employee has been fired and sued. But what now?

  • the internal auditors didn’t see anything,
  • the guy pulled off an extremely brilliant operation,
  • given what he has done, no other bank will ever want to hire him; he is probably blacklisted everywhere,
  • the fired audit teams, and probably many more people, will want his head,

So only a few options are left:

  • organised crime will hire him, or
  • government anti-money-laundering services will hire him.

This also reminds me of the movie Catch Me If You Can and the famous Frank Abagnale Jr., who became an expert in counterfeiting.

As a Chief Security Officer, and since I’m also trained to check for fraud and to perform internal audits, I can only say that it is always possible for such things to happen. This article explained that the employee had a deep understanding and knowledge of all the internal audit processes, knew when and how they would occur, and was smart enough to hide, or even move, the operations he was covering in order to avoid detection. That’s what I would call a “prouesse” (a feat). Internal auditors in every bank are now aware that this can happen, but think about it… how could organised crime stay indifferent to such a talented guy…

Every single CSO and internal auditor should be worried about this kind of behaviour and about what happened today.

I certainly am, and I can’t stop thinking about the fact that the unbelievable has happened.

Bruno Kerouanton on January 24th 2008 in Fun and odd, IT Security

2 Responses to “The -7 billion dollars man”

  1. Ghost’ responded on 28 Jan 2008 at 17:44

    Hi,

    Bruno, I wasn’t surprised when I discovered your post! You’re very reactive!

    The “fraud” reveals deficiencies in organisation and internal controls, which are both the Achilles’ heel of French firms! Sorry for the generalisation, but I have seen many missing procedures and deficiencies in accounting and financial departments! They don’t want to allocate money for organisation and for internal or external audits! (and not only for IT processes, but also for human and technical organisation)

    Ghost’

    PS: sorry for my bad English… If you want to correct me…

  2. Bruno Kerouanton responded on 28 Jan 2008 at 18:45

    Hi Ghost,

    I feel that I may have been imprecise in my post.

    When I discovered the story, I was simply astonished. Then I started to think about the reasons it could have happened. Lack of controls? Seems not, the staff had to report daily on their operations. Lack of internal audits? Seems not, they had their own staff and they were trained. Lack of external audits? Maybe, but I guess not.

    The problem, as far as I know, is not that the controls weren’t present, but that they were documented in detail and that some people could learn how to circumvent them. That’s one of the major failures. Although I’m not a proponent of security by obscurity, it’s obvious that if you hand all the documents to attackers, there is a greater chance they will succeed in their crime.

    That was the reason I mentioned that this guy now has a chance of being hired by organised crime or by government agencies. He may not be a good trader, but since only a few people are able to act, he behaved like a hacker. Like Kevin Mitnick (or others), he isn’t the best, but he has a different mind; he was able to see things differently.

    One of the main concerns auditors (and security professionals) have, is that they are “narrow minded”. They have formal processes to audit, use standardized tools and methods, and most of the time aren’t able to settle into the mind that should be required in order to see “things that shouldn’t occur”.

    A chief security officer will be good if he buys the latest security appliances, starts a 27001 certification and trains people.

    A chief security officer will be brilliant if, in addition, he can grasp the intruder’s mind and anticipate, by imagining what, why, when and how the intruder can act.

    That’s what most audit teams cannot do… they aren’t trained to do so, they aren’t molded to act so.

    Let’s compare with something totally different: the army. Traditional audit teams are like regular soldiers. They are trained to obey and fight (control), but they won’t be able to do anything when the enemy is “abnormal”, as is more and more the case in asymmetric wars and terrorism. To fight terrorism, the only way is to train special forces, with extra knowledge that not only enables them to be stronger, but also, and most of all, enables them to “act like the enemy” and think the same way. This is the only way to win.

    In short, let’s summarise: audit teams and controls are useful, but they will only detect what they look for. If you want to “detect the undetectable”, you need a kind of “special forces” team that thinks like the enemy in order to anticipate its moves… Know your enemy…

    By the way, Ghost… This problem is not specific to French firms, as you tend to say. I believe it’s common to all companies and structures.
