By boz On Monday, 25 February 2008 At 12:35

Matasano Chargen

The SocGen fraud scandal

Mike Tracy | February 1st, 2008 | Category: Uncategorized

A lot has been made of the SocGen trading scandal as a case of someone
cracking a computer system to defraud the bank. I traded on the Chicago
Board Options Exchange before getting into software testing and security
full-time and anywhere the two intersect is interesting.

Reading the first outbreak of stories, you'd think the guy was slicing
through the bank's access controls causing all sorts of unauthorized
mayhem (note the use of the word "unauthorized" for later on). Sifting
through the follow-ups I came across Reuters, which put a whole different
spin on it. Rich Bejtlich at TaoSecurity has a good write-up, sums it up
pretty well in his first graph and highlights some salient points. Paul
Waldie has the most interesting article I have read on the subject.

So why bother writing about it? Because, assuming the bank's story is
true, this is a teachable moment in authorization versus authentication.

So what happened Mike?

According to news accounts, a junior derivatives trader (Jerome Kerviel)
who was recruited from the back office (what position he held isn't
clear) concocted an incredibly clever scheme to lose the bank $7.2
billion. The motive wasn't money as he wouldn't have been able to
profit if things had gone well. Apparently he just wanted recognition
as a star trader and a bonus.

Is getting into a trading position from the back office really so
“unusual”?

In my experience with exchanges, no. Getting onto a bank's trading
floor is a different matter. The spin by the bank, however, provides
fuel for their premise that Kerviel had inside knowledge that allowed
him to bypass authorization in their system.

So what exactly is a “derivative instrument?”

The simplest definition of a derivative is a financial instrument that
derives its value from another underlying financial instrument. For
example, a futures contract is a derivative that bases its value on the
market price of the underlying commodity. Specifically, a futures
contract guarantees the buyer the right to purchase a set amount of a
commodity at a given price on a given date. In this case we are
examining "regulated stock market index futures" which base their value
on an underlying index of stocks (DAX, EuroStoxx and FTSE to be exact).

A "regulated" derivative is normally referred to as an "exchange traded"
or "listed" derivative. Listed futures contracts differ from other
types of forward contracts in that they can be bought and sold at any
time before their expiration date in a regulated marketplace, have terms
that are standardized by an oversight agency, are guaranteed by neutral
clearing entities and have a standardized settlement procedure. In the
case of stock index futures, the settlement is normally in cash as
opposed to taking delivery of bushels of oranges or ounces of gold.

So an “over the counter” derivative is just like an “Over the Counter”
stock?

Not at all. Over the counter derivatives are custom contracts priced
and negotiated to suit the particular purpose of the entity initiating
the contract. They have no set parameters, are not subject to the same
regulatory oversight and have no guaranteed clearing or settlement
mechanism. Think of it as re-insurance or a bookie laying off one way
action with another book to reduce his exposure. They are normally (if
not always) traded between banks and used to hedge portfolio (forward
contracts or options) or interest rate (swaps) risk. A premium is
normally written into the contract for providing the service.

If Kerviel’s job was to write over the counter forward contracts for the
bank and hedge them with listed futures, then he was clearly authorized
to enter the types of trades he allegedly entered into the bank’s
system.

OK, but what if that wasn’t his job?

Then it's unlikely that Kerviel was authorized to negotiate (and have in
his position) over the counter trades. It would also mean the over the
counter contracts were the "hedge" against his long futures positions.
Given the complexity of negotiating and premiums paid for over the
counter forward contracts, the probability of this being a winning
trading strategy asymptotically approaches zero. In any case, it's
certainly not an "arbitrage".

But obviously Kerviel was putting fake trades in the system. He must
have been hacking, right?

Even lacking authorization by the bank to trade over the counter
securities, Kerviel may still have been able to enter these types of
trades into the bank's order entry system without any other access to
the system than what he walks into work with every day. That some of
his entered trades were fictitious and designed to hide the risk he was
carrying is no more elegant than kiting a check. It certainly doesn't
require any hacking skills.

So what’s the real issue here?

Simple. The bank should have asked and answered one simple question:
"Is this trader's position authentic?"

There are only two possible theories for the fraud. One, as pointed out
in the Reuters article, is that Kerviel was removing the bogus over the
counter trades from his position before being checked and then
re-entering them. This would have to take place on (at least) a daily
basis and with very precise timing. The other is that no such
manipulation of the position took place.

If he were removing the "hedge" part of his position from the system,
the incredibly large amount of market risk in his position would have
been exposed. If the position ended up losing $7.2 billion, how many
contracts was he actually long? If the position was never changed in
the system, the bank apparently never got around to checking if the over
the counter trades were valid. All someone in the clearing or risk
department had to do was pick up a phone and call the bank(s) on the
other side of the trade(s).

I’m still not quite clear how this teaches us anything about
authorization versus authentication…

Kerviel was obviously authorized to enter trades into the system. He
was allegedly entering (and perhaps removing and re-entering) bogus
trades to cover the incredible amount of risk to which he was exposing
the bank. Whether the fraudulent trades were entered through
unauthorized means is irrelevant. The trades still appeared in (or
disappeared from) his position. Despite (ostensibly) having controls in
place to either find the risk or expose the bogus trades, the bank
utterly failed to make sure Kerviel's position was what he said it was.
"Trust but verify" takes on a whole new meaning.
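The two checks the post says the bank never ran (confirm each booked trade with the party on the other side, and notice when a "hedge" is pulled out of the book before the daily check and put back afterwards) are small enough to show in code. The following is an added example, not code from the post or from any bank's system; the trades, notionals, counterparties and booking events are constructed for illustration, and the 18:00 check time is an assumption.

```python
"""Position-authenticity checks: reconcile a trader's booked position against
independent counterparty confirmations, and flag trades that are cancelled
before a daily check and re-booked after it. All data is constructed."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trade_id: str
    book: str          # "listed" (exchange traded, cleared) or "otc" (bilateral)
    instrument: str
    quantity: int      # contracts; positive = long, negative = short
    notional: float    # exposure per contract in EUR (constructed figure)
    counterparty: str  # clearing house for listed trades, a bank for OTC ones


# Constructed snapshot of one trader's position as booked in the internal system:
# long index futures, "hedged" by short OTC forwards against two banks.
POSITION = [
    Trade("L1", "listed", "DAX-FUT", 4000, 2500.0, "CLEARING-HOUSE"),
    Trade("L2", "listed", "ESTX-FUT", 6000, 1500.0, "CLEARING-HOUSE"),
    Trade("O1", "otc", "DAX-FWD", -4000, 2500.0, "BANK-A"),
    Trade("O2", "otc", "ESTX-FWD", -6000, 1500.0, "BANK-B"),
]

# Constructed set of trade ids acknowledged by the other side. The clearing
# house confirms the listed trades; nobody at BANK-A or BANK-B confirmed O1/O2.
CONFIRMED = {"L1", "L2"}


def unconfirmed_trades(position, confirmed):
    """Trades present in the book that no counterparty has acknowledged."""
    return [t for t in position if t.trade_id not in confirmed]


def net_exposure(position, confirmed=None):
    """Signed exposure in EUR. When `confirmed` is given, unconfirmed trades are
    excluded, i.e. the book is valued as if the unverified hedges do not exist."""
    total = 0.0
    for t in position:
        if confirmed is not None and t.trade_id not in confirmed:
            continue
        total += t.quantity * t.notional
    return total


# Constructed audit trail of booking events as (day, "HH:MM", action, trade_id).
# The daily check runs at 18:00; O1 is cancelled just before it and re-booked after.
EVENTS = [
    (1, "09:10", "book", "L1"),
    (1, "09:12", "book", "O1"),
    (1, "17:55", "cancel", "O1"),
    (1, "18:00", "check", None),
    (1, "18:20", "book", "O1"),
    (2, "17:58", "cancel", "O1"),
    (2, "18:00", "check", None),
    (2, "18:15", "book", "O1"),
]


def rebooked_around_check(events, check_time="18:00"):
    """Map trade id -> number of days on which it was cancelled before the check
    and re-booked after it. A snapshot taken at check time never sees these
    trades; the booking history does. Times are zero-padded "HH:MM" strings,
    so plain string comparison orders them correctly."""
    by_day = defaultdict(list)
    for day, time, action, tid in events:
        by_day[day].append((time, action, tid))
    hits = defaultdict(int)
    for evs in by_day.values():
        cancelled_before = {tid for time, action, tid in evs
                            if action == "cancel" and time < check_time}
        rebooked_after = {tid for time, action, tid in evs
                          if action == "book" and time > check_time}
        for tid in cancelled_before & rebooked_after:
            hits[tid] += 1
    return dict(hits)


if __name__ == "__main__":
    print("unconfirmed:", [t.trade_id for t in unconfirmed_trades(POSITION, CONFIRMED)])
    print("booked exposure (EUR):", net_exposure(POSITION))
    print("verified exposure (EUR):", net_exposure(POSITION, CONFIRMED))
    print("cancel/re-book pattern:", rebooked_around_check(EVENTS))
```

Two things the snapshot alone does not tell you fall out of this: the book nets to zero only because of trades nobody on the other side has acknowledged, and a trade that is gone at 18:00 every day and back by 18:20 shows up only if the control reads the booking history rather than the end-of-day position. Both checks use data the bank already holds; neither depends on how the trades got into the system.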


1 Comment so far

yhbt, February 1st, 2008, 5:01 pm

According to Wikipedia (of which Tom seems to be particularly fond lately): "A Hack is usually a technique used to subvert, misuse or subtly change a program, gadget or mechanism in such a way as to change, or add to, its functionality."
So I don't see why everyone disagrees with the media about this being a hack. Looks like the media got it right this time.
