Data Security: A Little Comment On Password Safety and Société Générale.

If you’ve been following the news, you probably know that a “rogue” trader at the French bank Société Générale has cost the bank 7 billion dollars (4 billion euros, if you’d rather skip the exchange rate).  While the details are still coming out (it’s day two of questioning by the French police for Jérôme Kerviel, the trader in question), enough has leaked to understand how Kerviel was able to run up such a loss for the Red-and-Black-Rising financial group.  From the New York Times:

“The unions also want to address the possible loopholes in the bank’s internal security systems that may have allowed Mr. Kerviel to use log-ins and passwords of his colleagues to execute his fictitious trades.”

Let us assume that the above was a contributing factor to the 7 billion dollar loss.  Ah, yes.  Using the user names and passwords of colleagues.  Unfortunately, this kind of thing happens all the time.  I may have to eat my words later, but I’ll bet there’s nothing tremendously wrong with Société Générale’s security systems as such.  Every air-tight security system falls victim to the weakest link in that system: the people.

Technically, you’re supposed to keep your user name and password private.  Let no one know it, including your mother.  In practice, it’s safe to say that a majority of the time this is not followed.  Busy day at the office?  Out to lunch with an important client?  Someone you trust needs access to something?  Oh, here’s my password…just don’t spread it around. (Right.  It won’t happen.  Revealing one’s password is like peeing in a pool:  no way to stop the spread…)


Or perhaps you are a C-level executive (or are darn close to becoming one), and commandeer a platoon of secretaries.  You let them take care of passwords.  Why not?  They take care of your bills as well.  What’s a password when they can already access your money and your 401K?  C-level, coming through!  Too busy to take care of my own phone bill or to establish a password!  Or remember a password, for that matter.


The problem with the above is that you never know when one of your trusted colleagues, agents, secretaries, or what-have-you will turn “rogue,” which is just the expression “turn bad” wrapped in a cloak of sensationalism for selling newspapers and keeping a story alive.  (I can only concede to using the word rogue for financial types if they handle explosives and are a killing machine, like Jason Bourne.  Oh, they exist.  That’s what NOCs are for.  Jérôme Kerviel?  Not rogue.  To begin with, he’s in police custody.  No way a Bourne type’s detention would be public knowledge.)  When do people turn bad?  Why do they turn bad?  That’s a philosophical question without a perfect or permanent answer.  But for pragmatic purposes they turn bad when they screw up, like blowing your last wage on losing lottery tickets that were supposed to pay off the loan shark.  So now you have to turn to crime to make sure cousin Vinny doesn’t break your bones.  Or something along those lines…


The best security system in the world is useless if people don’t do what they’re supposed to do.  Take encryption for your computers.  Laptop encryption nowadays means a symmetric cipher with a 128-bit (or longer) key, with AES the standard choice, and that is the strength AlertBoot uses (among other strong encryption standards, if you prefer them).  RSA, developed back in the late 1970s, is still THE public-key algorithm (note the emphasis), but in disk encryption its job is to protect keys, not to encrypt the data itself; a “128-bit RSA key” is not a thing, since RSA keys run to a thousand bits or more.  Used correctly, a 128-bit key is so strong that trying every possible key with all the computing power in the world right now would take over a billion years.  Even if you factor in Moore’s Law (which cannot be extrapolated indefinitely, since exhaustive search of a 128-bit space runs into physical limits on computation), brute force stays far outside any attacker’s planning horizon.  You can take a few zeros off a billion years and it is still a very long time.


Which is why anyone trying to break into an encrypted computer goes after the user name and password, not the encryption key.  The user name and password are what unlock the data, so they’re necessary; and yet they are also the weakest link in your security chain, because you rely on people to keep them safe.  A password chosen by a human has a small fraction of the entropy of a 128-bit key, and a password handed to a colleague has none at all.  If several people hold a user name and password for a critical piece of machinery, or worse yet, if one person holds several user names and passwords for critical pieces of machinery….well!  A guy could log onto several terminals and execute trades under different names to the tune of seven billion dollars in losses.  It doesn’t happen all the time, but look at what happens when it does.  And it’s not as if this type of thing is uncommon: Nick Leeson bankrupted Barings over ten years ago, although the control failure in that case was different (he ran both the trading desk and its back-office settlement, so nobody independent was checking his positions).
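To put numbers on the point above, here is an added example (not from the original post and not AlertBoot’s code). It compares the cost of brute-forcing a 128-bit key against the cost of guessing the password that protects it. The throughput figures, the salt, the password and the word list are all constructed for illustration, and PBKDF2-HMAC-SHA256 is assumed as a stand-in for whatever key-derivation step a given product actually uses.

```python
import hashlib
import math

# Assumed attacker throughput. Constructed order-of-magnitude figures for
# illustration, not measurements of any real system.
RATE_ALL_COMPUTERS = 1e21     # raw key trials/second: a generous bound for "all the computing power in the world"
RATE_ONE_GPU_PBKDF2 = 1e6     # password guesses/second against a slow key-derivation function on one GPU
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_brute_force_years(search_space_bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the space is tried."""
    return 2 ** (search_space_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size symbols.
    This is a best case; human-chosen passwords carry far less."""
    return length * math.log2(alphabet_size)


def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Turn a password into a 128-bit key. PBKDF2-HMAC-SHA256 is assumed here as a
    stand-in for the key-derivation step of a real disk-encryption product."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=16)


def guess_password(target_key: bytes, salt: bytes, candidates, iterations: int = 100_000):
    """Dictionary attack on the key-derivation step: the attacker never searches the
    128-bit key space, only the much smaller space of passwords people actually pick."""
    for candidate in candidates:
        if derive_key(candidate, salt, iterations) == target_key:
            return candidate
    return None


def compare_attack_costs():
    """Years to brute-force a 128-bit key with the world's computers versus years to
    brute-force an 8-character lowercase password on a single GPU."""
    key_years = expected_brute_force_years(128, RATE_ALL_COMPUTERS)
    pw_years = expected_brute_force_years(password_bits(8, 26), RATE_ONE_GPU_PBKDF2)
    return key_years, pw_years


def demo():
    salt = b"constructed-salt-value"           # constructed; a real product stores a random per-volume salt
    disk_key = derive_key("trader2008", salt)   # constructed password; the key itself is never guessed
    dictionary = ["password", "socgen", "trader2008", "Kerviel!"]  # constructed mini word list
    recovered = guess_password(disk_key, salt, dictionary)
    key_years, pw_years = compare_attack_costs()
    print(f"recovered password: {recovered}")
    print(f"128-bit key, all computers on earth: {key_years:.2e} years")
    print(f"8-char lowercase password, one GPU: {pw_years * SECONDS_PER_YEAR / 3600:.1f} hours")
    return recovered, key_years, pw_years


if __name__ == "__main__":
    demo()
```

The key space takes billions of years even with an absurdly generous attacker; the password space falls in about a day, and a shared or written-down password in no time at all. That asymmetry is the whole reason the password, not the cipher, is what gets attacked.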


Keep your passwords safe and private.  A secret shared with another is a secret shared with the world.
