“The False Sense of Security – The Illusion of Automated Protection for Business Assets”

How many more cases of successful frauds have to take place before the IT industry, especially those that produce anti-fraud, security systems and auditing controls, are going to acknowledge (perhaps admit is a better choice of words) that their product is not a “total solution”? It is not, and never will be a total guarantee against frauds and threats, nor will guarantee the prevention of frauds and threats. That is a fact.

As a matter of point, companies that hard-sell and advertise that their “automated” solutions will truly detour and reduce potential financial attacks, or attacks on sensitive information on/against their businesses are creating a dangerously-proven illusion, which, in turn, companies will believe or are talked into believing with statistics and marvelous-looking matrix systems, reports, presentations, etc., etc…

In reality, the financial frauds that exist today constantly adapt faster and are smarter, more effective and WILL circumvent any automated system that is created or presently in existence. This too, is a statement of fact. Our statement is supported by the “billions” of dollars lost to frauds and scams where allegedly “best” automated protective systems were in place. It is just a matter of time before they were circumvented, compromised, or even “used” to help steal and commit financial frauds that range from a few thousand dollars, to billions.

From the top-ten world prime banks, including those in the EU, to numerous clearing houses throughout Asia, automated systems have provided a false sense of security and have tossed aside common-sense practices/approaches of “manual” systems and procedures. Why? Because of the claims of faster, more “efficient” systems with “techno-babble” jargon (talk), bells-and-whistles sales pitches and the constant use of the term “fraud matrixes and libraries” designed to spot and identify trends “before” it happens.

It is a great sales pitch, and looks even better on paper with a professional presentation that can raise eyebrows (which, if truly examined “proactively” would show that such presentations are nothing more than trying to predict the weather with 100% accuracy).

A sadder fact is that most potential buyers don’t even know that these “automated systems” are not even meeting the standards of compliance or governance requirements. Worse yet, they may meet specific standards, which in a week or two after installation, fall “out” of compliance.

How fast we forget the financial catastrophes that have taken place over a very short timespan. The billions upon billions of dollars lost ending up as front-page news, but a short time later, celebrity news has taken its place. Who-is-divorcing-who is more important than billions stolen from a top-ten bank and yet, the “cause” and “methods” of HOW the revenue/assets were taken becomes moot.

That is the first fatal error (as history repeats itself – guaranteed);

The inability to take responsibility and say “our automated systems failed” is the second fatal error; and

The third and most deadly fatal error is those companies that are manufacturing and developing anti-fraud/detection systems “continue” on the same path with the same methodology where they “believe” that they can design the ultimate system that will STOP fraud and financial/asset losses (e.g. including, but not limited to losses of classified documents, sensitive materials and correspondence, emails, key internal data, let alone plain currency and negotiable instruments (tangible or intangible).

More amazing, is we have performed on-going analysis and research of many of these companies and have found one of many disturbing common denominators. One of the biggest issues they have in common is they “don’t” understand the industries or nature of the client’s business. They are building it from “their” perspective, not the client’s actual needs based upon the true nature of the client’s business and the industry it exists in. Obviously you don’t go to an eye doctor to perform back surgery, but in reality that is exactly what is taking place. This is as logical as building the “classic” better mouse-trap to catch a tiger.

How many businesses remember October 5th, 2010? Just a few years ago… I asked that question to over thirty-eight major financial institutions and Fortune-500 companies which should know that date well. Even two of the companies that had very special interest in that date didn’t remember, or even know.

4.9 Billion Euros ($6,741,000,000+/- USD), yes, forty (6.741 billion United States Dollars was “used” (gambling actually) without the companies knowledge, and the person who did it, Jerome Kerviel.

Kerviel was formally charged on 28 January 2008 with abuse of confidentiality/non-disclosure and unauthorized access to computers.

The charges filed by the French Court had the potential of sentencing Mt. Kerviel to a maximum of three-years in prison.

On 29 January 2008 investigating judges Renaud van Ruymbeke and Françoise Desset “Dismissed with Prejudice” prosecutor Jean-Claude Marin’s motion to charge Kerviel with the more serious crimes of “fraud, attempted fraud, wire fraud and international money laundering” and to grant Kerviel be help without bail.

Mr. Kerviel’s trial began on June 8th, 2010. On October 5th, 2010, Mr. Kerviel was found guilty of the original charges of  disclosure and unauthorized access to computers, and sentenced to five years in prison, with two years suspended. He was also to be required to make “full restitution” of the $6.7+ billion Euros which was stolen (but the court referenced it in their transcripts as “lost”), and a lifetime ban working in any financial institution, whether it be public, private or governmental.

Caroline Guillaumin, Sub-Director of Public Relations for Bank Société Générale, was quoted, That the restitution was “symbolic”, and that the bank had no expectation that the monies “lost” would be recovered or paid back.”

Olivier Metzner, Kerviel’s 2nd lead attorney, was quoted “That the sentence against Mr. Kerviel was “extraordinary and unreasonable”, and immediately filed for appeal with the Paris Appeals Court.

Said appeal request was granted within ten (10) days, a record for the appeal process within the French legal system. During this appeal period, Mr. Kerviel’s sentence was suspended in it’s entirety until a decision would be rendered.

On October 24th, 2012, the Paris Appeals Court upheld the October 2010 sentence for three (3) years in prison (with another two suspended) Further, Mr. Kerviel was ordered to reimburse 4.9 Billion Euros to Bank Société Générale for the lose incurred.

In March of 2014 (yes, this year), the French High Court “sustained” Kerviel’s prison sentence but “over-ruled the previous sentence that Mr. Kerviel would have to reimburse the 4.9 Billion Euros to Bank Société Générale. In simple terms, Mr. Kerviel did not have to pay a Euro back.

Upon completion of Mr. Kerviel’s “reduced” prison term (for good behavior), he was immediately employed by “Lemaire Consultants & Associates“, known to be a IT information systems and computer security consulting firm. Last confirmed he was earning a high six-digit Euro salary with stock interests, major benefits and a paid home in Northern France.

End of story – Crime does pay.

Who were the victims?

French Bank Societe Generale. Yes, one of the top banks in the EU with the most up-to-date, most sophisticated electronic and automated financial security systems in place. It was claimed to be one of the greatest “state of the art” automated systems in existence. This was ALL compromised by ONE person. The charge Mr. Kerviel plead guilty to was “Computer Abuse” collateral financial lessor financial crime charges.

Investors.

Insurance companies to some degree

The Bank of France (Finance Division and not to be confused with the “actual” Bank of France”)

Yet, there should have been another “number” of companies that should have been standing there in the defendants’ box along with Mr. Kerviel. The software and hardware providers that sold a “bullet-proof system that could not be broken into”. They sold an illusion. But then again, is it a case of “buyer beware”?

When, at the trial, the question was raised about “manual protocols, systems and procedures”, there was the famous pregnant pause – no answer. When asked again, the response was nebulous at best. They truly had something in place, but no one really knew what it was and how it interfaced with the “bullet-proof” automated system. The fact is that it didn’t. The fact is that the manual systems were obsolete for over four years. The fact is there were only two personnel in charge of updating the manuals that dealt with the “manual” protective systems since they were told they were not needed anymore. That was an expensive $6,741,000,000+/- USD decision.

We would call this type of logic “Automated Titanic Logic” – Just like the ship that “could not sink”, ONE individual circumvented and cut through every single automated system in place like a hot knife through butter. For over three (3+) years since the installation of the “bullet-proof” automated system, the fraud(s) had continued on, un-noticed.

Think about this for a moment. Every automated system within Bank Societe Generale that cost “millions of dollars” to purchase, install and maintain, F-A-I-L-E-D.

Plain and simple – Failed.

Where were the manual policies, strategies and systems that could have worked “along” with the automated systems to give some credibility and teeth to a “protective” system (or better yet, should have been mandatorily included)? Where was the business planning and strategy to implement to “mitigate” damages WHEN the fraud(s) took place, not “IF”?

Most interesting, what has happened POST-loss?

The bank was quoted that the supervisors and staffing were totally caught “off guard” and were “totally unaware” of what was going on/what happened… for three (3+) years?

The manufacturers and providers of the security system referred to a single reply, and that was a finger pointing to their End User License Agreement (commonly referred to as “EULA” which exists with almost any software), and that is they do NOT guarantee almost anything, warranty anything and they are not responsible for almost everything that has to do with the product.

If you take the time to read a EULA Agreement, you will find it most enlightening. More important, IF you want to use the software, if you DON’T AGREE to it, it will NOT let you LOAD and USE the software. Simple as that.

No, Mr. Kerviel was not the only guilty party in this matter, and this is just ONE of hundreds upon hundreds of cases, all with a common denominator.

We must examine the “exceptional gross negligence” of how a financial institution could possibly put so much faith into its automated protective systems and procedures to have it fail so drastically. These financial institutions are responsible for the due diligence and validation of the investments of their clients, but it doesn’t apply to their own security of their client’s revenues once in their possession?!

Then the companies that sold the “Titanic” style automated anti-fraud software which were on the spot, ended with an interesting turn of events. There was only ONE of those companies that was found guilty of gross negligence. Not fraud, not a crime. A civil case is where the jury ruled “in favor” of the bank. Yet, so many involved and truly, collectively responsible faded like smoke into the wind. Security companies and providers disappeared, and shortly thereafter, new ones sprung up with the “same” people running them.

It makes no difference whether it would have been a thousand dollar loss, or billions. It is the “repeat” of the same mistakes, based upon the same blind-faith and ignorance of companies that will put that “blind-faith” into a 100% automated solution that have been CLEARLY PROVEN, beyond a reasonable doubt, to be absolutely vulnerable, exposed and open to exploitation. This is a reality and businesses, financial institutions and government agencies STILL support this “Titanic” logic.

How many more financial institutions, businesses and agencies have to incur losses such as these? A better question that can be easily answered is WHO does it ultimately affect? – Consumers, businesses and financial institutions of all types and within all industries as well as government agencies alike. From small enterprises to large corporations, from sole proprietorships to massive government contractors and their employees… the list grows.

Finally, what about the losses? Are they just “financial”? What about the trust, the “churn of clients”, the loss of confidence and loyalty of clients, vendors and those who are financing such companies that make such a “major” mistake? Well, the news on this loss we have used as a “sample” was replaced within two (2) days later with tabloid-style news that was far-more important. Divorces and dating habits of celebrities took center stage far, far longer than this news. What’s a few billion dollars lost anyway?

Is there a solution?

Yes, but we are not going to provide you with an alternative that is any kind of “guarantee” to END fraud and security breaches. It will not STOP frauds and threats either.

What is DOES do, is it integrates manual and automated, into a solution, the ONLY solution that will allow best, reasonable effort to protect the business against potential frauds and threats and will allow effective MITIGATION to take place expeditiously.

What it does do, is WHEN the fraud or threat takes place, it can be “mitigated” and quickly controlled reducing the impact on the company and its clients.

However, those questions and solutions are in our next article.

<<< Back