The recent loss from unauthorized trading at UBS was revised upward to $2.3 billion as announced Sept. 18, 2011: http://www.bloomberg.com/news/2011-09-18/ubs-estimates-loss-from-unauthorized-trading-at-2-3-billion.html
The actions of a single rogue trader are blamed, and UBS has disclosed that the magnitude of the risks taken by the trader was masked by “fictitious positions”. Everyone appears to agree this situation was caused by a lack of internal controls. The real question is, what is meant by internal controls? Usually, the term refers to internal policies, procedures and protocols. Sometimes these are a reflection of governmentally imposed requirements (for example Sarbanes-Oxley), but mostly these just refer to an organization’s own interpretation of what constitutes good governance. The concept of “checks and balances”, otherwise know as Segregation of Duties (SoD), is supposed to help safeguard good governance. Corporate policies should be reflected and enforced by its enterprise computer systems.
Unfortunately most internal policies depend on voluntary compliance by employees, otherwise known as an “honor system”. The deterrent against non-compliance is discipline or termination, again basing the control mechanism on human ethics and emotional drivers. Experience shows that this approach breaks down from time to time when a rogue individual chooses to circumvent approved processes. In the case of UBS, or the very similar €4.9 billion Société Générale case several years earlier, the individual may have been motivated not by personal gain but by the potential fame of achieving huge trading gains for their employer: http://www.bbc.co.uk/news/10259720 . In several recent fraud cases involving Citigroup and Bank of America, personal gain was the driver, where bank insiders embezzled large sums for their own use.
Regardless of motivation, these individuals were not prevented from their actions due to an absence of computer system controls.
Most users of corporate enterprise computer systems log on at the beginning of their work session with a profile consisting of username and password, and that is the extent of system control. Password use is a category of security techniques called “what you know”, in other words, a piece of information which could be acquired by anyone including an unauthorized user. The computer system has no way of knowing if the operator that has logged on is the designated user of the profile, or an impostor who has stolen or guessed the password combination. In other words, no true identity management takes place, only validation of a theoretical user profile. Given this inherent vagueness, even when insider fraud is discovered, it is often legally impossible to convict a suspect due to the circumstantial nature of password use.
From a computer system perspective, techniques are available to exert more stringent controls which are not based on voluntary compliance, and which use true identity management. This entails the use of biometric verification of the person logging on. A biometric credential such as a fingerprint is unique to an individual and cannot be guessed or stolen, because it is based on a person’s physiology. This category of security techniques is known as “who you are”. Organizations wishing to truly take charge of who has access to their enterprise system would be well advised to consider the use of biometrics instead of passwords.
Using biometric controls is not limited to the moment of logging on to a system, in fact, what happens inside the system is even more important. It should be possible to set up additional checkpoints inside the system whenever a critical activity is performed. This could mean anything involving sensitive data, or large amounts of money, or information that would be of value if stolen. For example, if a user is transferring a large sum of money, or setting up a new trading account, or opening a customer’s record with all their personally identifiable information (PII) visible, these activities are critical enough to require the operator to re-authenticate with a fingerprint. This can accomplish several goals:
a) Absolutely prevent a user from gaining access to unauthorized areas.
b) Create true accountability for a user’s actions.
c) Enforce any segregation of duties, or checks and balances, as deemed necessary by the organization’s business processes or government regulation (ex. HIPAA, ITAR, etc.)
d) Generate a robust audit trail of user activities, even failed attempts.
e) Provide employers with legal ammunition to pursue rogue employees.
UBS and Citigroup have doubtlessly pursued vigorous internal investigations, of which only few details have been released in news reports. However, we have learned from those news reports that the rogue insiders drastically overstepped their credentials and falsified accounting records, meaning they set up fake transactions, fake customers or fake vendors. This would only be possible in a system based on passwords, and would be impossible in a system using biometric re-authentication as described above. While the financial institutions affected by these losses have publicly announced re-examinations of their policies, and have appealed to their employees for higher professional and ethical standards, unless biometric controls are implemented within their computer systems it is only a matter of time before another employee gives in to temptation.
Biometric system controls can be enabled using commercially available software such as bioLock™ for SAP®. Such software also requires the presence of biometric scanners installed at users’ workstations or mobile devices. The most widely available, reliable and cost-effective devices are fingerprint scanners or biometrically enabled smart cards from various manufacturers. These devices transmit the scanned, encrypted biometric data back to the identity management software located in the entreprise host system, which then controls what a user is allowed to do according to their security credentials. This type of biometric control, based on “who you are”, is the most advanced security technology available today for enterprise systems.