IT security experts say audit technology could have helped stop the UBS rogue trader

According to Noa Bar Yosef, senior security strategist with Imperva, two things probably conspired to cause the rogue trading losses: the first being that the trader was probably given excessive account privileges, and the second that the bank probably failed to monitor legitimate users of its systems.

Time, said Bar Yosef, is constrained, resources are lacking and it's just too easy to say 'well, we can't start defining what's allowed and what's not for all users. Let's just give a whole group of people the same privileges.'

“But it’s enough for just a single user to abuse these excessive privileges for an organisation to suffer a data breach. Consider the case at Diablo Valley Community College. For three years they had the [admins] there modifying student grades. When the breach came to light, they found that out of the 100 users who were granted excessive privileges, only 11 really required them”, he said.

On the subject of apparently failing to monitor legitimate users, Bar Yosef said that, once the access controls – setting the appropriate privileges for the different users – are in place, it's common enough to assume that the work is done.

“Not quite… even those with legitimate privileges can abuse their rights. Consider healthcare administrators in LA hospitals providing celebrity medical records – George Clooney, Britney Spears, Tom Cruise etc. – to journalists”, he noted.
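The two failure modes Bar Yosef describes, privileges granted far beyond what a role actually needs (the 100-granted, 11-required pattern) and legitimate users exercising a valid privilege against records outside their remit, are both things an access log can surface. The following is an added example written for this article, not code from Imperva or from the article itself; the grant table, access log, assignment scope and the 90-day window are all constructed.

```python
"""Two audit checks over a constructed access log: privilege right-sizing
(who holds a privilege but never uses it) and monitoring of legitimate
users (who uses a privilege against records outside their assigned scope).

Added example, not code from the article or from Imperva. Users, data
and the review window are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed grant table: user -> set of privileges they were given.
GRANTS = {
    "alice": {"grade:read", "grade:modify"},
    "bob":   {"grade:read", "grade:modify"},
    "carol": {"grade:read", "grade:modify"},
    "dave":  {"grade:read"},
}

# Constructed access log: (ISO timestamp, user, privilege used, record).
ACCESS_LOG = [
    ("2011-09-01T09:00:00", "alice", "grade:read",   "student/1001"),
    ("2011-09-01T09:05:00", "alice", "grade:modify", "student/1001"),
    ("2011-09-02T10:00:00", "bob",   "grade:read",   "student/2002"),
    ("2011-09-03T11:00:00", "carol", "grade:read",   "student/3003"),
    ("2011-09-03T11:01:00", "carol", "grade:modify", "student/4004"),
    ("2011-09-04T12:00:00", "dave",  "grade:read",   "student/1001"),
]

# Constructed scope: which records each user is actually responsible for.
ASSIGNMENTS = {
    "alice": {"student/1001"},
    "bob":   {"student/2002"},
    "carol": {"student/3003"},
    "dave":  {"student/1001", "student/2002"},
}


def unused_privileges(grants, log, days=90, now=None):
    """Return {user: privileges granted but not exercised in the window}.

    `now` defaults to the newest timestamp in the log so the example is
    reproducible; a real audit job would pass the wall clock.
    """
    now = now or datetime.fromisoformat(max(ts for ts, *_ in log))
    cutoff = now - timedelta(days=days)
    used = defaultdict(set)
    for ts, user, priv, _record in log:
        if datetime.fromisoformat(ts) >= cutoff:
            used[user].add(priv)
    return {u: privs - used[u] for u, privs in grants.items() if privs - used[u]}


def privilege_summary(grants, log, privilege, **window):
    """How many users hold `privilege` versus how many exercised it,
    plus the candidates whose grant could be revoked."""
    holders = {u for u, p in grants.items() if privilege in p}
    idle = {u for u, p in unused_privileges(grants, log, **window).items()
            if privilege in p}
    return {"granted": len(holders),
            "used": len(holders - idle),
            "revocable": sorted(idle)}


def out_of_scope_access(log, assignments):
    """Flag uses of a legitimately held privilege against a record outside
    the user's assigned scope: the 'authorised but abused' case."""
    return [(ts, user, priv, record) for ts, user, priv, record in log
            if record not in assignments.get(user, set())]


if __name__ == "__main__":
    print(privilege_summary(GRANTS, ACCESS_LOG, "grade:modify"))
    for hit in out_of_scope_access(ACCESS_LOG, ASSIGNMENTS):
        print("out of scope:", hit)
```

Run against the constructed data, `privilege_summary` reports three holders of `grade:modify` of whom two used it, naming `bob` as a revocation candidate, and `out_of_scope_access` flags carol's modification of a record she is not assigned to. The first check feeds a periodic right-sizing review; the second is the kind of rule that a monitoring system would evaluate continuously rather than at review time.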

Over at Lieberman Software, Philip Lieberman, chief executive of the privileged account security specialist, agreed with Bar Yosef's analysis on the excessive account privilege front. He said that there was clearly a problem with segregation of duties and the need for 'dual controls', as well as attribution.

“This sounds a lot like they did not have any type of suspicious trading analysis software in place. The sad part is that all this technology exists, but UBS chose to save money on software and security to the detriment of its shareholders”, he said, adding that the case sounds a lot like that of infamous bank trader Nick Leeson, from whose case the term 'rogue trader' was coined.

“In that 1990s case, Leeson made a large number of unauthorised and speculative trades that initially made profits for his employers, Barings Bank, but later went sour, costing the bank so much money that it eventually went bust. What was notable about Leeson's fraud was that he gained access to Barings' error accounts – which were used to soak up trades that cost the bank money – apparently without full authorisation”, he said.

“Of course, it's too early to say whether the UBS loss case has direct parallels with the downfall of Barings Bank, but it's interesting to note that, as the news broke, it sent the bank's share price skittering in a downward spiral, as investors realised the ramifications – and probably remembered the Nick Leeson case”, he added.

The Nick Leeson fraud – which has since been turned into a movie – was notable, said Lieberman, as the Barings banker used an account numbered 88888, 8 being considered a very lucky number in Chinese numerology.

Leeson claimed that this account was first used to hide an error made by one of his colleagues, who did not buy the 20 contracts the customer had ordered, costing Barings £20,000 in the process, he explained.

The Barings rogue trader, noted the Lieberman Software president, then misused his account to cover his subsequent bad trades, which gradually spiralled out of control as Leeson chased the bank's losses.

The Nick Leeson case was caused, said Lieberman, by the fact that Barings had allowed the trader to remain chief trader whilst he was also responsible for settling his own trades – jobs usually carried out by two different people. Whilst this made it much simpler for him to hide his losses from his bosses, it also meant he had access to multiple accounts, which banks today – hopefully – now realise should not be allowed.
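The three controls Lieberman names, segregation of duties (the person who executes a trade must not be the one who settles it), dual control (a posting to an error account needs a second, independent approver) and attribution (every action is tied to a named principal), can be expressed as rules over a trade event stream and checked after the fact or in near real time. The block below is an added example written for this article, not code from UBS, Barings or Lieberman Software; the roles, principals, events and the rule that only a supervisor may approve an error-account posting are constructed. The account number 88888 is taken from the article's description of the Leeson case.

```python
"""Segregation-of-duties, dual-control and attribution checks over a
constructed trade event stream.

Added example, not code from the article, from UBS or from Lieberman
Software. Roles, principals and events are constructed; the error
account number 88888 is the one the article attributes to Leeson.
"""
from collections import defaultdict

# Which actions each role may perform (constructed).
ROLES = {
    "trader":     {"execute"},
    "settlement": {"settle"},
    "supervisor": {"approve"},
}

# Principal -> roles held. tr2 holds both trading and settlement, the
# combination the article says Barings allowed Leeson to keep.
PRINCIPALS = {
    "tr1":  {"trader"},
    "tr2":  {"trader", "settlement"},
    "st1":  {"settlement"},
    "sup1": {"supervisor"},
}

# Accounts that exist only to absorb booking errors; postings to them
# require approval by a different principal holding the supervisor role.
ERROR_ACCOUNTS = {"88888"}

# Pairs of actions on one trade that must be performed by different people.
SEGREGATED = [("execute", "settle")]

# Constructed events: (trade_id, principal, action, account, approver or None)
EVENTS = [
    ("T1", "tr1", "execute", "client-a", None),
    ("T1", "st1", "settle",  "client-a", None),   # clean: two different people
    ("T2", "tr2", "execute", "client-b", None),
    ("T2", "tr2", "settle",  "client-b", None),   # same person executes and settles
    ("T3", "tr1", "execute", "88888",    None),   # error account, no approver
    ("T4", "tr1", "execute", "88888",    "tr1"),  # self-approval
    ("T5", "tr1", "execute", "88888",    "sup1"), # clean dual control
    ("T6", "",    "execute", "client-c", None),   # unattributed action
]


def findings(events, principals=PRINCIPALS, roles=ROLES,
             error_accounts=ERROR_ACCOUNTS, segregated=SEGREGATED):
    """Return a sorted list of (trade_id, finding, detail) tuples."""
    out = []
    actors = defaultdict(dict)  # trade_id -> {action: principal}
    for trade, who, action, account, approver in events:
        if not who:  # attribution: every action needs a named principal
            out.append((trade, "unattributed", action))
            continue
        permitted = set().union(*(roles.get(r, set()) for r in principals.get(who, set())))
        if action not in permitted:
            out.append((trade, "role_violation", who))
        actors[trade][action] = who
        if account in error_accounts:  # dual control on error-account postings
            if approver is None:
                out.append((trade, "error_account_no_approval", who))
            elif approver == who or "supervisor" not in principals.get(approver, set()):
                out.append((trade, "error_account_bad_approver", who))
    for trade, acts in actors.items():  # segregation of duties per trade
        for first, second in segregated:
            if first in acts and second in acts and acts[first] == acts[second]:
                out.append((trade, "sod_same_principal", acts[first]))
    return sorted(out)


if __name__ == "__main__":
    for finding in findings(EVENTS):
        print(finding)
```

On the constructed events this reports T2 as a segregation-of-duties breach even though tr2 legitimately holds both roles, which is the article's point about Leeson: the grant itself was the control failure. T3 and T4 are caught by the dual-control rule, T6 by the attribution rule, and T1 and T5 pass. The same rules could run inside a trade-surveillance pipeline rather than as a batch job over the ledger.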

“It will be interesting to work out the methodology that the alleged UBS rogue trader used when placing his trades. I suspect that he probably had access to accounts that he should not have, and this allowed him to trade the [major] dollar loss”, he said.

“The tangible losses are one thing, as UBS now looks likely to generate a loss during its third quarter. But the 8% drop in the bank's share price when trading commenced after the news was released is another thing. We are into reputational damage territory, and that can be a very expensive problem for a bank”, Lieberman added.
