In one of the banking world's most unsettling recent disclosures, France's Société Générale SA said Mr. [Jérôme] Kerviel had cost the bank €4.9 billion, equal to $7.2 billion, by making huge unauthorized trades that he hid for months by hacking into computers. The combined trading positions he built up over recent months, say people close to the situation, totaled some €50 billion, or $73 billion. ("French Bank Rocked by Rogue Trader" by David Gauthier-Villars, Carrick Mollenkamp, and Alistair MacDonald, January 25, 2008, p. A1)
Apparently, Kerviel essentially bet huge sums of Société Générale's money that major European stock indexes would rise. These bets were hugely in the money during 2007, but the market began to turn at the beginning of this year and Kerviel's positions turned negative. He apparently evaded the bank's risk controls by creating fictitious trades that appeared to offset the actual trades that he made. In addition,
According to Mr. Bouton, the Société Générale chairman, Mr. Kerviel began conducting fraudulent trades sometime in 2007. People familiar with Mr. Kerviel's behavior believe he worked late into the night, essentially burrowing into Société Générale's computers, as he allegedly built a multilayered way to hide his trades by hacking into the computer systems.
Société Générale's computer systems are considered some of the most complex in banking for handling equity derivatives, that is, investment contracts whose value moves with the value of other assets. Officials of the bank believe Mr. Kerviel spent many hours of hacking to eliminate controls that would have blocked his super-sized bets. Changes he is said to have made enabled him to eliminate credit and trade-size controls, so the bank's risk managers couldn't see his giant trades on the direction of indexes.
Mr. Citerne said the bank didn't notice the unauthorized trading until last week because the trader had "intimate and malicious" knowledge of its procedures and knew at what dates checks were conducted. "Each time he took a position one way, he would enter a fictitious trade in the opposite direction to mask the real one," Mr. Citerne said. According to one person familiar with the situation, Mr. Kerviel used the computer log-in and passwords of colleagues both in the trading unit and the technology section.
It's difficult to tell from this description exactly what Kerviel did, but it sounds to me that from his work in Société Générale's back office before his transfer to the trading desk, he formed an intimate understanding of their risk control computer applications and developed strategies for evading. Specifically, it appears that he used passwords of his colleagues to log into the risk control system and either approve his own trades or alter the configuration of the system so that his trades weren't flagged as risky. The keystone of this evasion strategy was him getting his colleagues' passwords. It's possible, of course, that he installed a password cracker or used keystroke loggers to intercept the passwords. I doubt it, though. If Société Générale is like every other corporation in the world, Kerviel would have had little trouble getting the passwords from Post-It notes on the sides of his coworkers' monitors or even from just asking them for them. If that's what he did, it can hardly be called hacking. Unauthorized access, certainly; but hacking implies a level of technical sophistication that copying passwords off Post-It notes doesn't require.