Poor password management may have led to bank meltdown

Jon Callas jon at callas.org
Wed Feb 6 16:44:20 EST 2008


On Feb 4, 2008, at 1:55 PM, Arshad Noor wrote:

> Do business people get it?  Do security professionals get it?
> Apparently not.
>
> Arshad Noor
> StrongAuth, Inc.
>
> Huge losses reported by Société Générale were apparently enabled
> by forgotten low-level IT chores such as password management.
>
> http://www.infoworld.com/article/08/02/04/Poor-password-management-may-have-led-to-bank-meltdown_1.html

Yes, but get what? "It" is a vague noun.

The reporter showed some wit by using the word "may."

This was an attack by an evil (or crazy) insider. Evil insider attacks  
are the hardest to protect against. If the insider decided that he was  
going to start making trades for whatever reason, then he'd find a  
weak point that would allow him to make trades, and use it, no matter  
what it is. (My personal hypothesis is a variant of a mad-scientist  
attacker -- "They laughed at me when I told them my trading theories!  
Laughed! But I'll show them! I'll show them ALL!!!")

If this person had worked for 1000 hours to get a hardware token, he  
would have just done the work. The result may have been an order of  
magnitude more. High-security procedures tend to be more brittle for  
psychological reasons. If you have the magic dingus, then you are  
authorized, and no one ever questions the dingus.

Also, one must look at the economics and psychology of the situation.  
Traders are prima-donna adrenaline junkies who trade vast sums of  
money all the time and are not shy about expressing their  
frustrations. Looking at the sheer economics first:

* A trader trades C units of currency every hour, with an average  
profit of P (for example 5% profit is P=1.05).

* There are T traders in the organization.

* The extra authentication produces a productivity drop of D. For  
example, let us suppose a trader has to authenticate once per hour,  
and it takes 10 seconds to authenticate. This gives us a D of .9972 or  
3590/3600.

So the operational cost of your authentication is (1-D)*T*C*P per  
hour. Divide €4.9G by that, and you get the number of hours for the  
raw break-even time on this.

Add to this the probability that the hassle will convince a trader to  
jump ship to another firm (J), times the number hours of trading lost  
until you find a replacement (H). We'll assume the replacement needs  
no spinup time to become as productive as the previous trader. That's  
an additional cost of J*H*T*C*P. This is the psychological factor. As  
I said, traders are prima donnas who are used to getting their own way.

People have criticized post-9/11 airline security on similar grounds.  
They observe that some number of people drive rather than fly, and  
calculate out the difference in deaths-per-passenger-mile. I've seen  
numbers that work out to a handful of 9/11s per year caused by traffic  
displacement. They also observe that large numbers of people spend  
extra time in lines, which works out to a "lost life" number. For  
example, if you assume that passengers spend 10 extra minutes clearing  
security and a life is 70 years, then roughly 6 million passengers  
represents one lost life.

There's always much to criticize in these models. I could write a  
reply to this message with criticisms, and so can you. Nonetheless,  
the models show that there's more than just the raw security to think  
about.

	Jon

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list