Biometrics would not have prevented SocGen incident

An early contender for the biggest load of security tosh of the year comes within the report produced by Société Générale in response to the recent trading fraud scandal. The report identifies a number of actions “as part of a structured plan”, and the very first one of those is described as follows:

Strengthening IT security through the development of strong identification solutions (biometry).

I cannot see anything to suggest that insufficient authentication and access controls were to blame for the incident. What we had was a breakdown in process, supervision, management and audit controls that should have worked together and flagged an issue long before it became newsworthy. Authentication establishes who is at the keyboard; it says nothing about whether what that person then does is legitimate, which is the job of authorisation, segregation of duties, dual control and reconciliation. Call me what you like, but I just don't see that biometrics would have mitigated any of the risk. Am I missing something?

For example, page 8 of the report (and here I will admit that I haven't read it all, just the bits I could pick out in five quick minutes) lists a number of controls that were bypassed in order to "hide the fictitious nature" of the trading. Given that the purpose of biometrics is to establish identity, I do not see how a fingerprint, blood sample or iris scan would have stopped a properly identified trader from sidestepping procedural controls such as "no confirmation for internal transactions." The user at the terminal was exactly who the system thought he was; the problem was what he was allowed to do once logged in, and the fact that nobody was checking.
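To make the distinction concrete, here is an added example (my own illustration, not code from the post or anything taken from the Société Générale report). It runs a back-office control over a constructed trade log: every internal, desk-to-desk trade must be confirmed by the counterparty desk within a deadline, and nobody may confirm a trade they booked themselves. The trades, desk names, dates and the two-day deadline are all invented. The control keys purely on transaction properties, so swapping the booking user's login from a password to a fingerprint produces exactly the same exception list.

```python
"""Added example: a confirmation / segregation-of-duties control over a
constructed trade log. Not from the original post or the SocGen report;
desks, trade IDs, dates and the 2-day deadline are assumptions."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional

CONFIRMATION_DEADLINE = timedelta(days=2)   # assumed back-office rule
AS_OF = date(2008, 1, 18)                   # constructed "today" for the run


@dataclass(frozen=True)
class Trade:
    trade_id: str
    booked_by: str
    auth_method: str              # how the booking user logged in: never consulted below
    booked_on: date
    counterparty: str             # another internal desk, or an external firm
    internal: bool
    confirmed_by: Optional[str] = None   # user on the counterparty side who confirmed


def control_exceptions(trades: List[Trade], as_of: date) -> Dict[str, List[str]]:
    """Return the trade IDs that breach the two procedural controls.

    unconfirmed_internal: internal trade with no counterparty confirmation
                          after the deadline has passed.
    self_confirmed:       trade "confirmed" by the same user who booked it
                          (a segregation-of-duties breach, whoever that user is).
    Note that auth_method is deliberately ignored: identity is already known,
    the question is whether the transaction itself was checked by someone else.
    """
    exceptions = {"unconfirmed_internal": [], "self_confirmed": []}
    for t in trades:
        if t.internal and t.confirmed_by is None and as_of - t.booked_on > CONFIRMATION_DEADLINE:
            exceptions["unconfirmed_internal"].append(t.trade_id)
        if t.confirmed_by is not None and t.confirmed_by == t.booked_by:
            exceptions["self_confirmed"].append(t.trade_id)
    return exceptions


def build_sample_log(auth_method: str) -> List[Trade]:
    """Constructed trade log; the same five trades regardless of login method."""
    base = [
        # properly confirmed internal trade
        Trade("T1", "trader-a", auth_method, date(2008, 1, 10), "desk-b", True, "desk-b-ops"),
        # internal trade never confirmed, well past the deadline
        Trade("T2", "trader-a", auth_method, date(2008, 1, 10), "desk-b", True, None),
        # internal trade booked yesterday: still inside the confirmation window
        Trade("T3", "trader-a", auth_method, date(2008, 1, 17), "desk-b", True, None),
        # external trade: confirmation is handled by a different (external) process
        Trade("T4", "trader-a", auth_method, date(2008, 1, 10), "bank-x", False, None),
        # internal trade the trader "confirmed" himself
        Trade("T5", "trader-a", auth_method, date(2008, 1, 10), "desk-b", True, "trader-a"),
    ]
    return base


def compare_login_methods(as_of: date = AS_OF) -> bool:
    """True when the control output is identical for password and biometric logins."""
    password_run = control_exceptions(build_sample_log("password"), as_of)
    biometric_run = control_exceptions(build_sample_log("fingerprint"), as_of)
    return password_run == biometric_run


if __name__ == "__main__":
    for method in ("password", "fingerprint"):
        print(method, control_exceptions(build_sample_log(method), AS_OF))
    print("same exceptions regardless of login method:", compare_login_methods())
```

The exception report is what a supervisor or audit function acts on; a stronger login factor feeds nothing into it. The `self_confirmed` rule is a generalisation I have added beyond the single control quoted above, since it is the usual companion check, but it is still an assumption about the kind of rule such a system would run rather than anything the report describes.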

This is also a view shared by Kenneth Paterson of Royal Holloway, University of London, in this very insightful article published as part of the latest Computer Weekly Think-Tank on insider threats.

Read the full report here.