<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: trader]]></title>
    <link>http://securityratty.com/tag/trader</link>
    <description></description>
    <pubDate>Tue, 19 Feb 2008 21:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Stop Me if This Sounds Familiar]]></title>
      <link>http://securityratty.com/article/07468c09eca48cc8bfe532a83b3d394a</link>
      <guid>http://securityratty.com/article/07468c09eca48cc8bfe532a83b3d394a</guid>
      <description><![CDATA[My favorite book from last year was Charlie Munger's &quot;Poor Charlie's Almanack&quot; , there are so many fascinating parts in the book I can't go into them all here. Charlie Munger is Warren Buffett's...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.poorcharliesalmanack.com/index.html" style="float: left;"><img alt="Cover3rd" class="at-xid-6a00d83451c75869e2010535d3d4a3970c " src="http://1raindrop.typepad.com/.a/6a00d83451c75869e2010535d3d4a3970c-120wi" style="margin: 0px 5px 5px 0px;" /></a>
 My favorite book from last year was Charlie Munger&#39;s <a href="http://www.poorcharliesalmanack.com/index.html">&quot;Poor Charlie&#39;s Almanack&quot;</a>; there are so many fascinating parts in the book I can&#39;t go into them all here. Charlie Munger is Warren Buffett&#39;s partner at Berkshire Hathaway; the book is a collection of a number of his speeches, and serves as a great backdrop for today&#39;s events, an investing education, and a way to think through complex problems (&quot;invert! always invert!&quot;). It goes without saying that I think you should buy this book.</p><br /><div>Chapter Three is a collection of Munger&#39;s unscripted remarks at Berkshire Hathaway and Wesco annual meetings. The below sections were transcribed by <a href="http://www.tilsonfunds.com/">Whitney Tilson</a> from annual meetings around the 2003-4 time period, and are pretty interesting given our current financial predicament.</div><br /><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="font-weight: bold; ">Warnings About Financial Institutions and Derivatives</span></p><p><span style="font-weight: bold; ">Risks of Financial Institutions</span><br />The nature of a financial institution is that there are a lot of ways to go to hell in a bucket. You can push credit too far, do a dumb acquisition, leverage yourself excessively---it&#39;s not just derivatives [that can bring about your downfall].</p><p>Maybe it&#39;s unique to us, but we&#39;re quite sensitive to financial risks. Financial institutions make us nervous when they&#39;re trying to do well.</p><p>We&#39;re exceptionally goosey of leveraged financial institutions. If they start talking about how good their risk management is, it makes us nervous.</p><p>We fret way earlier than other people. We&#39;ve left a lot of money on the table through early fretting. 
It&#39;s the way we are -- you&#39;ll just have to live with it.</p><p><span style="font-weight: bold; ">Derivatives</span><br />The system is almost insanely irresponsible, and what people think are fixes aren&#39;t really fixes. It&#39;s so complicated I can&#39;t do it justice here - but you can&#39;t believe the trillions of dollars involved. You can&#39;t believe the complexity. You can&#39;t believe how difficult it is to do the accounting. You can&#39;t believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear.</p><p>People don&#39;t think about the consequences of the consequences. People start by trying to hedge against interest rate changes, which is very difficult and complicated. Then, the hedges make the [reported profits] lumpy. So they use the new derivatives to smooth this. Well, now you&#39;ve morphed into lying. This turns into a Mad Hatter&#39;s Tea Party. This happens to vast, sophisticated corporations.</p><p>Somebody has to step in and say, &quot;We&#39;re not going to do it - it&#39;s just too hard.&quot;</p><p>I think a good litmus test of the mental and moral quality at any large institutions [with significant derivative exposure] would be to ask them, &quot;Do you really understand your derivatives book?&quot; Anyone who says yes is either crazy or lying.</p><p>It&#39;s easy to see [the dangers] when you talk about [what happened with] the energy derivatives - they went kerflooey. When [the companies] reached for the assets that were on their books, the money wasn&#39;t there. When it comes to financial assets, we haven&#39;t had any such denouement and the accounting hasn&#39;t changed so the denouement is ahead of us.</p><p>Derivatives are full of clauses that say if one party&#39;s credit gets downgraded then it has to put up collateral. It&#39;s like margin - you can go broke [just putting up more margin]. In an attempt to protect themselves, they&#39;ve introduced instability. 
Nobody seems to recognize what a disaster of a system they&#39;ve created. It&#39;s a demented system.&#0160;</p><p>In engineering people have a big margin of safety. But in the financial world, people don&#39;t give a damn about safety. They let it balloon and balloon and balloon. It&#39;s aided by false accounting. I&#39;m more pessimistic about this than Warren is.</p><p><span style="font-weight: bold; ">Accounting for Derivatives</span><br />I hate with a passion GAAP [Generally Accepted Accounting Principles] as applied to derivatives and swaps. JP Morgan sold out to this type of accounting to front-end revenues. I think it&#39;s a disgrace.</p><p>It&#39;s bonkers, and the accountants sold out. Everyone caved, adopted loose [accounting] standards, and created exotic derivatives linked to theoretical models. As a result, all kinds of earnings, blessed by accountants, are not really being earned. When you reach for the money, it melts away. It was never there.</p><p>It [accounting for derivatives] is just disgusting. It is a sewer, and if I&#39;m right, there will be hell to pay in due course. All of you will have to prepare to deal with a blowup of derivative books.</p><p><span style="font-weight: bold; ">Likelihood of a Derivatives Blowup</span><br />We tried to sell Gen Re&#39;s derivatives operations and couldn&#39;t, so we started liquidating it. We had to take big markdowns. I would confidently predict that most of the derivatives books of [this country&#39;s] major banks cannot be liquidated for anything like what they&#39;re carried on the books at. When the denouement will happen and how severe it will be, I don&#39;t know. But I fear the consequences could be fearsome. 
I think there are major problems, worse than in the energy field, and look at the destruction there.</p><p>I&#39;ll be amazed if we don&#39;t have some kind of significant [derivatives-related] blowup in the next five to ten years.</p><p>I think we&#39;re the only big corporation in America to be running off its derivative book.</p><p>It&#39;s a crazy idea for people who are already rich - like Berkshire - to be in this business. It&#39;s a crazy business for big banks to be in.</p><p>You would be disgusted if you had a fair mind and spent a month really delving into a big derivative operation. You would think it was Lewis Carroll. You would think it was the Mad Hatter&#39;s Tea Party. And the false precision of these people is just unbelievable. They make the worst economics professors look like gods. Moreover, there is depravity augmenting the folly. Read the book F.I.A.S.C.O., by law professor and former derivative trader Frank Partnoy, an insider account of the depravity of derivative trading at one of the biggest and best-regarded Wall Street firms. This book will turn your stomach.</p></blockquote><br /><div>These are very blunt warnings from a legendary investor over many years, yet no one listened. It does explain why it is so hard for Infosec to make its case for building margins of safety into the system.</div>]]></content:encoded>
      <pubDate>Sun, 02 Nov 2008 19:30:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/derivatives book">derivatives book</category>
      <category domain="http://securityratty.com/tag/book">book</category>
      <category domain="http://securityratty.com/tag/derivatives">derivatives</category>
      <category domain="http://securityratty.com/tag/derivative books">derivative books</category>
      <category domain="http://securityratty.com/tag/books">books</category>
      <category domain="http://securityratty.com/tag/derivatives blowup">derivatives blowup</category>
      <category domain="http://securityratty.com/tag/derivatives operations">derivatives operations</category>
      <category domain="http://securityratty.com/tag/blowup">blowup</category>
      <category domain="http://securityratty.com/tag/favorite book">favorite book</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/11/stop-me-if-this-sounds-familiar.html">Stop Me if This Sounds Familiar</source>
    </item>
    <item>
      <title><![CDATA[Links for 2008-09-04 [del.icio.us]]]></title>
      <link>http://securityratty.com/article/9019871ff67c04e54d56a31faa30c5ca</link>
      <guid>http://securityratty.com/article/9019871ff67c04e54d56a31faa30c5ca</guid>
      <description><![CDATA[Tech Trader Daily - Barrons Online : Secure Computing Buys Securify; VCs Take A Hit Maybe the most interesting thing about this deal is that Securify is selling out for far less than the amount of...]]></description>
      <content:encoded><![CDATA[<ul>
<li><a href="http://blogs.barrons.com/techtraderdaily/2008/09/03/secure-computing-buys-securify-vcs-take-a-hit/">Tech Trader Daily - Barron&rsquo;s Online : Secure Computing Buys Securify; VCs Take A Hit</a><br/>
Maybe the most interesting thing about this deal is that Securify is selling out for far less than the amount of venture capital it raised.</li>
</ul>]]></content:encoded>
      <pubDate>Thu, 04 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tech trader daily">tech trader daily</category>
      <category domain="http://securityratty.com/tag/barrons online">barrons online</category>
      <category domain="http://securityratty.com/tag/venture capital">venture capital</category>
      <category domain="http://securityratty.com/tag/secure">secure</category>
      <category domain="http://securityratty.com/tag/hit">hit</category>
      <category domain="http://securityratty.com/tag/deal">deal</category>
      <category domain="http://securityratty.com/tag/amount">amount</category>
      <category domain="http://securityratty.com/tag/vcs">vcs</category>
      <category domain="http://securityratty.com/tag/buys">buys</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/383881115/anton18">Links for 2008-09-04 [del.icio.us]</source>
    </item>
    <item>
      <title><![CDATA[Are Stolen Credit Card Details Getting Cheaper?]]></title>
      <link>http://securityratty.com/article/a67e13e215d163e122340bffab059502</link>
      <guid>http://securityratty.com/article/a67e13e215d163e122340bffab059502</guid>
      <description><![CDATA[What is shaping the prices of stolen credit card details? The investments the cybercriminals or real life scammers ( through credit card cloning or ATM skimming ) put into the process of obtaining the...]]></description>
      <content:encoded><![CDATA[
<a href="http://bp3.blogger.com/_wICHhTiQmrA/SHzyYjwnXTI/AAAAAAAAB6c/9rHV8A0Ggz4/s1600-h/ccz.JPG" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp3.blogger.com/_wICHhTiQmrA/SHzyYjwnXTI/AAAAAAAAB6c/WQG5_Cal0xY/s200-R/ccz.JPG" style="border: 0pt none ;" /></a>What is shaping the prices of stolen credit card details? The investments the cybercriminals or real-life scammers (through <a href="http://ddanchev.blogspot.com/2007/02/credit-card-data-cloning-tactic.html">credit card cloning</a> or <a href="http://www.snopes.com/fraud/atm/atmcamera.asp">ATM skimming</a>) put into the process of obtaining the details, or can we even talk about investments being made where an experienced scammer has just purchased 1GB of raw credit card data from a novice botnet master who isn't really aware of the actual value of his "botnet output"?<br />
<br />
It depends on which economic theory you believe in, or whether you take the "bottom-up" approach or the "top-down" one. I'm not aware of the existence of "the invisible hand of the underground market", nor of any centralized power that increases or decreases the supply to boost prices for stolen credit card details, which would indicate the existence of underground cartels putting everyone in a "price taker" position.<br />
<br />
The basics of demand and supply for anything underground will always apply unless of course, the more they want, the cheaper it gets; the less they want, the higher the price per credit card gets, since the investment on behalf of the malicious party that originally stole them is virtually the same, and he can theoretically break even in every single case since the credit card details were obtained efficiently. It's up to the seller to follow or entirely ignore economic behavior, and do what they feel like doing with this good, which must on the other hand reach market liquidity as soon as possible, else it becomes obsolete. The current market model can be further explained as a good example of competitive equilibrium:<br />
<br />
"<i>Competitive market equilibrium is the traditional concept of economic equilibrium, appropriate for the analysis of commodity markets with flexible prices and many traders, and serving as the benchmark of efficiency in economic analysis. <b>It relies crucially on the assumption of a competitive environment where each trader decides upon a quantity that is so small compared to the total quantity traded in the market that their individual transactions have no influence on the prices.</b></i>"<br />
<br />
This can be easily explained in a single sentence - it's a mess and every participant is doing whatever they want to, so generalizing on the prices charged for stolen credit card numbers would be unrealistic, since it's the price set by a single seller with no real impact on the "average" market price for the same good. As for the average market price itself, it would be hard to measure depending on the quality of the sample you want to rely on, since this is a type of market where sellers don't have to report price changes in their goods for the purpose of statistical research.<br />
<br />
<a href="http://www.finjan.com/Content.aspx?id=827#SecurityTrendsReport">A recently released report by Finjan</a>, with whom I've been on the same page on several high-profile incidents so far, <a href="http://news.yahoo.com/s/nm/20080715/wr_nm/cybercrime_finjan_dc">touches this very same topic</a>:<br />
<br />
"<i>Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says. Researchers for Finjan, a Web security firm, said the high volumes traded had led to bank and credit card information becoming "commoditized" - account details with PIN codes that once fetched $100 or more each might now go for $10 or $20. In its latest quarterly survey of Web trends, the California-based company said cybercrime had evolved into "a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world."</i>"<br />
<br />
Excluding the presence of <a href="http://ddanchev.blogspot.com/2008/06/price-discrimination-in-market-for.html">price discrimination</a> for a while, as well as open-topic offers along the lines of "how much for X amount of Y?" answered with "how much are you willing to pay?", it's all a matter of the seller in a particular situation.<br />
<br />
Furthermore, in a real-life market there's always the scarcity problem; however, in the underground market there's no shortage of resources despite the ever-growing wants of the buyers. Generalizing even more, take for instance the butterfly effect of a price change in petrol, the result of which is an inevitable increase of prices in every single aspect of your life; but in the underground market, mostly due to the malicious economies of scale achieved, a price increase in renting a botnet would have no effect on the prices charged for the stolen credit card details obtained through the infected hosts. How come? Basically, the price and resources for malware infection are prone to decrease, if we take a malware-infected host as a static foundation for the basis of any upcoming cybercrime activities using it.<br />
<br />
Perhaps the most disturbing part is that the market for stolen credit card details is so mature, and its entry barriers so low these days, that the confidential data that cannot be efficiently obtained through real-life means like credit card cloning or ATM skimming on a large scale is now purchased online for the purpose of abusing it in real life by <a href="http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html">embedding the valid information into plastic cards</a>.]]></content:encoded>
      <pubDate>Tue, 15 Jul 2008 11:36:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/price">price</category>
      <category domain="http://securityratty.com/tag/average market price">average market price</category>
      <category domain="http://securityratty.com/tag/market price">market price</category>
      <category domain="http://securityratty.com/tag/credit card">credit card</category>
      <category domain="http://securityratty.com/tag/credit card details">credit card details</category>
      <category domain="http://securityratty.com/tag/details">details</category>
      <category domain="http://securityratty.com/tag/market">market</category>
      <category domain="http://securityratty.com/tag/competitive market equilibrium">competitive market equilibrium</category>
      <category domain="http://securityratty.com/tag/credit card basis">credit card basis</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/336435935/are-stolen-credit-card-details-getting.html">Are Stolen Credit Card Details Getting Cheaper?</source>
    </item>
    <item>
      <title><![CDATA[Links for 2008-05-30 [del.icio.us]]]></title>
      <link>http://securityratty.com/article/b8e94cf5fae99224def8e54359479886</link>
      <guid>http://securityratty.com/article/b8e94cf5fae99224def8e54359479886</guid>
      <description><![CDATA[Tech Trader Daily - Barrons Online : Sourcefire Rejects $7.50/Shr Bid From...]]></description>
      <content:encoded><![CDATA[<ul>
<li><a href="http://blogs.barrons.com/techtraderdaily/2008/05/30/sourcefire-rejects-750shr-bid-from-barracuda/">Tech Trader Daily - Barron&rsquo;s Online : Sourcefire Rejects $7.50/Shr Bid From Barracuda</a></li>
</ul>]]></content:encoded>
      <pubDate>Fri, 30 May 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tech trader daily">tech trader daily</category>
      <category domain="http://securityratty.com/tag/50shr bid">50shr bid</category>
      <category domain="http://securityratty.com/tag/barrons online">barrons online</category>
      <category domain="http://securityratty.com/tag/sourcefire rejects">sourcefire rejects</category>
      <category domain="http://securityratty.com/tag/barracuda">barracuda</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/301669194/anton18">Links for 2008-05-30 [del.icio.us]</source>
    </item>
    <item>
      <title><![CDATA[Société Générale plans to close loopholes by year end]]></title>
      <link>http://securityratty.com/article/1f90762af72ccd7d2255d947cefc217f</link>
      <guid>http://securityratty.com/article/1f90762af72ccd7d2255d947cefc217f</guid>
      <description><![CDATA[French bank Société Générale expects to have remedies in place by year end for the technical and procedural flaws that allowed rogue trader Jérôme Kerviel to build a fraudulent trading position...]]></description>
      <content:encoded><![CDATA[French bank Société Générale expects to have remedies in place by year end for the technical and procedural flaws that allowed rogue trader Jérôme Kerviel to build a fraudulent trading position that cost the bank €4.9 billion (US$7.25 billion).]]></content:encoded>
      <pubDate>Thu, 22 May 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/procedural flaws">procedural flaws</category>
      <category domain="http://securityratty.com/tag/billion">billion</category>
      <category domain="http://securityratty.com/tag/cost">cost</category>
      <category domain="http://securityratty.com/tag/fraudulent">fraudulent</category>
      <category domain="http://securityratty.com/tag/position">position</category>
      <category domain="http://securityratty.com/tag/technical">technical</category>
      <category domain="http://securityratty.com/tag/us7">us7</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/remedies">remedies</category>
      <source url="http://www.networkworld.com/news/2008/052308-société-générale-plans-to-close.html?fsrc=rss-security">Société Générale plans to close loopholes by year end</source>
    </item>
    <item>
      <title><![CDATA[Genius Hacker Released from Prison; Lands Job with IT Firm]]></title>
      <link>http://securityratty.com/article/2b0d3dcff6f8335297448ec57a642b7c</link>
      <guid>http://securityratty.com/article/2b0d3dcff6f8335297448ec57a642b7c</guid>
      <description><![CDATA[When Société Générale announced Jan. 24 that it had lost €4.9 billion (now valued at $7.68 billion) due to risky and unauthorized trading by Mr. Kerviel, the bank depicted the former trader as a...]]></description>
      <content:encoded><![CDATA[When Société Générale announced Jan. 24 that it had lost €4.9 billion (now valued at $7.68 billion) due to risky and unauthorized trading by Mr. Kerviel, the bank depicted the former trader as a devious information-technology whiz.]]></content:encoded>
      <pubDate>Sat, 26 Apr 2008 20:40:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/billion">billion</category>
      <category domain="http://securityratty.com/tag/socit gnrale">socit gnrale</category>
      <category domain="http://securityratty.com/tag/devious">devious</category>
      <category domain="http://securityratty.com/tag/due">due</category>
      <category domain="http://securityratty.com/tag/whiz">whiz</category>
      <category domain="http://securityratty.com/tag/kerviel">kerviel</category>
      <category domain="http://securityratty.com/tag/trader">trader</category>
      <category domain="http://securityratty.com/tag/jan">jan</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <source url="http://digg.com/security/Genius_Hacker_Released_from_Prison_Lands_Job_with_IT_Firm">Genius Hacker Released from Prison; Lands Job with IT Firm</source>
    </item>
    <item>
      <title><![CDATA[Biometrics would not have prevented SocGen incident]]></title>
      <link>http://securityratty.com/article/742082755108b01479e6ffd9bef66811</link>
      <guid>http://securityratty.com/article/742082755108b01479e6ffd9bef66811</guid>
      <description><![CDATA[An early contender for the biggest load of security tosh of the year comes within the report produced by Société Générale in response to the recent trading fraud scandal. The report identifies a...]]></description>
      <content:encoded><![CDATA[
      An early contender for the biggest load of security tosh of the year comes within the report produced by Société Générale in response to the recent trading fraud scandal. The report identifies a number of actions "as part of a structured plan", and the very first one of those is described as follows:

- <strong>Strengthening IT security through the development of strong identification solutions (biometry).</strong>

I cannot see anything to suggest that insufficient authentication and access controls were to blame for the incident. What we had was a breakdown in process, supervision, management and audit controls that should have worked together and flagged an issue long before it became newsworthy. Call me what you like but I just don't see that biometrics would have mitigated any of the risk. Am I missing something?

For example, page 8 of the report (and here I will admit that I haven't read it all, just the bits I can pick out in five quick minutes) lists a number of controls that were bypassed in order to "hide the fictitious nature" of the trading. Given that the purpose of biometrics is to determine identity, I do not see how using a fingerprint, blood sample or iris scan would have prevented the trader from ignoring procedural controls such as "no confirmation for internal transactions."

This is also a view shared by Kenneth Paterson of Royal Holloway in this very insightful <a href="http://www.computerweekly.com/Articles/2008/03/05/229714/royal-holloway-control-the-controllers.htm">article</a> published as part of the latest Computer Weekly Think-Tank on insider threats.

Read the full report <a href="http://www.sp.socgen.com/sdp/sdp.nsf/V3ID/6D44E7AEF3D68993C12573F700567904/$file/comiteSpecialFevrier08gb.pdf">here</a>.
]]></content:encoded>
      <pubDate>Fri, 07 Mar 2008 16:25:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/controls">controls</category>
      <category domain="http://securityratty.com/tag/procedural controls">procedural controls</category>
      <category domain="http://securityratty.com/tag/report">report</category>
      <category domain="http://securityratty.com/tag/report identifies">report identifies</category>
      <category domain="http://securityratty.com/tag/audit controls">audit controls</category>
      <category domain="http://securityratty.com/tag/biometrics">biometrics</category>
      <category domain="http://securityratty.com/tag/security tosh">security tosh</category>
      <category domain="http://securityratty.com/tag/strong identification solutions">strong identification solutions</category>
      <category domain="http://securityratty.com/tag/computer weekly think-tank">computer weekly think-tank</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/03/an-early-contender-for-the.html">Biometrics would not have prevented SocGen incident</source>
    </item>
    <item>
      <title><![CDATA[Let's Not Let the Security Staff Become the SocGen Scapegoat]]></title>
      <link>http://securityratty.com/article/dbf23bccab7fc9e4c83b27ecae6cdaed</link>
      <guid>http://securityratty.com/article/dbf23bccab7fc9e4c83b27ecae6cdaed</guid>
      <description><![CDATA[A growing number of commentators are pointing the finger at the Societe Generale security function as being at fault in allowing &quot;rogue&quot; trader Jerome Kerviel to eventually bring the bank to its...]]></description>
      <content:encoded><![CDATA[A growing number of commentators are pointing the finger at the Societe Generale security function as being at fault in allowing "rogue" trader Jerome Kerviel to eventually bring the bank to its knees. Security product vendors are taking the opportunity to position their technology as solutions that could have prevented this failure.<br />
<br />
It is certainly the case that many forms of control technology can overcome human weakness. But at best, it is misguided to believe that technology failure is the root vulnerability, and at worst, this is an attempt to turn the security staff into the scapegoat. Believe me, the security managers were fully aware of the problem and had warned about it many times.<br />
<br />
It has always been well-recognized in the financial services arena that trading staff do not follow even the simplest security procedures. Sharing of logins on the trading floor is the normal way that they do business. These are people who do not follow the rules. Not only do they not follow the rules, but their management and the bank management also feel that rules should not apply to these people. <br />
<br />
The crux of that problem is that they are treated as golden geese, and any attempt to inhibit their flexibility is avoided, because the result might be fewer golden eggs. It isn't a security failure; it is a governance failure. And it is not a problem unique to SocGen. This is the way financial services firms run their trading floors, and there should be no reason to feel that other banks aren't equally or even more vulnerable to such an incident. <br />
<br />
If you want to douse the flames of the bonfire of the vanities, you have to start at the top, not the bottom. Real improvements in risk management can come about only if top management is sincere in setting an agenda that balances short-term profits with long-term corporate viability and social responsibility.]]></content:encoded>
      <pubDate>Mon, 25 Feb 2008 14:47:53 +0000</pubDate>
      <category domain="http://securityratty.com/tag/failure">failure</category>
      <category domain="http://securityratty.com/tag/governance failure">governance failure</category>
      <category domain="http://securityratty.com/tag/management">management</category>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/technology failure">technology failure</category>
      <category domain="http://securityratty.com/tag/bank management">bank management</category>
      <category domain="http://securityratty.com/tag/staff">staff</category>
      <category domain="http://securityratty.com/tag/security staff">security staff</category>
      <category domain="http://securityratty.com/tag/technology">technology</category>
      <source url="http://blog.gartner.com/blog/security.php?x=0&amp;itemid=3145">Let's Not Let the Security Staff Become the SocGen Scapegoat</source>
    </item>
    <item>
      <title><![CDATA[See, they ain't that scientific either]]></title>
      <link>http://securityratty.com/article/7651cdc5b66359c9e168f6101f590181</link>
      <guid>http://securityratty.com/article/7651cdc5b66359c9e168f6101f590181</guid>
      <description><![CDATA[I'm no big fan of overly complex approaches to risk management, and recent economic events have made me even less so
There was a great article in the Economist about a conference for the American...]]></description>
      <content:encoded><![CDATA[<p>I'm no big fan of overly complex approaches to risk management, and recent economic events have made me even less so.</p>

<p>There was a great article in the <a href="http://www.economist.com/finance/displaystory.cfm?story_id=10689043">Economist</a> about a conference for the American Securitization Forum - the wonderful people that brought us all these complex debt products that are giving banks no end of bellyache. Ironically the conference was held in Las Vegas, and a wonderful quote came from hedge fund manager John Devaney, who said &quot;I'd like to thank the market for dealing me a direct hit. As a trader if you don't get sucker-punched every once in a while, you don't understand what risk is.&quot;</p>

<p>Also, there were a few good <a href="http://www.portfolio.com/news-markets/national-news/portfolio/2008/02/19/Black-Scholes-Pricing-Model">articles</a> last week about how money managers had retreated from the market because they'd lost faith in the ability to model risk effectively.</p>

<p>If only it were so easy for information risk professionals, who often protect far more than just money - we protect innovation, national security, and even human life in some cases. It's not quite so easy for us to take a direct hit.</p>

<p>Financial markets have taken centuries to evolve, yet look at what can happen with their well established risk models. Information risk modeling is still only nascent, and changing at blistering pace. Yes, we need a more structured approach to information risk management - defining and comparing the different risks we face - but technology and business are evolving so fast that we need to temper our expectations about how scientific this can ever become.</p>

<p>The best quote I heard on this topic was from Hugh Voight of Solutionary, who says that &quot;To get from New York to San Francisco, you don't need Google Maps until you get close to the Bay Area. At first, you just need to go West.&quot;</p>

<p>We still just need to &quot;Go West&quot; when it comes to modeling information risk. Bring on the Village People!</p>]]></content:encoded>
      <pubDate>Mon, 25 Feb 2008 10:42:29 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/information risk management">information risk management</category>
      <category domain="http://securityratty.com/tag/information risk">information risk</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/information risk professionals">information risk professionals</category>
      <category domain="http://securityratty.com/tag/risk models">risk models</category>
      <category domain="http://securityratty.com/tag/model risk effectively">model risk effectively</category>
      <category domain="http://securityratty.com/tag/direct hit">direct hit</category>
      <category domain="http://securityratty.com/tag/quote">quote</category>
      <source url="http://blogs.forrester.com/srm/2008/02/see-they-aint-t.html">See, they ain't that scientific either</source>
    </item>
    <item>
      <title><![CDATA[Poor IT security to blame in Société Générale fraud]]></title>
      <link>http://securityratty.com/article/8ff54912a56818ded47bd4bb3fefd556</link>
      <guid>http://securityratty.com/article/8ff54912a56818ded47bd4bb3fefd556</guid>
      <description><![CDATA[Inadequate IT security allowed a trader at French bank Société Générale to make a series of unauthorized transactions that ultimately cost the bank €4.9 billion ($7.2 billion), an internal...]]></description>
      <content:encoded><![CDATA[Inadequate IT security allowed a trader at French bank Société Générale to make a series of unauthorized transactions that ultimately cost the bank €4.9 billion ($7.2 billion), an internal investigation has found.]]></content:encoded>
      <pubDate>Tue, 19 Feb 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/billion">billion</category>
      <category domain="http://securityratty.com/tag/ultimately cost">ultimately cost</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/internal investigation">internal investigation</category>
      <category domain="http://securityratty.com/tag/trader">trader</category>
      <category domain="http://securityratty.com/tag/series">series</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/transactions">transactions</category>
      <source url="http://www.networkworld.com/news/2008/022008-poor-it-security-to-blame.html?fsrc=rss-security">Poor IT security to blame in Société Générale fraud</source>
    </item>
  </channel>
</rss>
