Swiss banking giant UBS said on Thursday that it was anticipating a loss of $2 billion in the third quarter because of losses run up by a rogue trader.  From the Associated Press:

LONDON (AP) -- One man armed with only a computer terminal humbled a venerable banking institution yet again. This time it was Swiss powerhouse UBS, which said Thursday that it had lost roughly $2 billion because of a renegade trader.

The arrest of 31-year-old equities trader Kweku Adoboli in London is one more headache for troubled international banks, and fresh proof that they remain vulnerable to untracked trading that can produce mind-boggling losses.

Adoboli would join a rogue's gallery that includes Jerome Kerviel, who gambled away $6.7 billion at a French bank until he was caught three years ago, and Nick Leeson, who made so many unauthorized trades that it caused the collapse of a British bank in 1995.

The scale of those frauds rocked world finance. Banks tightened oversight rules to make sure such large sums could not be traded under the radar. But the safeguards, designed to protect the public and shareholders alike, seem to have failed.

UBS discovered irregularities in its trading records Wednesday night, and Adoboli was arrested early Thursday. Swiss banking regulators began looking into the scandal, which sent the bank's stock sharply lower.

"From the scale of this case, you can be sure that it's the biggest we've ever seen for a Swiss bank," Tobias Lux, a spokesman for Swiss regulators, told The Associated Press.

Details about the alleged fraud were scarce. In a terse statement shortly before markets opened, UBS informed investors that a large loss due to "unauthorized trading" had been discovered.

The bank estimated the loss at $2 billion, big enough that the bank said it might have to report a quarterly loss.

This is a huge loss, and as the article says, it recalls the case from a few years back in which a French bank suffered similarly huge losses at the hands of a single trader.

I bring this up because we in the security industry (myself included) are forever harping on the lack of law enforcement action against phishing.  We claim that phishers and scammers get away with it because they can: nobody goes after them, and the cases that are pursued are extremely rare.  We then argue that someone should go after them because the sum of all losses due to phishing is large.  But look at the estimates:

  • $3.2 billion in 2007 according to Gartner
  • $137 million in 2004 according to TRUSTean
  • $60 million in 2008 according to Microsoft
  • $500 million in 2004 according to the Ponemon Institute
  • Not even in the top 5 threats according to Paypal
  • $100 million in losses according to the FBI
  • $250 million per year over the past couple of years according to Consumer Reports
  • $2.3 million per one million customers of banks according to Trusteer

Some of these estimates differ from one another by an order of magnitude or more!  It doesn’t look like anyone really knows how big a problem phishing is.  What it does look like is that (a) the annual loss is somewhere in the low-to-mid hundreds of millions of dollars, and (b) a really good study of phishing losses doesn’t exist.

Law enforcement has only so many resources, just like every other part of government.  It has to decide where it gets the most bang for the buck and what to prioritize.

One way to decide is by financial loss.  One trader caused $2 billion in damage in less than a year.  Contrast that with hundreds of millions in losses spread over thousands (or tens of thousands) of transactions.  Which is more likely to get investigative priority?  Which is easier to stop?  Which is easier to investigate, and which, once mitigated, prevents more damage to the economy the next time around?  Obviously, the bigger case is going to draw more resources.

Investigating financial (trading) fraud and investigating cyber crime each require a unique skill set.  The average law enforcement officer doesn’t have the skills to do either investigation, so each requires very specific training for a small number of personnel.  If the same number of (different) personnel are assigned to financial fraud and to online fraud, then by sheer numbers online fraud is fighting a losing battle.  It takes far more people to investigate online fraud because each loss is small and the cases are many: one huge rogue-trader case versus thousands of small phishing investigations.  How long does it take to investigate one online fraud case?  How long would it take to get through 1,000 of them?  Getting through them all requires more people, and more people just aren’t available.

Online fraud is but one fish in a large pond.