As we all know by now, MF Global crashed with many billions of losses, filing for bankruptcy on 31st October. James Turk wonders aloud:
First of all investors should be concerned because everything is so inter-connected today. People call it contagion and this contagion is real because the MF Global bankruptcy is going to have a knock on effect, just like Lehman Brothers had a knock on effect.
The point being that we know there is a big collapse coming, but we don't know what it will be that triggers it. James is making the broad point that a firm collapsing on the west side of the Atlantic could cause collapse in Europe. But wait, there's more:
So the contagion is the first reason for concern. The second reason for concern is it’s taking so long for them to find this so called missing money, which I find shocking. It’s been three weeks now since the MF Global bankruptcy was declared and they started talking about $600 million of missing funds. So I’m not too surprised that now they are talking about $1.2 billion of missing customer funds. I think they are just trying to delay the inevitable as to how bad the situation at MF Global really is.
And more! Chris points to an article by Bloomberg / Jonathan Weil:
This week the trustee for the liquidation of its U.S. brokerage unit said as much as $1.2 billion of customer money is missing, maybe more. Those deposits should have been kept segregated from the company’s funds. By all indications, they weren’t.
Jonathan zeroes in on the heart of the matter:
Six months ago the accounting firm PricewaterhouseCoopers LLP said MF Global Holdings Ltd. and its units “maintained, in all material respects, effective internal control over financial reporting as of March 31, 2011.” A lot of people who relied on that opinion lost a ton of money.
So when I asked:
Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
we now know that PricewaterhouseCoopers LLP will not be stepping up to the podium with MF Global! Jonathan echoes some of the questions I asked:
What’s the point of having auditors do reports like this? And are they worth the cost? It’s getting harder to answer those questions in a way the accounting profession would favor.
But now that we have a more cohesive case study to pick through, some clues are emerging:
“Their books are a disaster,” Scott O’Malia, a commissioner at the Commodity Futures Trading Commission, told the Wall Street Journal in an interview two weeks ago. The newspaper also quoted Thomas Peterffy, CEO of Interactive Brokers Group Inc., saying: “I always knew the records were in shambles, but I didn’t know to what extent.” Interactive Brokers backed out of a potential deal to buy MF last month after finding discrepancies in its financial reports.
That's a tough start for PricewaterhouseCoopers LLP. Then:
For fiscal 2007, MF Global paid Pricewaterhouse $17.1 million in audit fees. By fiscal 2011, that had fallen to $10.9 million, even as warning signs about MF’s internal controls were surfacing publicly. In 2007, MF and one of its executives paid a combined $77 million to settle CFTC allegations of mishandling hedge-fund clients’ accounts, as well as supervisory and record-keeping violations. In 2009, the commission fined MF $10 million for four instances of risk-supervision failures, including one that resulted in $141 million of trading losses on wheat futures. Suffice it to say, Pricewaterhouse should have been on high alert.
On top of that, Pricewaterhouse’s main regulator, the Public Company Accounting Oversight Board, released a nasty report this week on the firm’s audit performance. The agency cited deficiencies in 28 audits, out of 75 that it inspected last year. The tally included 13 clients where the board said the firm had botched its internal-control audits. The report didn’t name the companies. One of them could have been MF, for all we know.
In a response letter to the board, Pricewaterhouse’s U.S. chairman, Bob Moritz, and the head of its U.S. audit practice, Tim Ryan, said the firm is taking steps to improve its audit quality.
Ha! Jonathan asks the pointed question:
The point of having a report by an independent auditor is to assure the public that what a company says is true. Yet if the reports aren’t reliable, they’re worse than worthless, because they sucker the public with false promises. Maybe, just maybe, we should stop requiring them altogether.
Exactly. This was what I was laying out for the reader in my Audit cycle. But I was doing it from observation and logic, not from knowing about any particular episode. One however was expected to follow from the other...
The Audit brand depletes. Certainly time to start asking hard questions. Is there value in using a big 4 auditor? Could a firm get by on a more local operation? Are there better ways?
And, what does a big N auditor do in the new world? Well, here's one suggestion: take the bull by the horns and start laying out the truth! KPMG's new Chairman seems to be keen to add on to last week's revelation with some more:
KPMG International LLP’s global chairman, Michael Andrew, said fraud was evident at Olympus Corp. (7733) and his firm met all legal obligations to pass on information related to Olympus’s 2008 acquisition of Gyrus Group Ltd. before it was replaced as the camera maker’s auditor. “We were displaced as a result of doing our job,” Andrew told reporters at the Foreign Correspondents’ Club in Hong Kong today. “It’s pretty evident to me there was very, very significant fraud and that a number of parties had been complicit.”
Now, if I was a big N auditor, that's exactly what I'd do. Break the cone of silence and start revealing the dirt. We can't possibly make things any worse for audit, so let's shake things up. Go, Andrew.
Bruce Schneier posts on something I've felt as well:
Advanced Persistent Threat (APT)
It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker.
A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security against this sort of attacker is relative; as long as you're more secure than almost everyone else, the attackers will go after other people, not you. An APT is different; it's an attacker who -- for whatever reason -- wants to attack you. Against this sort of attacker, the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.
APT attackers are more highly motivated. They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed.
So, this becomes a really classic case of that old saw: "What's your threat model?"
There are apparently two stereotypical attackers out there (at least in this dichotomy):
Very different agents, leading to very different models of security, and of all other things, such as how we as a society deal with these issues.
Schneier finishes on this:
This is why APT is a useful buzzword.
Sure, no matter how uncomfortable we are with the background, it's the buzzword we've got.
Why then did we disbelieve the APT for so long? I think there are three factors.
We still aren't so totally accepting. We still have the problem that our attacker is the random agnostic thief.
Why still resist? My feeling is this: I'm annoyed that the state has managed more success in swinging the major Internet vendors around to dealing with selling to the state's APT -- NIST's pogrom on small numbers, ESG’s U.S. Advanced Persistent Threat Analysis, etc -- than we ever had as an open community in dealing with our random agnostic thieves.
We're still following the NSA's drumbeat.
The Economist also picks up on the "bursting the bubble" paper from Florencio & Herley:
BIG numbers and online crime go together. One well-worn assertion is that cybercrime revenues exceed those from the global trade in illegal drugs. Another nice round number is the $1 trillion-worth of intellectual property that, one senator claimed earlier this year, cybercriminals snaffle annually. It is hard to know what to make of these numbers. Online crooks, like their real-world brethren, do not file quarterly reports. In the absence of figures from the practitioners, experts tend to fall back on surveys of victims, often compiled by firms that sell security software. These have a whiff of self interest about them: they are the kind of studies that get press released but not peer reviewed.
A paper by two researchers at Microsoft, Dinei Florencio and Cormac Herley, shows why: because losses are unevenly distributed. ....
So, if the existing numbers are bad (as I posted), where are the good cybercrime numbers? And, of course, how to better measure the real cost of cybercrime?
Well, one way to find better numbers is to ask the criminals. But, this is also flawed. For a start, this only measures their take, not the cost to the victim, which can often be out by a factor of 10:1. Also, "Online crooks, like their real-world brethren, do not file quarterly reports."
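To make the "losses are unevenly distributed" point concrete, here is an added toy simulation, not code from the original post nor from the Florencio & Herley paper. It assumes a constructed population of 200 million people represented by a 1,000-respondent survey, models victim losses as a Pareto-distributed tail (alpha = 1, so a handful of claims dominate), and shows two things: how a single large claim, whether honest or a typo, sets the headline number once it is multiplied up by the population, and how far the same survey design swings from one run to the next. The function names and all figures are constructed for illustration.

```python
# Added example (not from the original post or the cited paper): why a victim
# survey scaled up to the whole population is fragile when online-crime losses
# are heavy-tailed. Every number below is constructed for illustration.
import random
from statistics import mean, median

POPULATION = 200_000_000   # assumed number of people the survey represents (constructed)
SAMPLE_SIZE = 1_000        # assumed survey size (constructed)


def survey_estimate(sample_losses, population=POPULATION):
    """Naive extrapolation used by many victim surveys: population total =
    population size * mean loss per respondent."""
    return population * mean(sample_losses)


def top_respondent_share(sample_losses):
    """Fraction of the sampled total that comes from the single largest claim.
    Close to 1 means one respondent (honest or mistaken) sets the headline."""
    total = sum(sample_losses)
    return max(sample_losses) / total if total else 0.0


def draw_sample(rng, size=SAMPLE_SIZE, victim_rate=0.02, min_loss=100.0):
    """Constructed heavy-tailed population: most respondents lost nothing; a
    victim's loss is min_loss times a Pareto(alpha=1) variate, so a few very
    large losses dominate any total."""
    return [min_loss * rng.paretovariate(1.0) if rng.random() < victim_rate else 0.0
            for _ in range(size)]


def simulate_surveys(n_surveys=500, seed=1):
    """Run the same survey design many times against the same population and
    report how much the headline estimate moves between surveys."""
    rng = random.Random(seed)
    estimates, top_shares = [], []
    for _ in range(n_surveys):
        sample = draw_sample(rng)
        estimates.append(survey_estimate(sample))
        top_shares.append(top_respondent_share(sample))
    return {
        "min": min(estimates),
        "median": median(estimates),
        "mean": mean(estimates),
        "max": max(estimates),
        "median_top_share": median(top_shares),
    }


if __name__ == "__main__":
    # Two constructed surveys that differ in exactly one respondent's answer.
    ordinary = [0.0] * 990 + [200.0] * 10
    with_outlier = [0.0] * 990 + [200.0] * 9 + [50_000.0]
    print(f"ordinary survey: ${survey_estimate(ordinary):,.0f}")
    print(f"one large claim: ${survey_estimate(with_outlier):,.0f} "
          f"({top_respondent_share(with_outlier):.0%} from a single respondent)")
    for key, value in simulate_surveys().items():
        print(f"{key:>17}: {value:,.2f}")
```

Changing one answer out of a thousand moves the headline from $400 million to over $10 billion, and in the repeated simulation the mean estimate sits well above the median, which is exactly the shape of distribution in which a survey "average" says little about the typical case.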
Notwithstanding these flaws, it may be better than surveys. And some results are in:
In the latest instalment of a mammoth four-year exercise Chris Kanich of the University of California, San Diego, and colleagues tracked around 20 outfits that use spam to advertise illegal online pharmacies. First they secretly monitored the spammers’ payment systems. Then they obtained logs from one of the servers that power the illegal pharmaceutical sites. They even ordered (and—perhaps surprisingly—received) some of the non-prescription drugs on sale. Their findings suggest that only two of the 20 or so operators bring in $1m or more per month. The criminals behind fake security software appear to reap similar rewards, say Brett Stone-Gross and colleagues at the University of California, Santa Barbara. Their study, due to be presented at next month’s eCrime 2011 conference in San Diego, puts the annual revenue of each criminal group at a few tens of millions of dollars. As with Mr Kanich’s study, it is not clear how much of this is profit.
OK, so we can guesstimate that each sector - grey market pharma, and grey market anti-virus, or whatever we call the vendors of fake security software to differentiate them from the vendors of exaggerated security software - can do maybe 100m per annum over the lot, assuming a normal industry distribution in a market with free entry.
Which might suggest that phishing is also capped at around that number: 100m per annum across all players. Or might not... Have we got a better number?
Such hauls fall well short of extravagant claims from the security industry that some spammers make millions every day. Stefan Savage, Mr Kanich’s PhD supervisor, says that the security industry sometimes plays “fast and loose” with the numbers, because it has an interest in “telling people that the sky is falling”.
Say hallelujah to that! I'd say the jury is still out, one paper is not enough, and their conclusions aren't easy to extrapolate from. But $100m might be a closer number than a billion.