By now, French bank Société Générale's huge loss is well known. And while the intricacies that led to such a loss remain unclear, Jérôme Kerviel, the man presently at the center of the storm, has apparently revealed to authorities that he was able to pull off some of his stunts by using forged emails. That is, at least, what can be found in the Le Monde newspaper's article covering transcripts of Kerviel's interrogation. Here is the relevant portion, roughly translated:
I provided false evidence of these transactions, basically forged emails. I created a forged email using a capability available to me in our internal messaging system, basically a function that enables me to reuse the header of an email that was sent to me while replacing the email's content. I was then able to type the text I wanted and the email appeared as being genuine.
That is an extraordinary statement in and of itself and should sound the alarm for any organization that depends on emails' contents for executing critical decisions. Basically, casual conversations aside, if you cannot tie an email's content to a verifiable origin, you should not act on that content.
And while there are a few email authentication schemes around, it's important to note that few enable recipients to reliably tie a body to its real-world origin (i.e. a legally-formed company or actual individual) and much less tie headers' contents to a body, especially as header content changes greatly in transit. A decent email authentication mechanism should be robust enough to continue providing recipients with verifiable information even when some email parts might have changed. For example, it should allow the recipient to check the validity of the body's content even if the "to" or "from" or even "subject" fields may have changed in transit.
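As an added illustration, not code from the original post, here is a minimal "detached body signature" in Python: the sender signs a hash of the canonicalized body only, so a recipient can still verify the body after the To or Subject headers were rewritten in transit, while a genuine header reused over a replaced body, the kind of forgery described above, fails the check. The key, addresses and message text are constructed for the example, and the HMAC is a stand-in: a real deployment would use a public-key signature so the origin is verifiable without sharing a secret.

```python
import hashlib
import hmac
from email import message_from_string

# Constructed key and sample message; the addresses and text are invented.
# An HMAC only shows the body came from a key holder; a real deployment would
# use a public-key signature so recipients can verify origin without a shared secret.
SIGNING_KEY = b"constructed-example-key"
SAMPLE = ("From: desk@example.invalid\nTo: trader@example.invalid\n"
          "Subject: Hedge confirmation\n\nConfirm hedge of 1 million EUR on position 17.\n")

def body_hash(msg) -> str:
    # Canonicalise line endings/trailing whitespace so benign transit changes still verify.
    lines = [ln.rstrip() for ln in msg.get_payload().replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return hashlib.sha256(("\n".join(lines) + "\n").encode()).hexdigest()

def sign_message(raw: str, key: bytes = SIGNING_KEY) -> str:
    """Attach a signature covering only the body hash, not To/From/Subject."""
    msg = message_from_string(raw)
    bh = body_hash(msg)
    tag = hmac.new(key, bh.encode(), hashlib.sha256).hexdigest()
    msg["X-Body-Signature"] = f"bh={bh}; sig={tag}"
    return msg.as_string()

def verify_body(raw: str, key: bytes = SIGNING_KEY) -> bool:
    # True only if the body still matches the signed hash and the tag is authentic.
    msg = message_from_string(raw)
    header = msg.get("X-Body-Signature")
    if header is None:
        return False
    fields = dict(part.strip().split("=", 1) for part in header.split(";"))
    tag = hmac.new(key, fields["bh"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(fields["bh"], body_hash(msg))
            and hmac.compare_digest(fields["sig"], tag))

def alter(raw, headers=None, body=None) -> str:
    # Simulate header rewriting in transit, or a genuine header reused over a new body.
    msg = message_from_string(raw)
    for name, value in (headers or {}).items():
        msg.replace_header(name, value)
    if body is not None:
        msg.set_payload(body)
    return msg.as_string()

def demo() -> tuple:
    signed = sign_message(SAMPLE)
    forwarded = alter(signed, headers={"To": "auditor@example.invalid", "Subject": "FW: Hedge"})
    forged = alter(signed, body="Confirm hedge of 50 million EUR on position 17.\n")
    return verify_body(signed), verify_body(forwarded), verify_body(forged)  # (True, True, False)
```

Note that the signature deliberately says nothing about the From header: it binds the text to whoever held the key, which is exactly the origin-to-body link the paragraph above asks for.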
In sum, the Société Générale scandal should serve as an eye-opener for those who feel that email authentication is simply a matter of getting rid of spam. In fact, email authentication is crucial to any real-life scenario where critical decisions are taken based on the content of an email. And, as we know from the above, from other headlines and even from some laws in effect in certain jurisdictions, email is considered by many to be an authoritative document. Those in the know, however, realize that there is no technical basis for such a mindset. For now, at least.