XY, a financial institution, suffered a US $504,000 loss from fraudulent transactions. The culprits did it by: (i) gaining access to the super administrator (“sa”) password through social engineering. The “sa” password is required to access the live banking application database, and the Head of ICT and the Managing Director keep it in their custody under dual control. The bank’s system administrator accessed the Head of ICT’s notebook and obtained part 1 of the password. He then tricked the MD into having his computer updated with a recent patch, contrary to the normal procedure under which an external firm provides such maintenance service under a…
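The control that failed in this case is the dual-control split of the “sa” password, where "part 1" held by one custodian was a literal half of the password and therefore already leaked half the secret once the notebook was read. The following is an added illustration, not material from the case itself, of the difference between that naive split and an XOR secret split in which each custodian's share alone reveals nothing about the password; the function names, the stored-digest check and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os


def naive_split(password: str) -> tuple[str, str]:
    """The weak scheme: part 1 is simply the first half of the password.
    Anyone who obtains part 1 has already recovered half the secret."""
    mid = len(password) // 2
    return password[:mid], password[mid:]


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Two-share XOR split (a one-time pad over the secret).
    share_a is uniformly random, so neither share on its own carries any
    information about the secret; both are needed to reconstruct it."""
    share_a = os.urandom(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the secret from both custodians' shares."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def stored_digest(secret: bytes) -> bytes:
    """Digest the database keeps instead of the plaintext password (constructed
    stand-in for a real credential store; a salted KDF would be used in practice)."""
    return hashlib.sha256(secret).digest()


def authorize(share_a: bytes, share_b: bytes, expected: bytes) -> bool:
    """Dual-control unlock: both shares must be presented in the same session.
    The combined value is verified with a constant-time comparison and is
    never written to disk, so no single custodian's notebook holds the password."""
    candidate = stored_digest(combine_shares(share_a, share_b))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample password; not a value from the case.
    sa_password = b"constructed-sa-password"

    part1, part2 = naive_split(sa_password.decode())
    print("naive part 1 leaks:", part1)          # half the password in clear

    a, b = split_secret(sa_password)
    digest = stored_digest(sa_password)
    print("share A alone looks like:", a.hex())   # random bytes, no information
    print("both shares authorize:", authorize(a, b, digest))   # True
    print("one share twice authorizes:", authorize(a, a, digest))  # False
```

The point for the reviewer of a dual-control procedure is the second function: splitting a password into two written halves is custody, not secrecy, because each half narrows the search by itself, whereas an XOR share is useless without its counterpart. The same logic extends to Shamir secret sharing when more than two custodians or a k-of-n quorum is needed.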