Inadequate IT security allowed a trader at French bank Société Générale to make a series of unauthorised transactions that ultimately cost the bank £3.6bn, an internal investigation has found.

To prevent a recurrence, the bank should immediately introduce stronger security systems, including biometric authentication of trading staff, a special committee has recommended in its preliminary report to the bank's board of directors.

Between 18 and 20 January, the bank discovered that trader Jérôme Kerviel had established trading "positions" - bets that the price of securities and warrants would move in a particular direction - worth more than the bank itself.

He bet wrongly, and unwinding those positions over the following three days cost the bank €4.9 billion as it sold the stocks into a falling market.

As an arbitrage trader, Kerviel should have been making transactions in pairs, buying and selling similar assets to exploit the minute and fleeting differences in prices that exist in markets. Arbitrage trading is considered less glamorous than the one-way bets he secretly made from time to time by faking one half of a pair of transactions.

Kerviel had previously worked in the bank's IT department, and so had in-depth knowledge of its systems and procedures.

Staff mostly followed those procedures, the investigating committee found, but the procedures were not in themselves sufficient to identify the fraud before 18 January, partly because of the effort Kerviel made to avoid detection, and partly because staff did not systematically conduct in-depth investigations when warnings flags were raised.

Among the tricks Kerviel used to hide his activities, the bank's General Inspection department highlighted the use of fake e-mail messages to justify missing trades, and the borrowing of colleagues log-in credentials to conduct trades in their name.

Investigators identified at least seven occasions on which Kerviel faked messages between April 2007 and 18 January, four of them referencing trades that never existed. The deception was eventually uncovered when they could find no trace of Kerviel receiving the purported messages in the bank's e-mail archival system, Zantaz.

Between July 2006 and September 2007, internal control systems raised 24 alerts when the value of Kerviel's trades exceeded authorised limits, the General Inspection department reported. At the time, the bank's risk monitoring unit put the anomalies down to recurrent problems with the way the trading software recorded operations, and asked Kerviel's superiors to make sure he didn't exceed limits again.

The special committee made a number of recommendations, including the use of stronger, biometric authentication systems to prevent traders from accessing one another's accounts, and the improvement of alert procedures so warnings reach the appropriate managers. In addition, it suggests the tightening of trading controls, which do not cover cancelled or modified transactions, two of the tricks Kerviel used to conceal his bets.

Auditors are still looking for suspect trades to make sure all have been uncovered, and investigators have yet to review Kerviel's use of an instant-messaging service for evidence of his activities, the special committee said.

It will present a final report to shareholders at the annual general meeting on 27 May.