Slashdot Mirror
UK ATM System Could Have Ruined Economy
seanyboy writes "The Register is running the story of how the UK banking system could have collapsed in the early 1990s, how easy it was at the time to withdraw against other people's accounts and the worrying case of a Bank's rogue IT Department." From the article: "What quickly became clear was that the law needed a system to provide proof that events had happened so that legal cases could be made. You might say that 'the computer debited the account', but to a barrister (and more importantly, a judge) that's not enough. Did the computer do it at random? In that case it's like a tree branch falling - an accident. Or did a person program it to do so? In which case the person must be able to testify about the precise circumstances when a debit could happen. Sounds daft, but the law rests on proving each step of an argument irrefutably."
The worst part of the story was that the lawyer couldn't tell anyone about the security problem because he was no longer retained by his original client. I believe that in the US attorneys are obliged to come forward with information related to a criminal nature because they are officers of the court. I don't know if that distiction would have helped in this case, but the fact that the whole system perched precariously on the fact that only a few criminals knew how to bilk the system is disturbing.
"Rocky Rococo, at your cervix!"
As long as the situation remains that no one person can take any my money without my money, any number of people in fact, I'm happy.
Any grammatical or spelling errors above are for comic effect, and do not signify imperfection in the writer.
I had an account with National Westminster in '87 when I lived in the UK. The ATM's would always let you take cash out no matter how much in the red you already were. (It was my roommate that took advantage of it, not me, honest!)
I went to withdraw from an ATM. I put the card in, entered my PIN, and selected the amount I wanted - $200.
The ATM goes nuts and procedes to give me only $160 while debiting my account two transactions: one for $200 and another for $160.
I call my credit union and I tell them what happened. They tell me to fax a letter stating that I was diputing the $200. I did. They audited the ATM.
Long story short, the credit union backed out the $200 debit.
Evil people don't think they're evil. - George Lucas, Making of Ep III
Did anyone else see the headline and 1990's in the link and at first glance think this would be an article about why running an ATM network but using LANE everywhere is bad? Or perhaps how implementing this correctly would have caused bankruptcy because of all the expensive network cards for servers that would have to be purchased?
Of course, they would have your account info and know where to go to get you to pay it back, right?
Seems like this article and http://it.slashdot.org/article.pl?sid=05/10/21/135 204&tid=172&tid=156 are related - getting to market is more important than making sure it's 100% secure.
KeepTrackOfIt.com - Find the lowest gas prices in your area graphically
Could someone post some techniques to record changes to database records that don't involve a lot of overhead yet allow one to revisit any prior state of the data?
I suppose this sort of duplicates the functions of a transaction log but I don't know if a transaction log is queryable.
The reason why I ask is that I suppose it might have been useful in this case (as long as the law enforces audit logging)
lifts up his mattress and whispers to his stash of crumpled bills that he knew they were safe all along and the youngsters just don't know! They JUST DON'T KNOW!
My humor is probably your flamebait
It would be a sad thing if we've already lost our democracy.
Abstinence is a government conspiracy. www.SafeSexZone.co
Computers? Pah! Everyone knows that back in those days it was a midget with a box of money, trained to make BEEP! BEEP! noises.
Mother, do you think they'll like this sig?
Would that falling branch make a noise?
--
Shallow Sea Aquatics - Aquarium Supplies
I was actually wondering if this article was about the NERC centre in Swannwick being 6 years late and grossly over budget.
/You say "Asyncrhonous Transfer Mode" and I say "Air Traffic Management"
In the future, I would want to not be isolated from my friends in the Space Station.
I've never heard the phrase "think worries" before. I assume it means "to worry about," but where are you from, out of curiosity?
banks rob YOU!
+1 funny, -2 overrated. Life isn't fair.
The article has a number of strange assertions. First, only 3 PINs being generated by the card issuing system. I can see this is possible if you hack the application code itself but the HSMs (hardware security modules) that actually do the cryptographic operations wouldn't do this using Visa, IBM or Diebold PIN offset generation calls. It's possible, but it would be an insider job in one bank NOT the whole banking system. Second, the description of the scam is that one PIN offset on track 2 can be used with multiple account numbers. Again, all the standard PIN methods explicitly prevent this - the account number (PAN) is part of the input data to the PIN verification call. Third, the description has the crook shoulder surfing for PINs. Why does he need to do this if any known PIN can be used with any account? He only needs one known PIN and the corresponding card to be able to write as many cards as he likes. I'm sure there's some truth in the story but the technical detail is unconvincing.
computers have been a synonym for organized fraud in other places.
In Mexico, in the 1988 elections, the opposition candidate was winning by a large margin according to the official data. Then suddenly, "the system crashed", and when it came up, the official party was winning by a large margin.
This event was called "La caida del sistema de 1988", and makes me think that there's nothing new under the sun (Diebold voting machines, anyone?).
The lesson is clear: Regarding data and computers, if someone can do something wrong, he WILL. So auditing is a must.
Avoid any online payment systems based on "epay". No transaction begin/commit statements, no journal, few authorization checks, cleartext password table, one big table syndrome. It's clear the authors had little knowlege of accounting or database design beyond LAMP for blog/forum sites.
2 - The UK didn't have something similar to Reg E in the United States regulating "electronic" banking (in the US, that would include ACH items, wire transfers, and ATM/debit card transactions). And apparently, the UK doesn't have the banking regulatory structure to add such regulations as necessary without passing new laws.
If anyone is interested, here is Reg E in all of its glory.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
It's "Sheila McKechnie", not "MacKenzie".
My dad, who used to work for a well-known UK building society, told me a story sometime in the early 1990s of how there had been some buggy code on all their ATMs. When making a withdrawl, the machine would issue the cash and wait around a minute. If you hadn't taken the cash by then, it assumed you were still waiting for the cash to be dispensed and would issue it again, possibly even several times over if you kept waiting and waiting. Apparently it took the company quite some time to discover this bug.
I'm reasonable sure the story is completely true, although since my dad isn't around anymore, I can't ask him about it.
Organic free-range music... yum!
TFA is absurd on its face. Who would believe this story? There are no facts, just faulty logic.
Whats the name of the "rogue bank"?
He was trying to charge £1,750 per hour? Now he's going to court to try to collect fees that where not paid?
Nice try, but advice to the authors of the register dot com: if you are going to make up a story, try to make it sound believable.
--Barry
Those basards would let you withdrawal money from an already overdrawn account and then charge you a $29 dollar overdraft fee.
Hollow words will burn and hollow men will burn.
She seems to be using "worries" as a noun, the plural of a single "worry"; specifically, the kind of worry which is regarding electronic voting. In other words, 'Politicians think [that] worries-about-electronic-voting are...'
Similar sentences:
I think troubles with understanding each other are the root of all miscommunication.
I think fears about terrorism are largely unfounded in modern day America.
I think acts of nature are causing much larger problems.
"Worry", "trouble", "fear", and "act" can all be verbs ('that worries him', 'this troubles me', 'she fears that', 'they act out') or nouns ('He has many worries', 'I have many troubles', 'Her fears are unfounded', 'Their acts were irrational').
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
Well, that's certainly interesting. Here in Germany, banks always tell you that the system is infallible whenever money disappears from your account without you having withdrawn it, claiming that you must've written down your PIN and that someone must've found both the number and your card - according to them, there is no way to withdraw money from your account otherwise, and so far, the judges have believed them.
I wonder if this will have any influence here - I've never personally been affected, fortunately, but I do have at least one friend from whose account money has disappeared.
Seriously. How do you prove irrefutably that something happened? Can you prove irrefutably that man landed on the moon? That Hitler actually existed? That we are not in some false reality ala The Matrix? Taken to extremes, nothing is irrefutably provable.
But the real question is can you irrefutably prove that this post exists? Maybe you are part of the conspiracy...
Lawyer. What's happening? We need to talk about your TPS ATM reports.
Bank: Yeah. The withdralws errr coversheet. I know, I know. I'm uh...working on the ATM errors right now.
Lawyer: Yeah. So if you could just remember to do make sure the customer only withdralws his own money from now on, that'd be great.
If you liked this article and are interested in some technical background, you might also like Ross Anderson's essay: Why Cryptosystems Fail, which discusses some of the poor engineering that contributed to this situation.
#!
The original movies.
Here, most banks have "bounce protection," which basically means that the ATM will happily let you withdraw $50 when you only have $49.99 in the bank, and then charge you a $30-$50 "fee" for the privelege.
Personally, I'd rather have the ATM tell me to bugger off.
This was about 1999 or 2000. He was in Germany, his ATM card was in Germany with him, his account was being debitted from ATMs in Thailand, 10 Euros or so a time. The bank refused to return the money (about 80 euros in total?) until he hired a solicitor, then they settled immediately.
So I think there are newer cases than 1992 that this comes from.
accounts describes all the accounts
JournalEntries shows the date, time, type, who, etc of each transaction
JournalLines shows part of each transactionAfter All transactions, the sum of JournalLines(change) must be zero, and all account ballances must equal the sum of the changes to that account. No changing or deleting of past transactions is allowed, only compensating transactions if an error is found.
An ATM withdrawl would be:This would normally be done by a stored procedure that also checks the PIN, etc. The DB user that machines, etc connect as would only have access to run stored procedures, not change the journal directly.
There are several holes in the U.S. banking system, most notable of which is the demand draft.
But banks would prefer secrecy and bad legislation to contain their screw ups.
That is what banks are for!
...making every freak out!
Nice grammar.
It took a while and a half a bottle of mayonaisse, but I got all three of them up there. It isn't helping at all. Now what?
Related to this is the completely insecure EFT system in the US. One time, just to see if I could, I typed my friends routing number and checking account number into my online credit card website. She had given me a check, and so I wasn't stealing from her. I was just debiting the funds from her checking account in a slightly different way. The credit card online website had no trouble taking the money out of her account and crediting it to my account.
But this story gets better. I went on a trip and didn't see my friend for a few weeks. She noticed the debit in her checking account and at first thought it was something fishy. She called her bank and they told her the name of the credit card company and said that she'd have to call the credit card company to find out more. She called the CC company and they couldn't help her even though they had taken her money. After a couple weeks, she made the connection that it was probably me, sent me an email and I confirmed it. She had a father who went to jail for banking fraud and wasn't freaked out by things like this.
But the point is, that there's no security on EFT transfers, or for that matter checks. I could print up a check if I know the routing and account numbers and just cash it at one of those check cashing places... I can't believe that our system hasn't collapsed yet.
A 'friend of mine' used to get free money out of ATMs in the late 80's by using the simple method of a piece of stickytape. you go to the ATM and draw out £5, on those old machines and when the gate opened you had time to stick a peice of tape across the dispensing rollers. You then hang around like surly teenagers while people fail to draw money out - after 5 people have done this you go back and withdraw another £5, when the gate opens you use a pair of tweezers to rip off the tape and claim the winnings (normally around £200 - £400). Yes, my friend had few morals when he was a teenager, but a nice computer.
Excellent: Homer: Computer! Computer: Yes sir? Homer: Accidentally kill flanders! Computer: It shall be done. Ahhh...Good 'ol accidents. :)
*SNIFF*!! You smell like the inside of my mama's purse!
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Used it myself a few times when I worked in London in the 80's.
First of all, it would only work with a Nat West Deposit Account, if you did it with a current account you were screwed as you would get charged.
Lets say you had a big weekend coming up, you had £100 in your pocket and £100 in the bank. You would go to the bank and deposit £100 in the branch so you had £200 in Nat West. This would flag up on the ATM as you had £200 to withdraw, so you could go and withdraw £200 from the ATM, but for some reason (I assume the ATM's did a processing job every couple of days to a mainframe) the transaction didn't register on the branches computers for about 3 days and you could walk into the same branch 5 minutes later and withdraw another £200, so you had £400 now for the weekend. 3 days later however, the bank will have caught up and you are overdrawn by £200.
OK, now you are thinking about "hey you are going to get big charges for that", but the beauty was that it was meant to be impossible for you to go overdrawn on a deposit account so there was no charging procedures in place (the old computers are infallible thing that was mentioned in the original article), I did get called in to the bank once or twice to explain my actions but I just shrugged my shoulders and said "Well, I thought I had that much money in my account, sorry I buggered up, but why did you let me take that extra money out when I didn't have it, why didn't your computers stop me?" So I got away with it every time.
It was never a way to get free money, it was just a way to tide you over if you were a little short before your next pay day.
Jonathan
Oscar The Grouch Does America - http://www.mccormackj.fsnet.co.uk/oscarthegrouch/
About 8 years ago, there was one branch of Wells Fargo locally that had an ATM with issues. That ATM would essentially, every night at 12:28AM, be taken off the network for some kind of maintenance. For 10 minutes, that ATM wasn't connected in any way, and because of some sort of bug, if you withdrew cash, it would never report it to the bank.
This went on for a year before they fixed it. Anytime I was really low on cash I'd go make a free withdrawal in the middle of the night.
I still don't know how it would accept my card and pin, but not withdraw it.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d Capitalization really works: i helped my uncle jack off a horse
I'm an outside contractor in a UK bank and you wouldn't believe it. I care more about their security than the they do! They only care when something appears in the papers.
In the late 80's,
There was a known fault on some of the ATMS where the "picker" and the "presenter" units could go into a runaway condition.
This happened on London's Edgeware Road while the shutter (remember them) was open.
So there we were with the ATM spewing £5's and &10s all over the street as fast as it could pick them.
A number of passers by collected up the money while another went into the bank to alert the staff.
Amazingly when the bank balanced the ATM they found that there was no money missing.
A retrofit was quicly engineered to prevent the presenter motors running when the picker unit was in operation.
You need to check out products from SenSage Inc. They specialize in collecting log data from all levels of the network and consolidating it in a central log repository, queryable by SQL. This is the best technology for recording legal audit trails of electronic networks, and is a big deal for forensics, compliance, ...
SensageThe Briths economy is already fucked, and has been for some time.
Of course, sixteen years of economic incompetence will do that to a country, especially when eight of them are under Marxist government... currently shifting to a despotic Marxist government.
God save the fucking Queen. Nobody else can.
what I want to know is, who is "rogue Bank" and are they the same one I bank with
Well, after that Hack, Rogue Bank's CEO Frank ADOM resigned. The bank went belly-up and was bought out by Angbank, a subsidiary of Moria Holding.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
But I don't really know.
Anyone?
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"That sounds absolutely insane.
:-)
I worked for a company who, among other things, serviced ATMs. Although it wasn't 8 years ago, they certainly looked after some of that era (and then some).
They serviced Diebold, IBM and NCR machines, among others (like those little cash terminals). If the ATM goes offline for "maintenance", the authorised field tech has to call the Bank's NOC and obtain a new 3DES key to punch into the thing.
And believe me, if there is _ANY_ kind of network problem which prevents the ATM from authorising a transaction (EVERY transaction is authorised over the network before dispensing cash), it just sits there blinking "out of order".
When ATMs screw up, they will happily eat your cards, vomit ink on your receipts, and give you LESS cash than you are charged for, but everything about their design screams "no free money for you".
If you have a dispute about an ATM incorrectly dispensing cash, they can do an individual audit at your request on the machine which should show up anomolies.
They have procedures and practices that are continually monitoring and tracking the "performance" of these ATMs. If there's a discrepency in the amount of cash reported as going out vs the amount going in, it doesn't last long...
You must have strange ATMs in the US
It was quite fun to watch. The TV company had copied one ATM card and distributed it to guys across the country. At a given point in time, everyone withdrew all the funds simultaneously - and everyone got the money in the account (which was just up to the withdrawal limit).
;-).
Before you ask, they weren't silly. They had (if I recall correctly) the whole thing audited and monitored by both a lawyer and the police.
The evil bit was that they had scheduled interviews with major bank directors the next day and they asked them if their systems were safe. Inevitably (with one honourable exception) the answer was 'yes, absolutely'. On camera, they then opened their little briefcase with bank statements and quite a pile of cash.
It was incredibly funny to watch the bank directors' pose crumble. The notable exception was one bank where they interviewed the director of security who bluntly said that there's no such thing as a 100% safe system and he was always open to hear of ways to improve matters. So they told him in a more gentle way
Insert
In Belgium, there recently was a problem where ATMs would crash when the digit 7 was entered. Kind of nasty if that's part of your PIN...
In Taiwan, machines can be used not only to withdraw money, but also to transfer it. This is used for scams where people are told they won some amount of money, they just need to enter their PIN to get it transferred to their account...
Please correct me if I got my facts wrong.