Slashdot Mirror

← Back to Stories (view on slashdot.org)

2010 Bug Plagues Germany

Posted by CmdrTaco on from the well-that-was-ten-years-late dept.

krou writes "According the Guardian, some 30 million chip and pin cards in Germany have been affected by a programming failure, which saw the microchips in cards unable to recognize the year change. The bug has left millions of credit and debit card users unable to withdraw money or make purchases, and has stranded many on holiday. French card manufacturer Gemalto accepted responsibility for the fault, 'which it is estimated will cost €300m (£270m) to rectify.' They claim cards in other countries made by Gemalto are unaffected."

40 of 233 comments (clear)

  1. I wonder how that is compared to the loss from Y2K by mapkinase · · Score: 4, Insightful

    from TOA

    A French card manufacturer, Gemalto, admitted today it was to blame for the failure, which it is estimated will cost 300m (£270m) to rectify.

    I wonder how does it compare to the losses from Y2K bug... I know it is hard to compare, because there was an unspecified money loss as part of unnecessary checks, difference in scale, anticipation and efforts to fix before manifestation.

    I guess it hits you when you are least expecting.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  2. 2010 by s31523 · · Score: 4, Interesting

    Who would have thought 2010 was going to be a big deal. We just had a 2010 programming problem at work. Everything worked great in December then in January our software simulation stopped sending the correct time to our hardware. Turns out the simulation handles 2010 incorrectly. We now have to set our PC clocks to 2009 until the team gets a fix out. I bet we see more of this.

    1. Re:2010 by corbettw · · Score: 2, Funny

      Damn Mayans and their inability to correctly predict the end of the world! It came two years early!

      --
      God invented whiskey so the Irish would not rule the world.
    2. Re:2010 by edmicman · · Score: 4, Interesting

      2 weeks before the new year I found in our legacy code multiple "Y2K10" bugs. We're a health insurance company, and this is for a major national client who is sending us data with a 2-digit year format. There is code all over the place that is making assumptions about how to treat those dates, but it's faulty logic. We've fixed what we've found, but have no way of doing a complete audit so we're just going to have to fix them as issues arise. I love the clusterf*ck that is my job.

    3. Re:2010 by guruevi · · Score: 4, Interesting

      My question is, why the f*** so many systems have issues with their clocks. In just about any language (C, Java, .NET, Perl, PHP, SQL...) there are (built-in) libraries available that do time correctly. If you're unsure on how to store time, Unix epoch is just about the simplest way to store it (it's a freakin' integer), it's universally recognizable and accepted and very easy to calculate with and if you need more precision just make it a floating point number and add numbers after the comma.

      I see way too many implementations where people build their own libraries to convert a string into a date format, calculate with it and back. On embedded systems it's even worse. Some hope to save some storage space and speed by building custom functions to store a time format (eg. 2010-01-07 10:50:59 pm) into an integer (201001071050591) and back simply by stripping some characters and implementing the storage part in assembler. When they decide to export to other states/countries however they now have to implement a conversion for timezones and daylight savings time and the code becomes hopelessly buggy and bloated - usually too late to fix it since they already have it out in the field. While they could've just saved time (and storage space) by just storing it as 1278024659 using an (initially) somewhat larger library.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    4. Re:2010 by digitig · · Score: 4, Interesting

      My question is, why the f*** so many systems have issues with their clocks. In just about any language (C, Java, .NET, Perl, PHP, SQL...) there are (built-in) libraries available that do time correctly. If you're unsure on how to store time, Unix epoch is just about the simplest way to store it (it's a freakin' integer), it's universally recognizable and accepted and very easy to calculate with and if you need more precision just make it a floating point number and add numbers after the comma.

      Partly because of ignorance of the libraries, but partly because the built-in libraries simply don't do time correctly. Unix epoch? Rolls over in 2038, so it's no use for dealing with 49 or 99 year land-leases (or the 999 year lease I held on one property). I know somebody who worked on software dealing with mineral exploration rights who had just this problem: Unix epoch simply got it wrong for the timescales involved (and he wasn't allowed to use 3rd party libraries because management perceived that as a support issue). What was he to do but roll his own? And it's very much because people think it's simple, without looking at the actual issues.

      --
      Quidnam Latine loqui modo coepi?
    5. Re:2010 by Rockoon · · Score: 2, Insightful

      I think most of the time they are building their own conversions to date formats because they have to. Those standard libraries are great when the date is in a standard format, but multinationals deal with nearly every variation of date encoding known to man.

      1-digit years, 2-digit years, 4-digits years, month-before-day, month-after-day, year-first, year-last, decimal-seperators, slash-seperators, dhash-seperators, space-seperators, a-mix-of-seperators, without-day-of-week, with-day-of-week, with-day-of-week-abbreviated, without-english-month, with-english-month, with-month-abbreviation, and all words in many languages.. and different variations on abbreviations..

      Even if these guys leverage the standard libraries as much as they can, its still non-trivial to do it correctly. Multinationals arent dealing with data in a single format.

      --
      "His name was James Damore."
    6. Re:2010 by Rufty · · Score: 2, Insightful

      Premature optimization is the root of (most) evil.

      --
      Red to red, black to black. Switch it on, but stand well back.
    7. Re:2010 by digitig · · Score: 2, Insightful

      continue to clone every release. Or just use updates of the library, to carefully apply applicable patches to your fork of that part.

      Sounds like exactly the sort of maintenance issue management wanted to avoid in the case I mentioned.

      --
      Quidnam Latine loqui modo coepi?
    8. Re:2010 by l0b0 · · Score: 2, Funny

      Planck units since the Big Bang is the only way! Let's see: ~5.4E-44 seconds per unit, ~1.37E10 years since the Big Bang ~= 2.53E53 decimal = 2A4359FEF2C78D94A50F53B75B35AA648000000000000 hex, which should take about 180 bits to store.

    9. Re:2010 by Megane · · Score: 2, Funny

      The bad news is that your patents will have expired by then. The good news is that the Y10K bug means that your patents will un-expire. So get your head jar ready, because you're gonna be RICH!

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  3. They had to Queue? by HiChris! · · Score: 3, Funny

    "Although some cash machines were quickly reconfigured to override the 2010 problem, many bank customers were forced to queue to withdraw cash over the counter. Germany's economics minister, Rainer Brüderle, urged banks to 'ensure that credit and bank cards function without problem as soon as possible, or to replace them immediately'." My gosh standing in line to get money is so 1980

    1. Re:They had to Queue? by fuzzyfuzzyfungus · · Score: 2, Insightful

      The trouble is less in having to do it the old way than in having to do it the old way without notice and in an environment that has shifted toward the new way.

      Back when ATMs and POS electronics were uncommon, everyone knew well in advance that they would have to go get cash in order to make purchases, and do so during banking hours. Inconvenient; but everybody knows the score and the system is set up to work that way. If things suddenly shift back, you get a whole bunch of people, many whose first warning is probably some sort of cryptic error at a payment terminal, either stuck outside of banking hours, or swarming the few bank clerks that haven't been replaced by ATMs. Substantially more inconvenient now than it was then.

  4. Revenge at last by egandalf · · Score: 5, Funny

    It only took 65 years, but they finally got their revenge for those invasions. Subtle, the french are, very subtle and patient. Like mice.

    --
    Those who have telepathy have no need to RTFA.
  5. Effected? by LSD-OBS · · Score: 3, Informative

    Come on, editors.

    --
    Today's weirdness is tomorrow's reason why. -- Hunter S. Thompson
    1. Re:Effected? by show+me+altoids · · Score: 2, Informative

      This is what I came here to say. Should be "affected."

      --
      I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
    2. Re:Effected? by Jojoba86 · · Score: 2, Informative

      All editors please consult this handy guide.

    3. Re:Effected? by hicks107 · · Score: 5, Funny

      Eye was going two say the same thing. They knead to insure they are spelling things the write weigh.

  6. Untested software by nodan · · Score: 4, Interesting

    Again, it's surprising that such an obvious software bug makes it into the real world. You really can never trust untested software at all. What disturbs me most are the proposed "solutions": the companies issuing the cards try to avoid the exchange of the cards by all means due to the costs involved. However, that comes at the cost of sacrificing the security gained by the introduction of the now ill-functioning chip. What has been mentioned as well was updating the software on the card at the banking terminal - I'm surprised that this is possible at all. Essentially, that opens another huge security gap (which might have been there for a long time but went unnoticed so far).

    1. Re:Untested software by owlstead · · Score: 3, Informative

      Essentially, that opens another huge security gap (which might have been there for a long time but went unnoticed so far).

      It does not necessarily open up a "huge security gap", that's sensationalism. It does add significant "surface" to attack.

      GlobalPlatform cards (used by Visa/Mastercard) have always contained methods to update the Java Card (or other OS) applications on the card. Of course, this requires either signed code or a master key set. One expects this interface to be well tested and certified - and normally they are.

      Normally bank cards (and ID cards/passports) don't get updated in the field. I would not be surprised when upgrading the cards would meet serious problems.

    2. Re:Untested software by rickb928 · · Score: 2, Insightful

      Believe me, they they are tested. I know. But they are not always tested well.

      - The EMV (Euro MasterCard & Visa, also called chip & pin) specs are complex to say the least. It took 6 months for one team I know of to get to the point that the spec writerd admitted they did not know how it actually worked, and to admit that the actual data did not match the specs. They rewrote the spec based on actual data. Later, the 'controlling authorities' updated their specs to match our results. As if anyone ever really know how it worked. Kinda like taking your new car to a mechanic, having him change the oil, and he says 'gee, this doesn't look like the oil drain to me, but the manual says so. Just let me check'. And sure enough, the manual is illustrating the radiator draincock. Nice. And the car manufacturer is arguing with you that you're wrong, even when you send them a video of coolant coming out of the so-called 'oil drain plug'. Next year, they send you a new page for the manual. Your video is the source of the new pictures. Thanks, guys. You made this, and you got it that wrong?

      - Covering the connectors will force the reader to take the stripe if it can, and many do. This is also a scam by some criminals, where they cover the terminals in the reader and force the stripes for all purchases - and snarf your data. These usually don't last long, as this is a characteristic of either a failed terminal or fraud, and someone will be sending a new terminal out to the POS. If they do it again, they will send a body also. Third time usually results in sanctions. Gas stations and small restaurants are favorites for this, but large retailers also get hit of someone can slip in a doctored terminal - usually after stealing one earlier. Mongrel terminals are usually caught pretty quickly, so go in late at night, distract the staff, nick it, fix it up in your car, come right back, and get it back in before anyone notices. Target here in the U.S. got hit by this. So far, no reports from Europe.

      Chip & pin is not yet common in the U.S., and I'm not looking forward to it. In England, disputes over unauthorized charges with chip & pin almost always result in the bank ignoring the customer's pleas, and very often result in discovery later that there was a breach elsewhere in the system, like a pin pad. Many a sad tale of widows wiped out, and only after much pain is the truth found. The banks and all are hanging on to chip & pin as the 'final solution' to card fraud. Fat chance.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  7. Similar Bug Reported Before ... by foobsr · · Score: 2, Interesting

    Technology: 2016 Bug Hits Text Messages, Payment Processing

    Experts (or excellence, YMMV) at work.

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
  8. Re:I wonder how that is compared to the loss from by zaydana · · Score: 4, Insightful

    Moreover, it makes you wonder who much of a problem Y2K may have actually been if we hadn't of looked for all the problems and fixed them.

    Chances are things like this would have only been the beginning if Y2K hadn't have been anticipated and planned for, even if we over-reacted. Maybe we should be giving some people more credit than we do...

  9. Easy solution . . . by PolygamousRanchKid+ · · Score: 2, Informative

    . . . use the magnetic strip.

    I just saw a clip on a German news channel showing a chick covering the chip on her card with a piece of clear adhesive tape. Apparently this forces a dual card reader to use the strip. But I wasn't listening, so I'm working, you know.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:Easy solution . . . by Anonymous Coward · · Score: 2, Informative

      This "solution" has already clogged up several ATMs: the adhesive tape gets stuck inside the machine and blocks the reader, rendering it unusable even for those customers who have an unaffected card. Thank you very much. (Remember that ATMs are designed to prevent manipulated cards from being used, so tolerances are tight. The increased thickness could be something more sinister than tape.)

  10. Remind me of another story... by langelgjm · · Score: 5, Interesting

    Reminds me of a story I mention every so often. When I was an undergrad, I along with a few other enterprising students discovered that our university ID cards stored our social security numbers in the clear on the magnetic stripe. We eventually brought this to the attention of the school, who rushed to find a solution. They needed a unique identifier that was also not important information. They quickly settled on using our "university ID numbers" - arbitrary numbers whose value had no importance to the individual, and they reissued cards to the entire university.

    A few weeks after they finished reissuing cards, one of us discovered that the "university ID number" was a primary key in the school's LDAP database. By using a directory browser, you could look up any student, staff, or faculty member by name, and obtain their university ID number. Since this was the number on their ID card, and their ID card controlled access to buildings, labs, etc., it was trivial to obtain access privileges to pretty much anywhere on campus. Want to make it look like the president of the university broke into the nuclear reactor? Look him up, write his ID number to a magnetic stripe card (we had built the hardware to do this, as well as to "fake" cards, which allowed us to simple type in numbers and generate signals, without actually making a card), and have at it.

    Again, it was brought to the attention of the university. After a failed attempt to begin disciplinary action against one of us, they recalled everyone's cards and wrote new, presumably pseudo-random identifiers to them that were not publicly accessible.

    Moral of the story? In your rush to fix one problem, make sure you don't create an even bigger one.

    --
    "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    1. Re:Remind me of another story... by noidentity · · Score: 2, Insightful

      Moral of the story? In your rush to fix one problem, make sure you don't create an even bigger one.

      Indeed. When you find a problem and develop a fix, you are faced with a choice: continue using the old system with mostly known problems and possibly known workarounds, or use the patched system that has one of the known problems fixed, but might have new unknown problems, possibly more severe than the old known problem, and possibly without any workarounds.

    2. Re:Remind me of another story... by harl · · Score: 3, Funny

      My school did also. It's just a small one. They gave tours. It was really neat to look down into the core. Until I realized that I was looking down into the core.

      I thought most large universities had one.

      --
      I find being offended by me offensive.
  11. Greetings from 2038! by fotoguzzi · · Score: 4, Insightful

    Hah, hah, hah!

    --
    Their they're doing there hair.
  12. How big is a country factory? by Anonymous Coward · · Score: 3, Funny

    They claim cards in other countries made by Gemalto are unaffected.

    Which countries were made by Gemalto?

  13. This won't be fixed quickly... by MiniMike · · Score: 4, Funny

    Gemalto accepted responsibility for the fault, 'which it is estimated will cost €300m (£270m) to rectify.'

    I hope that money isn't in a German bank...

  14. Re:I wonder how that is compared to the loss from by Nadaka · · Score: 4, Insightful

    The response for y2k was not planned for, and it was not an over reaction.

    Y2k issues were known in the 80's. Had IT been allowed to respond in a timely manner, it would have cost much less, been checked more thoroughly and finished earlier. Instead they waited until the last possible moment and poured much more money into it, hiring as many developers as possible to put in a rushed hackjob and then firing them when the hack worked instead of retaining them to vet, verify and implement permanent solutions where needed. This issue is a result of the failure to react apropriately to y2k. The rushed temporary get-it-done-yesterday hacks are starting to fail.

  15. Unix epoch does not have to end in 2038 by Chemisor · · Score: 3, Insightful

    2038 is only the limit on 32bit platforms. On a 64bit platform time_t is 64bits, which will last "forever". We are already significantly on the way to switching to 64bit-only CPU operation, and I'm going to bet that by 2038 we'll switch completely, if only to avoid the end of time. Heck, if you could only have a working 64bit flash plugin on Linux, all Linux users would go 64bit already.

  16. Re:I wonder how that is compared to the loss from by WinterSolstice · · Score: 4, Interesting

    I was running a Y2K lab at my company from 1999 to 2000, and we found a TON of serious problems. Nearly all of our internal stuff had major issues, as well as email, phone systems, backup systems, and several operating systems.

    The tests I ran went from 1998->2012 in one year increments (with full tests by all teams at each year step) and most of those problems were nailed down.

    I'm guessing not all shops tested much further out than 2001 or 2002 - probably due to poor planning and lack of funds. As it was we had to cut ours back to 2012 because of budget constraints, so I can only imagine other shops did likewise.

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  17. Wow! by Linuxmonger · · Score: 2, Insightful

    Wow, somebody stood up, said it was their fault, and took responsibility - what a rare moment in the business world. I offer my gratitude and wish them well on what will undoubtedly be a perilous journey.

  18. Re:I wonder how that is compared to the loss from by hrimhari · · Score: 2, Insightful

    The rushed temporary get-it-done-yesterday hacks are starting to fail.

    Wonderful rant, but pray tell, how does this issue link to y2k hacks when it's an update to previous cards limited to German market? Have you inside knowledge from Gemalto of what motivated the aforementioned update and the reason they used such a way to represent the year in that particular geographic location?

    --
    http://dilbert.com/2010-12-13
  19. Re:Suppression of costs via minimizing testing. by Dr.+Hok · · Score: 2, Insightful

    I agree. In my experience, testing is usually cut down first when it comes to cost reduction, because the bosses can't see the benefit of testing. They never learn, it seems.

    --
    Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
  20. Re:I wonder how that is compared to the loss from by Rich0 · · Score: 2, Insightful

    You know, companies make the conscious decision to not have permanent staff to oversee contractors. They get what they pay for. That doesn't excuse contractors, but there is this thing called due diligence.

    Also, I'd say there is a 90% chance that the contractor spelled out exactly what they were doing and its implications, and somebody in the company signed off. Maybe they didn't read it all, but it is just as likely that they were given the choice of $600k to do it right, and $500k to do it cheap, and they picked the latter. Saving $100k probably got the decision-makers bigger bonuses, and by now they're all in different jobs or retired anyway.

    The problem is that companies are WAY too short-sighted. As a result stuff like this never shocks me.

  21. Re:I wonder how that is compared to the loss from by Nefarious+Wheel · · Score: 3, Interesting

    I was running a Y2K lab at my company from 1999 to 2000, and we found a TON of serious problems...

    My wife was in charge of a Pick-based hospital IS back then. She put in a huge number of extra-long days getting the dates expanded so the hospital wouldn't have to "go manual" on 1-Jan-2000. She made the deadline, but it nearly killed her. Hospital administrators then gave her a sledge for making such a big deal over it, because clearly it was all a farce - nothing happened as a result of the date changing to year 2000.

    The loss to her was any further interest in an IT career. She's now teaching immersive medieval history to a number of schools, where her work is at least appreciated by her clients.

    --
    Do not mock my vision of impractical footwear
  22. Is there such a thing as obsolete code? by jc42 · · Score: 4, Interesting

    Plus, by waiting until the last minute, no labor was wasted in pre-fixing systems that would already be obsoleted by 1999.

    Yeah, but recall that in the Y2K bugs were mostly found in corporate COBOL programs, and COBOL code doesn't get retired. It just accumulates in the musty corners of old runtime libraries. There was a lot of COBOL code from the 1960s that was patched for Y2K

    To see how bad the COBOL retention syndrome is, consider that IBM has had to supply emulators of older processors, so that customer companies could continue to run binaries for which the COBOL source has been lost. Yes, it really is that bad in the corporate DP/MIS/IT world. Of course, the binary-only programs generally couldn't be fixed for Y2K, and had to be rewritten. But they were rewritten by people adapted to the same corporate culture, and made the same mistakes in date/time handling that they've always made.

    I remember reading a story by a fellow who got curious about the date problems in COBOL code, and started collecting examples of COBOL date-manipulating code. He said that when his count of the number of different date formats passed 180, he decided that he understood the problem quite well. This is still going on, as can be seen by looking at the date-handling code in newer software, and we still have the same problems.

    Just last week, I gave a demo of some web code that I've been developing for a (mercifully) unnamed client. During the demo, some of the screens exposed the fact that the code internally saves all dates in ISO standard form, for the UT "time zone". I assured them that I could add the obvious translations to local time fairly soon, but this turned out not good enough. They were insistent that they didn't want the code "working on European time", and wanted the internal times all in local time. This despite the fact that they (and their visitors) are scattered across about 10 time zones. Just displaying all times in the local zone isn't acceptable; they object to Universal Time internally on general principles. I've seen this repeatedly on a lot of projects. It tells you a lot about why our software continues to have time-handling problems, whenever any particular ad-hoc time representation reaches a value ending with some number of zeroes (in base two or ten).

    It was really funny a few days ago, when we read about spamassassin's bug triggered by the first day of the year 2010. I predict that we'll get reports like this in every year ending with a zero, for as long as any of us is alive. ;-)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.