Slashdot Mirror


Buggy Software Made Us Miss Money Laundering Scam, Says Australian Bank (theregister.co.uk)

An anonymous reader shares a report: Australia's Commonwealth Bank has blamed a software update for a money laundering scam that saw criminals send over AU$70m (US$55m) offshore after depositing cash into automatic teller machines. News of the Bank's involvement in the laundering scam broke last week, when Australia's financial intelligence agency AUSTRAC announced that it had found over 53,500 occasions on which the Bank failed to submit reports on transactions over $10,000. All transactions of that value are reportable in Australia, as part of efforts to crimp the black economy, crime and funding of terrorism. The news was not a good look for the Bank (CBA), because most of the cash was deposited into accounts established with fake driver's licences. Worse still is that each failure of this type can attract a fine of AU$18m, leaving CBA open to a sanction that would kill it off. Today the bank has explained the reason for its failure: "a coding error" that saw the ATMs fail to create reports of $10,000+ transactions. The error was introduced in a May 2012 update designed to address other matters, but not repaired until September 2015.

57 comments

  1. Office Space by Nidi62 · · Score: 4, Informative

    Sounds to me like a couple programmers found a way to take their retirement accounts into their own hands.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Office Space by parkinglot777 · · Score: 1

      Sounds to me like a couple programmers found a way to take their retirement accounts into their own hands.

      And how did the changes pass QA anyway? I think QA could also be involved. :p

    2. Re:Office Space by MoarSauce123 · · Score: 1

      Have you ever worked in a software company? QA gets the least resources, the least respect, and typically no veto rights whatsoever. When management decides that on date X the product ships then it ships. And when developers claim that QA is full of hooey then the developers are always considered to be right. That assumes that there is dedicated QA in the first place. There are plenty of places that ship as long as the compiler does not throw any hard errors.

  2. So it was an insider then by Anonymous Coward · · Score: 0

    No one would know about this bug except the person responsible for creating it.

  3. Awwwwww, blame it on the software! by Anonymous Coward · · Score: 0

    Yeah, no way you couldn't have hired DIFFERENT PROGRAMMERS or purchased software from a DIFFERENT COMPANY.
     
    Don't be so gay. Accept your responsibilities.

  4. Well, that's news. by hey! · · Score: 3, Funny

    I didn't know they held a pageant for that.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Well, that's news. by Anonymous Coward · · Score: 0

      Seems the recruiting season for Miss Dark Web just started.

      Chloe Ayling, UK model kidnapped for dark web auction, reveals ordeal

    2. Re:Well, that's news. by Nchantim · · Score: 1

      “a coding error” that saw the ATMs fail to create reports of $10,000+ transactions.

      How about ATMs that don't allow you to withdraw or deposit more than $10,000 in cash?
      No, I'm guessing that they made transfers between accounts using the ATMs. but shouldn't the reporting be done at a centralized level?
      e.g. ATM requests that a service transfers funds, the transfer service is used by all software to access the accounts (online, teller, ATM, phone), and THAT is responsible for logging $10k+ transactions?
      But it does bring us to the question of who was on the inside? The scheme wouldn't work if the criminals didn't know that the reports weren't being generated...

    3. Re:Well, that's news. by Anonymous Coward · · Score: 0

      Australian ATMs have a limit of $1000 out per day but you can get up to $2000 from the branch with only ID and a signature. However sometimes in the branch if I withdraw $2000 they don't have enough $100 notes or not enough notes at all!

      Any more than that and you have to organise in advance as they don't hold so much. What I did find odd was that they said that their cash machine in the branch has a withdrawal limit of 10,000 at a time so I had two lots of withdrawals.
      If that is the case then anyone who wants to withdraw a lot can just let them do all the work chopping up the withdrawal without reporting.

      I did this when purchasing a car in 2016 and when organising on the phone they were like "so what are your plans?" They then wanted to do a quote for car insurance and since I was legit I got a quote.
      The operator slipped when they said a few things about the car I never explained which I thought was odd (it being a rare car). How would they have known? I thought maybe something was flagged in their system once I gave the car details.

      Then going to the branch to collect it all and again they were asking questions about what I was doing with all of the money.

      Turns out the previous owner had car insurance with them (even the same branch as we were not far from each other) and the bank already had the details about the car. So it wasn't some government/banking reporting thing at all.

  5. US by Anonymous Coward · · Score: 1

    Oh wait... Us

  6. Re: Would Rust have prevented these bugs? by Anonymous Coward · · Score: 0

    I have another idea. How about actually testing the features before deploying the software?

  7. "a coding error" by nastyphil · · Score: 5, Insightful

    A coding error that was not caught in regression testing, and remained undetected and thus unpatched for years, breaking your organization's compliance... IS A BUSINESS ERROR.

    --
    Dialectician. Archology.
    1. Re:"a coding error" by Anonymous Coward · · Score: 0

      Does anyone actually do regression tests? Pretty sure they're just a running joke professors tell their students, like comments and complexity analysis.

    2. Re:"a coding error" by Anonymous Coward · · Score: 0

      We run regression where I'm at - our offshore teams constantly check in stuff that breaks them raising the ire of our QA team.

    3. Re:"a coding error" by ZiakII · · Score: 2

      All the time, automatically, every night. Only a complete idiot wouldn't do it.

    4. Re:"a coding error" by Anonymous Coward · · Score: 0

      Testing costs money. Shareholders and executives demand higher profits. These are in direct conflict, so greed wins out and testing gets kicked to the curb.

      Until these types of practices start really affecting the pockets of shareholders and execs, don't expect it to change.

    5. Re:"a coding error" by jellomizer · · Score: 0

      ree-gressi-on? What is that some sort of crazy MBA buzzword?

      Regression testing, for complicated applications can still miss a lot of bugs. To do a full regression test, it could put the company at a full stand still. I remember the boss asking to process a sample of data with a 5% margin of error. We calculated the sample size, and we needed to process 100,000 records... Giving them that number, no one wanted to do it. So that fell by the wayside.

      Not for the Australian bank. How much did this hack cost the organization? How much would it have cost for the development team to make it right in the first place...
      Sometimes it is cheaper to do it wrong, and pay for the consequences, than to do it right the first time.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:"a coding error" by dwywit · · Score: 1

      The $10K reporting requirement has been around for a long time. The bug is that they *stopped* reporting the transactions. Previous to this software update, the transactions were being reported, so the reporting was either deliberately stopped (possible, but unlikely), or the trigger wasn't pulled because some flag wasn't set because Total_A 10,000.00, even though it was.

      How does a programmer turn off a process that should have "WARNING - THIS IS REQUIRED BY LAW" written all over the comments?

      --
      They sentenced me to twenty years of boredom
    7. Re:"a coding error" by nastyphil · · Score: 1

      You're correct of course, it can be expensive to test thoroughly. Depends on where your model and risk extend. The functional aspects of design? The maintenance of the software? Correct functioning of the ATM HW? Support procedures? Escalation? Audit? Independent verification? Monitoring of operational performance of it and other applications that provide inputs or consume outputs, etc ...the division, governance, the business?

      My point is that especially in a fashionable Dev Ops world, the 'system' includes, but is not restricted to code. Do _you_ test the code, or do you test the system?

      Yes, it can be cheaper to deal with consequences than to over engineer. Make sure you understand the consequences first before making that call however.

      Often programmers or their leads or the PM etc are dimly if at all aware of the broader ecology in which their output features, or certainly more aware of short term requirements only. Like I said this is a business problem and not at all uncommon.

      --
      Dialectician. Archology.
  8. Man... by Anonymous Coward · · Score: 0

    That's one hell of a feature

  9. what QA? by Anonymous Coward · · Score: 1

    I bet they cheaped out on QA.

  10. "buggy software" made us do it by Anonymous Coward · · Score: 0

    yeah yeah... pull the other one. I'll believe that when monkeys come flying out of my butt.

    1. Re:"buggy software" made us do it by Anonymous Coward · · Score: 0

      If only the CBA would be fined $963 billion dollars, but I'll believe that when monkeys come flying out of your butt.

  11. Re: Would Rust have prevented these bugs? by Anonymous Coward · · Score: 0

    No.

  12. Re:Would Rust have prevented these bugs? by Anonymous Coward · · Score: 0

    Would using a provably safe language like Rust have prevented these bugs? Even if Rust can't completely prevent logic bugs, it does free programmers from having to worry about memory bugs and thread safety, allowing programmers to put more focus on avoiding logic bugs.

    BINGO!!!

    You said all the buzzwords on my bingo card!

    I WIN!!!!

  13. Why ATM by Luthair · · Score: 3, Interesting

    Why exactly is the ATM machine the piece that is doing the reporting? Shouldn't it be a central authority, not some piece of hardware that a large number of people have physical access to?

    1. Re:Why ATM by Anonymous Coward · · Score: 0

      It does not make sense; as far as I know you can only take out a maximum of $1000 per day from an ATM, unless there is something I don't know.

    2. Re:Why ATM by Anonymous Coward · · Score: 0

      Automated Teller Machine Machine?

    3. Re:Why ATM by gravewax · · Score: 2

      The reporting is not for a standard ATM; these are for deposit ATMs placed around the world where deposits can be very large, and from the sounds of it, when a large deposit is received (larger than $10,000 AUD) they are supposed to trigger a report. The coding error gives them an excuse for the majority; however, there is also a chunk of them (around 100 or so) where they also failed to monitor and report known suspicious accounts, for which they have no excuse. In theory total fines could be as much as $1 trillion dollars; in reality I suspect they are looking at a couple of hundred million in fines and mandated oversight/audits.

    4. Re:Why ATM by Anonymous Coward · · Score: 0

      this is not for withdrawals it is for deposits.

    5. Re:Why ATM by GumphMaster · · Score: 1

      This, and its close ally the PIN Number, are classic examples of RAS Syndrome (Redundant acronym syndrome syndrome).

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
    6. Re:Why ATM by Luthair · · Score: 1

      Not sure what you mean by standard ATM, here virtually every machine accepts deposits barring the shady ones in bars. I stand by my point, reporting standards aren't only for deposits, they are also for transfers, cheques, etc.

    7. Re:Why ATM by Anonymous Coward · · Score: 1

      These ATMs accepted and counted cash which could be placed into accounts anonymously. ATMs have long been able to accept deposits, but "most" required you to use a card or access your account first and then would provide a deposit envelope; the net effect was really that the deposit was processed much later, when a bank staffer checked the deposit. With the IDM ATMs the deposit is instant and anonymous, so criminals could then immediately transfer the funds seconds after the cash is deposited, making them highly attractive.

    8. Re:Why ATM by Anonymous Coward · · Score: 0

      Most ATMs do not "PROCESS" deposits. They accept them, and then they are processed by a person in the bank later. These ATMs processed the deposit, meaning the funds were immediately available to transfer after the deposit. So you could put $20k in drug cash in anonymously and then 10 seconds later transfer that money overseas or to another account for withdrawal.

    9. Re:Why ATM by Luthair · · Score: 1

      Again, how is that different precisely? Whether a machine or a person counts the bills the result is still sent to a central authority which can easily do the reporting or you can implement it in 47 different places.

    10. Re:Why ATM by Anonymous Coward · · Score: 0

      The difference is that when a machine does it, it is processed instantly without any eyes on the transaction to report it or put a temporary hold on it while it is checked for suspicious activity, so the cash can be in the bank and then moved to another account long before anyone in the bank ever sees it. The system is 100% reliant on the machine accurately reporting (which it wasn't). With a normal deposit ATM, if you put $20k in cash in, a bank teller is going to open the envelope and immediately go "oh, ok, I need to report this".

  14. It's hard to care about money laundering by Anonymous Coward · · Score: 1

    Money laundering laws remind me of stuff like DRM, where it's primarily known for being a pain in the ass for completely innocent people, and it's assumed that crooks already know how to get around it anyway and are therefore not as inconvenienced or violated as everyone else.

    Any time a money laundering law comes into play, it's very likely that it's just making things harder for (or compromising the privacy of) a non-criminal. Ergo, the laws have little legitimacy and no person worries if they're circumvented or otherwise fail.

    This bug is unimportant, even if crooks did use it. The crooks are so staggeringly outnumbered by all the other people who used the ATMs too, for non-money-laundering purposes, that whatever money laundering "crime" which may have happened, simply doesn't matter.

    1. Re:It's hard to care about money laundering by GumphMaster · · Score: 2

      The $10000 reporting limit is transparent to the end user unless the transaction is made in cash (and not, it seems, a deposit through one of these machines) or triggers the "suspicious activity" criteria (e.g. repeated $9000+ deposits). I have moved close to $30000 electronically to other parties, in both AUD and USD through a forex service, in past weeks for a trip to Patagonia/Antarctica: not a piece of paper in sight. The machines in question are for deposits, primarily for out-of-bank-hours business trade, and not the transactional cash withdrawal machines. They replaced the old night safe arrangements where cash was deposited in a bank safe and processed manually the following business day. The user population for these machines is much smaller than the common ATM. The number of unreported transactions we know about is in excess of 50000, each of more than $10000. We do not yet know to what extent suspicious activity on smaller deposits has been unreported. I do not think for a moment that these are all money laundering transactions, but it is still an amount in excess of $500,000,000 that has moved without scrutiny through these machines alone. The machines are only a small part of the systemic problem.

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  15. Re:Would Rust have prevented these bugs? by Anonymous Coward · · Score: 0

    Rust is a toddler. Many better and safer languages have been in production use for a long, long time. Three of the best in this regard are SPARK, Eiffel, and Ada. Rust is too young and untested.

  16. /. is more fun when you're half awake by GrumpySteen · · Score: 3, Funny

    I read the headline as "Buggy software made the United States win the Miss Money Laundering Scam according to an Australian bank." I think it's a title we would live up to.

    1. Re:/. is more fun when you're half awake by Anonymous Coward · · Score: 0

      I read it as "buggy software made us nostalgic for money laundering scam."

  17. Re:Would Rust have prevented these bugs? by jellomizer · · Score: 1

    With modern OS's (Memory Address randomization, have data and Executable data in different areas of the memory ) the types of bugs that Rust fixes by default will prevent a bunch of system crashes vs using low level hacking methods to control the system.

    Besides the developers who are good at fixing the low level security problems are often not the same people who are good at fixing logic errors.

    I find most bugs come from management pushing to get the product done quickly, and forcing the prototype proof-of-concept code into the core system.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  18. Re:Would Rust have prevented these bugs? by jellomizer · · Score: 1

    Rust in my opinion, has not proven itself yet.
    Once the amateur programmers start using it to make shovel ware, junk programs. Then we will see how good it really is. Right now most of the Rust developers (Not all) are good at their craft and already write careful code.

    Once it matures a bit, it will get the immature developers on it, meaning they will stumble on crazy hacky ways to get things done. Making all the variables mutable just because it will be easier than having compile errors.

    I remember back in the old days when there were a bunch of Computer Science freshmen who would declare victory and turn in their code for grading once they got it to compile (without testing to see if it works as directed). Luckily most of these students change majors, but a few will be happy with their 2.0 GPA and get the paper, and a job somewhere.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  19. Re:Would Rust have prevented these bugs? by Anonymous Coward · · Score: 0

    declare victory and turn in their code for grading once they get it to compile ...at least they get it compiled. I've seen students submit code typed up in Word! :-/

  20. No problem. $10bn overdraft fee please. by Anonymous Coward · · Score: 0

    No problem. $10bn overdraft fee please. Also, you might be lying and need to go to jail. Zero fox.

  21. They got letters from the AFP... by Anonymous Coward · · Score: 1

    They got letters regarding the transactions from the Australian Federal Police and continued to allow it to happen... so... it sounds like being complicit to me.

    Secondly... you wouldn't put the reporting in ATM space either. You'd build this stuff into the core transaction code that does the ledgering between accounts... for all accounts.

    I call bull.
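The design several replies above argue for (Nchantim's "transfer service used by all software", Luthair's "central authority", and the point here about the core ledgering code), together with the failure dwywit describes (a channel-side flag that simply stops being set), as an added example in Python. This is not code from the thread or from CBA; the AUD 10,000 threshold is the figure in the story, while the transactions, the `Ledger` classes and the channel-flag "before" design are constructed for illustration. The point it adds is the independent reconciliation step: a control that recomputes which postings needed a report and lists the ones that have none, so a broken reporting path shows up the next day rather than after three years.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List

# AUD threshold referred to in the story; every amount below is a constructed sample.
REPORT_THRESHOLD = Decimal("10000.00")


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    channel: str   # "atm", "teller", "online", "phone"
    kind: str      # "cash_deposit", "transfer", "withdrawal"
    amount: Decimal


def report_required(txn: Transaction) -> bool:
    """One rule, owned by the central ledger and applied to every channel.

    Cash deposits at or above the threshold are reportable. The comparison
    is >= so an amount of exactly 10,000.00 is caught; that boundary is the
    kind of thing a regression test has to pin down.
    """
    return txn.kind == "cash_deposit" and txn.amount >= REPORT_THRESHOLD


@dataclass
class Ledger:
    """Central transfer service (constructed): all channels post here, and
    reporting happens here rather than in each channel's own software."""
    posted: List[Transaction] = field(default_factory=list)
    reports: Dict[str, Decimal] = field(default_factory=dict)  # txn_id -> amount

    def post(self, txn: Transaction) -> bool:
        self.posted.append(txn)
        if report_required(txn):
            self.reports[txn.txn_id] = txn.amount
            return True
        return False


@dataclass
class ChannelFlagLedger(Ledger):
    """Hypothetical 'before' design: the channel decides whether a posting
    is reportable and passes a flag. A channel update that stops setting the
    flag silently stops the reports, and nothing in the posting path notices."""

    def post_flagged(self, txn: Transaction, channel_flag: bool) -> bool:
        self.posted.append(txn)
        if channel_flag:
            self.reports[txn.txn_id] = txn.amount
            return True
        return False


def reconcile(ledger: Ledger) -> List[str]:
    """Independent control: recompute which posted transactions needed a
    report and return the ids of those that have none. Run nightly over the
    ledger, this surfaces a broken reporting path after one day."""
    return [t.txn_id for t in ledger.posted
            if report_required(t) and t.txn_id not in ledger.reports]


# Constructed sample activity: a mix of channels, kinds and boundary amounts.
SAMPLE = [
    Transaction("t1", "atm", "cash_deposit", Decimal("9999.99")),
    Transaction("t2", "atm", "cash_deposit", Decimal("10000.00")),
    Transaction("t3", "atm", "cash_deposit", Decimal("20000.00")),
    Transaction("t4", "teller", "cash_deposit", Decimal("15000.00")),
    Transaction("t5", "online", "transfer", Decimal("50000.00")),
]


def run_central() -> List[str]:
    """Central rule: t2, t3 and t4 get reports; reconcile finds nothing missing."""
    ledger = Ledger()
    for t in SAMPLE:
        ledger.post(t)
    return reconcile(ledger)


def run_channel_flag(atm_sets_flag: bool) -> List[str]:
    """Channel-flag design: when the ATM software stops setting its flag,
    reconcile lists the ATM deposits that should have been reported."""
    ledger = ChannelFlagLedger()
    for t in SAMPLE:
        if t.channel == "atm":
            flag = atm_sets_flag and t.amount >= REPORT_THRESHOLD
        else:
            flag = report_required(t)
        ledger.post_flagged(t, flag)
    return reconcile(ledger)


if __name__ == "__main__":
    print("central rule, missing reports:", run_central())
    print("atm flag broken, missing reports:", run_channel_flag(False))
```

The reconciliation is deliberately written against the same `report_required` rule but a different code path from the one that files the reports, so it does not share the defect it is looking for; in a real deployment that check would read from the ledger of record and the regulator-submission log, not from the channel that produced the deposit.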

  22. Maybe... by The123king · · Score: 1

    Maybe they just Can't Be Arsed

    --
    If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
  23. Let's put this in perspective by ozphobia · · Score: 1

    Firstly, I love to kick the crap out of Aussie banks as much as the next person. It is a national pastime down here, under the rest of the world.
    The Aussie banking system is regulated up the wazoo, with APRA and ASIC constantly moving the regulations around to protect people from the perceived 'predatory' ways of the 'Big' Banks, being NAB, Westpac, ANZ and CBA in recent times. Now firstly, these banks make obscene amounts of profit, and in the past have made some monumental screw-ups/crap decisions, as have most large businesses, but really a big chunk of this protection is because people want to borrow more money than they can afford so they can keep up with the Joneses.
    Which brings us to the point in question: when one of the regulators makes a change, it causes a lot of change to be made across the business, which takes time and money to implement. The banks aren't actually receiving any benefit from these changes; in most cases they are losing business and expending real dollars in meeting the needs, otherwise they have their licence jeopardised. When you have rolling changes year on year that affect the entire business and the systems that support them, shit is going to get missed.
    Maybe the government should look inwards at the amount of fraud that exists in the welfare, tax and health systems before targeting the banks. After all, they have just decided to tax the five biggest banks AU$1.6B a year just because they can.
    Just to be clear, I don't work for any financial industry; I actually work in health.

    1. Re:Let's put this in perspective by nastyphil · · Score: 1

      The benefit of compliance, is the license to trade.

      --
      Dialectician. Archology.
    2. Re:Let's put this in perspective by ozphobia · · Score: 1

      Absolutely agree with this comment. But with any large organisation, it is a lumbering beast, and when asked to run it tends to fall over. Structured change is better than constant change, and with many sections of government 'decisions' it tends to be reactive rather than tempered pro-activity.

  24. Offshore coding. by Anonymous Coward · · Score: 0

    If CBA are anything like the other banks their coders are all in Mumbai as they're cheap.

    I once worked for another one of the Big Four aussie banks and they were busily shifting as many IT positions as possible to India.

    It goes without saying the Indians were fucking useless. Tata, Wipro etc...you guys know the drill. They were lazy, incompetent, would "hide" using the time zone differences, would say yes to everything even when they knew they couldn't do it, and would stink up the HQ with curry shit when they were flown in to work onshore.

    Have you ever noticed that most of them don't even wash their fucking hands after using the toilet ?? It was a running "thing" in HQ that you'd avoid using hotdesks that an Indian had been in, especially touching the phone etc...

  25. Number of the beast by nastyphil · · Score: 1

    IKR?

    I worked most of my career in .au, the last 10 years as a contract Information Architect. All industries (NGO, .gov, Big 4s, SMEs, Energy etc.) are depressingly not self-aware. Like a complicated soup, they struggle with the laws of thermodynamics, Chinese whispers and too many chefs.

    It's depressing as a stakeholder (ie citizen, customer, investor etc) to observe. OTH, it's been a lucrative career and I am enjoying a multi year sabbatical in Europe, studying Art History and (barely) managing a porn startup.

    ymmv.

    --
    Dialectician. Archology.
    1. Re: Number of the beast by Anonymous Coward · · Score: 0

      Tell me more about this porn startup.

      You're Aussie ?

    2. Re: Number of the beast by ozphobia · · Score: 1

      Well I hope NastyPhil got a grant from the Federal Government for his new venture.

  26. Rust does not prevent backdoors. by knorthern+knight · · Score: 1

    > Would using a provably safe language like Rust have prevented these bugs?

    A programmer somewhere could have been bribed to do this deliberately. In that case, it doesn't matter whether it's COBOL/FORTRAN/C/C++/PYTHON/RUST/whatever. This was not a buffer overflow, or a null pointer. The program was WAD (Working As Designed). Someone on the design team accidentally or deliberately did this.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user