Over the course of 100-plus years, Sampo Bank had grown into one of the largest banks in Finland. Since its founding in 1887, Sampo stayed ahead of the technology curve, introducing the first modern payment system -- the postal giro -- in 1939, becoming Finland's first adopter of IBM's "electronic brain" in 1958, and amassing nearly one million users of its online banking service by 2006.
But alas, in today's acquire-or-be-acquired world, Sampo was swallowed up by the Danish giant Danske Bank. On Nov. 9, 2006, Danske announced not only the acquisition, but that it would integrate all IT platforms -- online banking, merchant processing, account management and so on -- in 1 year, 4 months and 15 days, by Easter weekend of 2008. And come hell or high water, they would meet that date.
As Easter grew closer, the integration problems grew worse. Instead of extending its own deadline, Danske opted to expand its integration project team to a whopping 2,500 employees and the budget to more than $300 million. The longer and harder developers worked on the systems, the sooner they transferred their personal savings accounts to other banks. Despite all the issues, Danske pushed forward with its Easter integration plan. Not surprisingly, after that fateful switchover in March 2008, things didn't go over so well.
When the new system went live, many Sampo customers couldn't help but notice. Standing in line at retailers across Europe, they watched clerks swipe their Sampo cards over and over, only to get an "Authorization Denied" message every time.
Not to worry, embarrassed shoppers naively thought, the ATM is right around the corner -- but Sampo ATMs weren't quite working, either. As for the branches, not only were there hour-long lines, but the teller computer systems had issues as well: incorrect account balances, wrongly applied transactions and unavailable accounts, to name a few -- exactly the type of things that could send someone over the edge. One disgruntled customer took an axe to a wooden desk at a Sampo branch after learning his account was supposedly empty.
As bad as Danske's retail problems were, its new online banking system fared much worse. While Sampo's former e-banking site was user-friendly, secure and accessible in most browsers and mobile phones, Danske's was none of the above.
Within hours of use, the entire online banking system collapsed under a normal, Monday-morning workload. This meant that Sampo's tech-savvy customers couldn't transfer money, pay bills or issue debits. While that isn't a mission-critical issue for the average personal banker, some of Sampo's business customers -- such as Nokia -- weren't too pleased.
When persistent users managed to access the site during its sporadic uptime, they immediately noticed that it was only accessible in Windows using Internet Explorer. And to make matters worse, they'd have to download a fairly large Java applet to perform their banking tasks. To make matters even worse, the Java applet was disastrously developed.
Because Java bytecode can so easily be decompiled, many developers run an obfuscator over their builds to make reverse-engineering the compiled classes virtually impossible. While the Danske developers actually did ship an obfuscator inside the applet, they apparently forgot to run it. This oversight allowed anyone with the freely available Java SDK to read the code behind their "secure" applet.
The most obvious oddity in the Danske applet was that it made extensive use of platform-specific native DLLs -- that is, non-Java code -- for no apparent reason, thereby effectively undoing the platform independence of a Java applet.
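An obfuscator that is bundled but never run is exactly the kind of mistake a release gate should catch. The following is an added example, not code from the article or from Danske Bank: it lists the class entries of a JAR and flags a build whose class names are still descriptive, using only the standard library. The package names, class names and the 80% threshold are constructed assumptions; the name-length heuristic is a smoke test, not proof that an obfuscator ran.

```python
# Added release-gate check (not Danske's or Sampo's code): inspect a JAR and
# estimate whether an obfuscator actually ran before it shipped.
import io
import zipfile


def class_names(jar_bytes):
    """Return the simple names of all .class entries in an in-memory JAR."""
    names = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class"):
                simple = entry.rsplit("/", 1)[-1][: -len(".class")]
                # Inner classes: keep only the part after the last '$'
                names.append(simple.rsplit("$", 1)[-1])
    return names


def obfuscation_ratio(names, max_len=2):
    """Fraction of class names that look obfuscated (1-2 character identifiers)."""
    if not names:
        return 0.0
    short = sum(1 for n in names if len(n) <= max_len)
    return short / len(names)


def looks_obfuscated(jar_bytes, threshold=0.8):
    """Heuristic gate: True when at least `threshold` of class names are short."""
    return obfuscation_ratio(class_names(jar_bytes)) >= threshold


def build_jar(entries):
    """Constructed sample JAR with empty class bodies, used only for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()


# Constructed samples (hypothetical package names): one build that skipped the
# obfuscator, and one that went through it.
PLAIN_JAR = build_jar([
    "META-INF/MANIFEST.MF",
    "dk/bank/applet/LoginPanel.class",
    "dk/bank/applet/AccountTransfer.class",
    "dk/bank/applet/AccountTransfer$Validator.class",
    "dk/bank/applet/NativeBridge.class",
])
OBFUSCATED_JAR = build_jar([
    "META-INF/MANIFEST.MF",
    "a/a.class", "a/b.class", "a/b$a.class", "a/c.class", "a/Main.class",
])

if __name__ == "__main__":
    for label, jar in (("plain", PLAIN_JAR), ("obfuscated", OBFUSCATED_JAR)):
        print(label, round(obfuscation_ratio(class_names(jar)), 2), looks_obfuscated(jar))
```

Real obfuscators also rename methods and fields and encrypt strings, so a production gate would extend the same check to those, but even this class-name test would have failed the unobfuscated applet described above.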
There were other interesting finds in the applet:
And then there was this curious snippet of code:
public static final int RandomErrorNotEnoughRandom = 1;
While Danske has since resolved many of the most serious issues, it's still dealing with the fallout. Though the bank has vowed to waive fees through September 2008 and has offered to pay for any financial damages that occurred as a result of its system outages, an estimated 20,000 customers have switched banks.
But the good news is it made the Easter deadline.
with enough resources, it could have been built in a day!
I've always thought that Danske Bank would be a great place for developers that care about quality and such stuff ... now I'm not so sure ...
However, the article explains this job ad for Danske Bank: http://www.danskebank.com/da-dk/Job/soeg-job/ledige-job/it/Pages/JOB391974364583333299386890.aspx I know, it's in Danish, and only a very select few can read that, but the gist of it is that they are looking for developers that have an education in computer science, engineering or something like that, or may have several years' experience in developing large administrative systems. There are NO requirements for technology experience, no mention of platform (mainframe, Java, VB??), nothing ...
There were several other WTFs with the system as well. Like several XSS holes due to extensievelink/3gmobilban use of JavaScript and document.write(). Also, their communication director kept saying "It's not a hole before we have confirmed it's a hole" in public when the XSS holes were being released and only accepting that they "might" have been holes when finally fixed.
Ironically, the best web interface they have is the mobile interface that remains unchanged :) ( http://mobiili.sampopankki.fi/ ) Oh yeah, and they are running SharePoint somewhere in their site...
Addendum (2008-08-05 11:09): So I managed to somehow add "link/3gmobilban" (/link/3gmobilbank is the last part of the URL to the mobile interface) after extensieve, you can ignore it :)
About a year ago my previous company had (probably still has) Danske Bank as a client, and would send them automated emails containing embedded images.
* Did the Danske Bank employees see the images we sent them? No: it turned out that their email software (IBM Lotus) didn't support this advanced technology.
* Is it implemented in current versions of Lotus? Yes.
* How old is Danske Bank's version of Lotus? 3-4 years past the official end-of-life statement from IBM.
* How was the matter resolved? I was tasked to send images as file attachments, of course :)