Over the course of 100-plus years, Sampo Bank had grown into one of the largest banks in Finland. Since its founding in 1887, Sampo stayed ahead of the technology curve, introducing the first modern payment system -- the postal giro -- in 1939, becoming Finland's first adopter of IBM's "electronic brain" in 1958, and amassing nearly one million users of its online banking service by 2006.

But alas, in today's acquire-or-be-acquired world, Sampo was swallowed up by Danish giant Danske Bank. On Nov. 9, 2006, Danske announced not only the acquisition, but that it would integrate all IT platforms -- online banking, merchant processing, account management and so on -- in 1 year, 4 months and 15 days, by Easter weekend of 2008. And come hell or high water, they would meet that date.

As Easter grew closer, the integration problems grew worse. Instead of extending its own deadline, Danske opted to expand its integration project team to a whopping 2,500 employees and the budget to more than $300 million. The longer and harder developers worked on the systems, the sooner they transferred their personal savings accounts to other banks. Despite all the issues, Danske pushed forward with its Easter integration plan. Not surprisingly, after that fateful switchover in March 2008, things didn't go over so well.

Money Troubles

When the new system went live, many Sampo customers couldn't help but notice. Standing in line at retailers across Europe, they watched clerks swipe their Sampo cards over and over, only to get an "Authorization Denied" message every time.

Not to worry, embarrassed shoppers naively thought, the ATM is right around the corner -- but Sampo ATMs weren't quite working, either. As for the branches, not only were there hour-long lines, but the teller computer systems had issues as well: incorrect account balances, wrongly applied transactions and unavailable accounts, to name a few -- exactly the type of things that could send someone over the edge. One disgruntled customer took an axe to a wooden desk at a Sampo branch after learning his account was supposedly empty.

Don't Even Bother Logging In

As bad as Danske's retail problems were, its new online banking system fared much worse. While Sampo's former e-banking site was user-friendly, secure and accessible in most browsers and mobile phones, Danske's was none of the above.

Within hours of use, the entire online banking system collapsed under a normal, Monday-morning workload. This meant that Sampo's tech-savvy customers couldn't transfer money, pay bills or issue debits. While that isn't a mission-critical issue for the average personal banker, some of Sampo's business customers -- such as Nokia -- weren't too pleased.

When persistent users managed to access the site during its sporadic uptime, they immediately noticed that it was only accessible in Windows using Internet Explorer. And to make matters worse, they'd have to download a fairly large Java applet to perform their banking tasks. To make matters even worse, the Java applet was disastrously developed.

The Disassembly

Because Java code can so easily be decompiled, many developers choose to use an obfuscator to make reverse-engineering compiled Java virtually impossible. While the Danske developers actually did include an obfuscator in the applet, they apparently forgot to use it. This oversight allowed anyone with the freely available Java SDK to see the code behind their "secure" applet.

The most obvious oddity in the Danske applet was that it made extensive use of platform-specific native DLLs -- that is, non-Java code -- for no apparent reason, thereby effectively undoing the platform independence of the Java applet.

There were other interesting finds in the applet:

  • the users' computers' hardware and drives were scanned and a profile sent to the bank
  • a root certificate was an embedded resource, yet was encoded in Base64
  • the same Base64-encoded certificate was encoded a second time in Base64
  • and so many more

And then there was this curious snippet of code:

public static final int RandomErrorNotEnoughRandom = 1;

Happy Easter

While Danske has since resolved many of the most serious issues, it's still dealing with the fallout. Though the bank has vowed to waive fees through September 2008 and has offered to pay for any financial damages that occurred as a result of its system outages, an estimated 20,000 customers have switched banks.

But the good news is it made the Easter deadline.