Half Credit

  • Lily Sloan 2014-06-03 06:17
    Money? In the 24th century? WTF.
  • Sheldon Cooper 2014-06-03 06:28
    rist
  • da Doctah 2014-06-03 06:29
    In the long run, his simple heuristic would almost certainly fail to categorize transactinos correctly, but Adam wasn’t concerned with the “long run”.

    Transactinos.

    I like it.

    An uncharged, massless particle, almost impossible to detect.
  • Habib 2014-06-03 06:29
    The problems will increase after offshoring! We will make sure of it! The rich infidels will pay!
  • Mariachi 2014-06-03 06:38
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.
  • Don 2014-06-03 06:40
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.

    This all day long... easiest, most meaningful solution.
  • Who 2014-06-03 06:43
    Doctah:
    Transactinos.

    An uncharged, massless particle, almost impossible to detect.


    ...and all traces of its existence vanish if it causes an inconsistency with the rest of the universe. Kind of like some theories about the grandfather paradox.
  • Steve 2014-06-03 06:49
    Hello, bank? Those cards weren't really stolen, the reports were fraudulent. Yes, that's right, it was Adam. Such a shame, he was a subordinate of mine before he turned to evil.
  • Miriam 2014-06-03 06:50
    Does this artcle contain more typos or more bad Star Trek puns?
    I lost count on both.
  • Lawrence 2014-06-03 06:51
    That’s impossible.

    Yeah, right.
    There should never be any repeats in the suffix.

    Hmmm. And maybe there are more than 10000 cards in circulation, too.
  • np 2014-06-03 06:54
    Don:
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.

    This all day long... easiest, most meaningful solution.


    Glad to know that more than 1 person thought of a non-software method of solving this problem.
    Especially since the bank said it was "impossible" that the company have multiple cards with the same suffix.
    Least frequently used duplicate-suffix card is "stolen/lost" until there are no duplicate-suffix cards.

    And make that 4-digit suffix the primary key for the pcard table so that new duplicate cards can't even get entered.

    Bug fixed.
  • Jibble 2014-06-03 06:54
    Don:
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.

    This all day long... easiest, most meaningful solution.

    That was my first thought, too.

    Except it was more along the lines of "keep ordering new/secondary cards for the all the affected PHBs until they get one with a unique number".
  • beginner_ 2014-06-03 06:56
    The real WTF is obviously Adam. If you can't explain to your boss why it doesn't work, you're either dumb or should quit.
  • CigarDoug 2014-06-03 06:57
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.

    Beat me to it. So why is it, that casual readers of a web site can see a solution to the problem, and the people paid to solve the problem can't?

    I would also think there is a contract violation with the bank, if they insist the suffixes do NOT repeat. So, what do companies with more than 10,000 cards issued do?
  • lurker 2014-06-03 07:05
    da Doctah:
    In the long run, his simple heuristic would almost certainly fail to categorize transactinos correctly, but Adam wasn’t concerned with the “long run”.

    Transactinos.

    I like it.

    An uncharged, massless particle, almost impossible to detect.

    Just be careful they don't start mutating
  • Dan 2014-06-03 07:10
    "If one and only one card had previous transactions with this vendor, assign the transaction to that card."

    How do you do this if you dont know what card did what?
  • ¯\(°_o)/¯ I DUNNO LOL 2014-06-03 07:10
    I once worked at a place that had a custom message format for an embedded system. It used 0xFF to mark the start of fields in IPC messages, so 0xFF was not allowed in field data, because then you couldn't find the next field. (The protocol normally passed numbers as BCD.)

    They also had a PoS system, with multiple DOS-based terminals (this was back in the '90s) connected via Ethernet. There was a message defined to announce the Ethernet address of the PoS system computers, and the last field in the message was the MAC address.

    Except MAC addresses are binary, and may contain an 0xFF. But this was always the last field, always a specific message type, always a specific field ID, and only passed between the PCs, not the embedded system. They could have made it a special case.

    Nope. What they did was every time they got a new Ethernet card, they checked its MAC address. If it contained an 0xFF, they threw it in the trash. I left before Ethernet ports started becoming standard on PC motherboards.
  • ratchet freak 2014-06-03 07:15
    birthday paradox says you only need 118 to have a more than 50% chance to get a dupe
  • Matt Westwood 2014-06-03 07:19
    TRWTF is storing all this dangerously sensitive and confidential data in plaintext in a database file, yeah?
  • ¯\(°_o)/¯ I DUNNO LOL 2014-06-03 07:19
    CigarDoug:
    I would also think there is a contract violation with the bank, if they insist the suffixes do NOT repeat. So, what do companies with more than 10,000 cards issued do?
    The last digit is a check digit, based on the other 15 digits. You have to mess with the other 12 (and four of those are usually fixed) to get all 10,000 combinations. They are not guaranteed to be sequential.

    Also, if you just start dumping and re-issuing numbers to find one that isn't used, instead of intentionally constructing a number, it's going to get harder and harder as you start to fill up your 10,000 number space.
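The comment above says the last digit is a check digit computed from the other fifteen, so the 4-digit suffix is not freely choosable. The following added example (mine, not code from the article or the commenters) implements the Luhn check digit, which is the standard check digit for payment card numbers, and counts how many distinct suffixes are reachable: with twelve leading digits fixed only 1,000 of the 10,000 suffixes can occur, and you have to let one more digit vary before all 10,000 are reachable. The card numbers are constructed test values, not real accounts.

```python
"""Luhn check digit and how it constrains the 4-digit card suffix.

Added example; the PAN prefixes below are constructed, not real issuer ranges.
"""


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for `payload` (the PAN without its last digit).

    Walking from the right, every other digit starting with the rightmost
    payload digit is doubled, digits above 9 have 9 subtracted, and the check
    digit brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the last digit of `pan` is the Luhn check digit of the rest."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def reachable_suffixes(fixed_prefix: str, free_digits: int) -> set:
    """Enumerate every PAN of the form prefix + free digits + check digit and
    collect the distinct last-4-digit suffixes that can actually be issued."""
    suffixes = set()
    for n in range(10 ** free_digits):
        payload = fixed_prefix + str(n).zfill(free_digits)
        pan = payload + luhn_check_digit(payload)
        suffixes.add(pan[-4:])
    return suffixes


if __name__ == "__main__":
    # Constructed 16-digit layouts: 12 fixed + 3 free + check, then 11 fixed + 4 free + check.
    print(len(reachable_suffixes("4" * 12, 3)))   # 1000: check digit is forced by the 3 free digits
    print(len(reachable_suffixes("4" * 11, 4)))   # 10000: one more free digit reaches every suffix
```

The point for the story: the bank's "suffixes never repeat" promise is a statement about how it allocates account numbers, not something the check digit can guarantee, and any allocation scheme has at most 10,000 suffixes to hand out per customer before it must repeat.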
  • ¯\(°_o)/¯ I DUNNO LOL 2014-06-03 07:23
    ¯\(°_o)/¯ I DUNNO LOL:
    Except MAC addresses are binary, and may contain an 0xFF. But this was always the last field, always a specific message type, always a specific field ID, and only passed between the PCs, not the embedded system. They could have made it a special case.
    FWIW, they could have also passed it as hex ASCII, but they still decided that throwing away $40 Ethernet cards was the right solution.
  • jarfil 2014-06-03 07:32
    "Fix the bug!", they told me. So I grabbed a gun, and went to see the bank manager.
  • MP 2014-06-03 07:36
    ratchet freak:
    birthday paradox says you only need 118 to have a more than 50% chance to get a dupe


    If my math is correct, you should be able to do it with only 101:

    ((101 * 100) / 2) / 10000 = 0.505

    Incidentally, with 118, I got this;

    ((118 * 117) / 2) / 10000 ~= 0.69

    Now wondering whether this was a very clever and subtle 69 joke...
  • skotl 2014-06-03 07:39
    Hey! I love this new commenting platform! Can we move the old Discourse comments over here?
  • faoileag 2014-06-03 07:52
    Nice one, this WTF. Reminds me of a credit card WTF I came across some 15 years back:

    I got a new credit card, this time from bank X.

    Next day at work: "Got a fresh new card from bank X." "Oh, so did I, just this month!"

    Since we were working on an online payment module at the time, we decided to compare our card's numbers.

    Surprise: both cards were identical save the last two digits. Last digit is the check number and for the previous to last, I had a 3 and he had a 2 (he had received his card a day or two earlier than me).

    Those days online payments did not involve the suffix number and I was very tempted to see if .....4right_checknumber had been issued as well.

    But I didn't do it.
  • mister stick 2014-06-03 07:53
    skotl:
    Hey! I love this new commenting platform! Can we move the old Discourse comments over here?


    discourse:
    Unfortunately, your browser is too old to work on this Discourse forum. Please upgrade your browser.


    thedailywtf:
    ha-ha!
  • faoileag 2014-06-03 07:53
    skotl:
    Hey! I love this new commenting platform! Can we move the old Discourse comments over here?

    +1. Or, since you mention Discourse: <3
  • Miriam 2014-06-03 07:58
    faoileag:
    skotl:
    Hey! I love this new commenting platform! Can we move the old Discourse comments over here?

    +1. Or, since you mention Discourse: <3

    You surely mean ♥?
  • Miriam 2014-06-03 08:01
    They just ... changed the link to point to Discourse?!

    This is really turning into Worse Than Failure 2.0 ...
  • clydesdale 2014-06-03 08:07
    Jibble:
    Don:
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.

    This all day long... easiest, most meaningful solution.

    That was my first thought, too.

    Except it was more along the lines of "keep ordering new/secondary cards for the all the affected PHBs until they get one with a unique number".

    Mine too. except it was more along the lines of "keep ordering new/secondary cards until you've got at least 10,000 of them and they are all duplicates. Solves nothing, but it's more fun.
  • balazs 2014-06-03 08:16
    ¯\(°_o)/¯ I DUNNO LOL:
    I once worked at a place that had a custom message format for an embedded system. It used 0xFF to mark the start of fields in IPC messages, so 0xFF was not allowed in field data, because then you couldn't find the next field. (The protocol normally passed numbers as BCD.)


    Once I saw an application that was sending out large messages via MQ. It had been decided that those messages must be cut into multiple parts of 32000 characters. They also invented a brilliant solution to mark the last message by appending the character sequence "END" to it.
    It all worked "fine" until one of the records in one of these messages contained a partner company's name of "VENDING MACHINES Co." or "HAPPY-END Co." or something like that, and that message got cut right after the "END" sequence, like "VEND" + "ING MACHINES". The rest of the story is up to your imagination. (Got fixed, nothing interesting.)
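Both the 0xFF field marker that could not survive a MAC address (¯\(°_o)/¯ I DUNNO LOL's comment above) and the "END" trailer that fired on "VENDING" (balazs's comment) are the same bug: an in-band marker that the payload is allowed to contain. The following added example (mine, not code from either commenter's employer) reproduces both failures on constructed messages and shows the usual fix, which is to send explicit lengths and part counts instead of markers. Field lengths are 16-bit here purely for the demonstration.

```python
"""In-band markers versus explicit lengths.

Added example. Messages, the MAC address and the company name are constructed.
"""
import struct

FIELD_MARK = b"\xff"


# --- naive framing as described in the thread ---------------------------------

def encode_sentinel(fields):
    """Every field is introduced by 0xFF; nothing escapes 0xFF inside the data."""
    return b"".join(FIELD_MARK + f for f in fields)


def decode_sentinel(msg):
    """Split on the marker, dropping the (empty) text before the first one."""
    return msg.split(FIELD_MARK)[1:]


def chunk_with_end_marker(payload, size):
    """Cut payload into `size`-character parts and append END to the last part."""
    parts = [payload[i:i + size] for i in range(0, len(payload), size)]
    parts[-1] += "END"
    return parts


def reassemble_by_end_marker(parts):
    """Consume parts until one ends with END; returns (text, parts consumed)."""
    out = ""
    for n, p in enumerate(parts, 1):
        if p.endswith("END"):
            return out + p[:-3], n
        out += p
    raise ValueError("no terminator seen")


# --- explicit lengths: the payload can contain anything -----------------------

def encode_length_prefixed(fields):
    """Each field: 2-byte big-endian length followed by the raw bytes."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def decode_length_prefixed(msg):
    fields, pos = [], 0
    while pos < len(msg):
        (n,) = struct.unpack_from(">H", msg, pos)
        pos += 2
        if pos + n > len(msg):
            raise ValueError("truncated field")
        fields.append(msg[pos:pos + n])
        pos += n
    return fields


def chunk_with_counts(payload, size):
    """Each part carries an 'i/n|' header so the receiver knows when it is done."""
    parts = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [f"{i}/{len(parts)}|{p}" for i, p in enumerate(parts, 1)]


def reassemble_by_counts(parts):
    """Read the part count from the first header, then take exactly that many."""
    header, _, _ = parts[0].partition("|")
    total = int(header.split("/")[1])
    out = ""
    for i, p in enumerate(parts[:total], 1):
        header, _, body = p.partition("|")   # only the first '|' is the separator
        if header != f"{i}/{total}":
            raise ValueError(f"unexpected part {header}")
        out += body
    return out, total


if __name__ == "__main__":
    mac = b"\x00\x1b\xff\x44\x55\x66"           # constructed MAC containing 0xFF
    print(decode_sentinel(encode_sentinel([b"\x12\x34", mac])))          # 3 fields, not 2
    print(decode_length_prefixed(encode_length_prefixed([b"\x12\x34", mac])))
    name = "ACME VENDING MACHINES Co."          # constructed; size 9 cuts after "VEND"
    print(reassemble_by_end_marker(chunk_with_end_marker(name, 9)))      # truncated
    print(reassemble_by_counts(chunk_with_counts(name, 9)))              # intact
```

The alternative the commenter mentions, hex-ASCII encoding of the one binary field, also works because it removes 0xFF from the data; length prefixes remove the assumption for every field at once.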
  • Anonymous Will 2014-06-03 08:17
    MP:
    ratchet freak:
    birthday paradox says you only need 118 to have a more than 50% chance to get a dupe


    If my math is correct, you should be able to do it with only 101:

    ((101 * 100) / 2) / 10000 = 0.505

    Incidentally, with 118, I got this;

    ((118 * 117) / 2) / 10000 ~= 0.69

    Now wondering whether this was a very clever and subtle 69 joke...


    This is not how the probability is calculated: given a collision probability p and a sample space d, the number n of samples that has a collision with probability p is approached by

    sqrt(2*d*ln(1/(1-p)))

    For d = 10,000 (4 digits) and p = 0.5, that's ~= 117.74. So, you need 118 samples to have better than even odds.
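The exchange above uses two different figures: the n(n-1)/2 / d quantity is the expected number of colliding pairs (a union bound, which is why it exceeds 1 for large n), while sqrt(2 d ln(1/(1-p))) is the usual birthday approximation. The following added example (mine, not from the thread) computes the exact probability of at least one repeated suffix among n cards drawn from d = 10,000 values, alongside both figures. The exact product shows the crossover one card later than the rounded approximation: 118 cards give a collision probability just under one half, 119 just over.

```python
"""Birthday-problem numbers for a 4-digit card suffix (d = 10,000).

Added example; d and n are the thread's figures, nothing here is bank data.
"""
import math


def exact_collision_probability(n: int, d: int = 10_000) -> float:
    """P(at least one repeated value among n draws, uniform over d values).

    P(no collision) = prod_{k=0}^{n-1} (d - k) / d, computed as a running product.
    """
    if n > d:
        return 1.0                       # pigeonhole: a repeat is certain
    p_no_collision = 1.0
    for k in range(n):
        p_no_collision *= (d - k) / d
    return 1.0 - p_no_collision


def samples_for_probability(p: float, d: int = 10_000) -> float:
    """The approximation quoted in the thread: n ~ sqrt(2 d ln(1/(1-p)))."""
    return math.sqrt(2 * d * math.log(1 / (1 - p)))


def smallest_n_exceeding(p: float, d: int = 10_000) -> int:
    """Smallest n whose exact collision probability is strictly above p."""
    n = 1
    while exact_collision_probability(n, d) <= p:
        n += 1
    return n


def pairwise_bound(n: int, d: int = 10_000) -> float:
    """Expected number of colliding pairs, n(n-1)/2 * 1/d. An upper bound on the
    collision probability, not the probability itself (it passes 1 at n = 142)."""
    return n * (n - 1) / 2 / d


if __name__ == "__main__":
    for n in (50, 101, 118, 119, 200):
        print(n, round(exact_collision_probability(n), 4), round(pairwise_bound(n), 4))
    print("approx n for p=0.5:", round(samples_for_probability(0.5), 2))
    print("exact n for p>0.5:", smallest_n_exceeding(0.5))
```

For a company with a few hundred purchasing cards a shared suffix is therefore the expected case, not a freak event, regardless of what the bank's representative was told.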
  • Miriam 2014-06-03 08:21
    Oh look, cross-software quoting, manually done!
    faoileag:
    FroshKiller :
    This is more like it. Clear, well written, with a sense of resolution.
    You mean the article, don't you?

    I don't think so. Surely he praised Paula Bean's brillant frist post!
  • faoileag 2014-06-03 08:22
    Miriam:
    They just ... changed the link to point to Discourse?!

    This is really turning into Worse Than Failure 2.0 ...

    Yes, that came as a very nasty surprise as well. Luckily, the two systems seems to exist happily right next to each other, so we can spread the word.

    And BTW: yes, I meant ♥ :-)
  • faoileag 2014-06-03 08:23
    Miriam:
    Oh look, cross-software quoting, manually done!
    faoileag:
    FroshKiller :
    This is more like it. Clear, well written, with a sense of resolution.
    You mean the article, don't you?

    I don't think so. Surely he praised Paula Bean's brillant frist post!

    LOL! :-)
  • Bruce W 2014-06-03 08:37
    All those full card numbers are making my PCI compliance brain cells cry.
  • Neil 2014-06-03 08:56
    Of course suffixes don't repeat, just like SIM and IMEI numbers don't repeat.

    (I had to write a database to track SIM cards being put into mobile phones. This was basically a table of unique SIM and IMEI numbers linked to a batch table. Naturally the complaints started rolling in, and I could say "Run the report to find out which batch it thinks the IMEI is in", and sure enough they would find a phone with the same IMEI barcode. What I don't know is whether the duplicate IMEI was erroneously issued or whether it was some barcoding issue.)
  • lurker 2014-06-03 09:25
    Oh god, I just came back to look at comments and it had changed to that bloody awful Discourse system.

    So glad there is a way to find the real comments here rather than deal with that steaming pile of dog poo.
  • faoileag 2014-06-03 09:30
    lurker:
    Oh god, I just came back to look at comments and it had changed to that bloody awful Discourse system.

    So glad there is a way to find the real comments here rather than deal with that steaming pile of dog poo.

    I just pointed out on the Discourse counterpart, that on CS the article is discussed, while on Discourse Discourse is trashed. Could you please stick to that convention? ;-)
  • your browser is too old 2014-06-03 09:31
    That's why, when I see a natural PK being used for storing some non-trivial amount of data (i.e., not a constants dictionary), my fingers twitch and reach for the developer's throat. Sometimes a simple explanation just doesn't work.
  • Anon 2014-06-03 09:35
    I'm really loving the meta WTF that Alex is pulling with Discourse. It's a great bit of performance art.

    Or is it an early (or late) April fools day joke?

    Who can tell.
  • D-Coder 2014-06-03 09:54
    da Doctah:
    In the long run, his simple heuristic would almost certainly fail to categorize transactinos correctly, but Adam wasn’t concerned with the “long run”.

    Transactinos.

    I like it.

    An uncharged, massless particle, almost impossible to detect.
    I think the whole point of a transactino is that it does have a charge.
  • faoileag 2014-06-03 09:57
    For those of you who read the comments after approx. 10 EDT:

    The comment system for today's article started out with CS (this system), then was changed to Discourse after an hour or so.

    That however turned out to have been accidental and Alex changed the link in the article back to point to CS again.
  • anonymous 2014-06-03 10:04
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.

    QFT.

    As soon as the bank said "but __ should not occur" your immediate reaction should be to pin the blame on them. "But __ DID occur, and it's your fault, so fix it." Do NOT start brainstorming ideas on how they can implement a workaround! That is THEIR problem.

    Meanwhile, tell your boss that the bank is sending you incorrect transaction information (which is true) and there's not a damn thing you can do until they fix their problem (which is mostly true).
  • Blah 2014-06-03 10:08
    beginner_:
    The real WTF is obviously Adam. If you can't explain to your boss why it doesn't work, you're either dumb or should quit.


    What a blissful utopia you must work in.
  • Jake 2014-06-03 10:20
    But boss, I checked with the bank and they said there is no problem, so there's no problem.

    Done.

    You're welcome.
  • Taemyr 2014-06-03 10:21
    anonymous at 2014-06-03 10:04:
    Meanwhile, tell your boss that the bank is sending you incorrect transaction information (which is true)


    This is not true. The bank is sending incomplete transaction information. Incomplete is distinct from incorrect transaction information. - Further the bank's information is presumably in accordance with the specification.
  • Matt Westwood 2014-06-03 10:34
    Blah:
    beginner_:
    The real WTF is obviously Adam. If you can't explain to your boss why it doesn't work, you're either dumb or should quit.


    What a blissful utopia you must work in.


    As in: we are sufficiently competent that we are in demand, and can easily change jobs if the one we are currently in compromises our sense of aesthetics.
  • RichP 2014-06-03 10:36
    balazs:

    Once I saw an application that was sending out large messages via MQ. It had been decided that those messages must be cut into multiple parts of 32000 characters. They also invented a brilliant solution to mark the last message by appending the character sequence "END" to it.
    It all worked "fine" until one of the records in one of these messages contained a partner company's name of "VENDING MACHINES Co." or "HAPPY-END Co." or something like that, and that message got cut right after the "END" sequence, like "VEND" + "ING MACHINES". The rest of the story is up to your imagination. (Got fixed, nothing interesting.)


    Hanzo crept through the darkened hallways of WTFU. Somewhere lurking in the shadows was a dark presence, a force that was slashing MQ messages into bits like a fine katana bites through a melon. Hanzo knew that his quest was dangerous, and had driven his predecessor to madness deeper than that of Lorne Kates trapped in a Discourse forum. Hanzo would have to rely on all of his Ninja training, all the secrets he learned in pubs across Spain, and all of his experience watching The Ring over and over again. Little did he know that the quest would delve into his worst mixed metaphors and tangled quasi martial arts imagery.

    To be continued for some inexplicable reason...
  • Blah 2014-06-03 10:38
    Taemyr:
    anonymous at 2014-06-03 10:04:
    Meanwhile, tell your boss that the bank is sending you incorrect transaction information (which is true)


    This is not true. The bank is sending incomplete transaction information. Incomplete is distinct from incorrect transaction information. - Further the bank's information is presumably in accordance with the specification.


    Depending on where you work, I suppose, it could also be in accordance with the law. I've run into that before where if you are going to put the info in any format where it could be read by any unauthorized person that the suffix was ALL that could be sent or shown of the card number. That may have been the case here. Adam's company could have gotten perfect statements directly from the bank like a regular customer but since this transaction info was being transferred as plain text, only the last 4 digits could be legally sent.
  • anonymous 2014-06-03 10:41
    Also, I'm a little bit curious how he figured out which card had the most transactions in a month, when the 4-digit code used to tell which card made a transaction is the same for both cards. It sounds like all the transactions would just end up in one card or the other.

    And before you say "but there was all the data from past months, and if someone used their card for a vendor his hack would assign future business to that same card", let me remind you that the data from past months is all garbage for the two cards with duplicate IDs. Nobody had noticed the issue until some VP used his card and checked his transaction record to make sure that it showed up, and realised that there were a bunch of transactions he didn't make.
  • anonymous 2014-06-03 10:47
    Taemyr:
    anonymous at 2014-06-03 10:04:
    Meanwhile, tell your boss that the bank is sending you incorrect transaction information (which is true)


    This is not true. The bank is sending incomplete transaction information. Incomplete is distinct from incorrect transaction information. - Further the bank's information is presumably in accordance with the specification.


    The structure of the data is incorrect because it allows a many-to-many relation between the cards and their transactions, when it should be a one-to-many relation. Each card can make many transactions but if a transaction can map to multiple cards, the data structure is incorrect and it's a data integrity issue.

    Sending you the wrong data is just as wrong as sending you wrong data. Possibly worse, because the flat file parsed correctly, but since there wasn't any check of the data integrity the duplicate IDs didn't trigger any red flags until someone noticed that transactions are being associated with the wrong cards.
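The comment above puts its finger on the missing piece: the flat file parsed, so nothing ever checked that a suffix mapped to exactly one card. The following added example (mine, not the article's importer) models that check on constructed card records and statement lines: it reports suffixes shared by more than one active card, and it quarantines any transaction whose suffix is ambiguous or unknown instead of attributing it by guesswork. Cancelled cards are excluded from the collision set, which is the point Maple Leaf WTF raises later about lost or expired cards.

```python
"""Refuse to guess: integrity checks for a suffix-keyed card import.

Added example. CARDS and STATEMENT are constructed test data.
"""
from collections import defaultdict

# Constructed card table: (suffix, holder, status). Two active cards share "4242";
# "9313" is shared only with a cancelled card, so it is no longer ambiguous.
CARDS = [
    ("4242", "alice", "active"),
    ("4242", "bob",   "active"),
    ("7001", "carol", "active"),
    ("9313", "dave",  "cancelled"),
    ("9313", "erin",  "active"),
]

# Constructed bank statement: (suffix, vendor, amount in cents). The bank sends
# only the suffix, as in the story.
STATEMENT = [
    ("7001", "Office Depot", 4999),
    ("4242", "Delta Air Lines", 53200),
    ("9313", "Starbucks", 425),
    ("1234", "Amazon", 1999),
]


def active_holders(cards):
    """Map suffix -> list of holders whose card is still active."""
    by_suffix = defaultdict(list)
    for suffix, holder, status in cards:
        if status == "active":
            by_suffix[suffix].append(holder)
    return by_suffix


def duplicate_suffixes(cards):
    """Suffixes shared by more than one active card; run this before every import
    so a newly issued colliding card is reported the day it appears."""
    return {s: h for s, h in active_holders(cards).items() if len(h) > 1}


def import_statement(cards, statement):
    """Return (assigned, quarantined).

    A line is assigned only when its suffix maps to exactly one active card.
    Ambiguous or unknown suffixes go to the quarantine list with a reason, for
    a human (or the bank) to resolve, rather than landing on whichever card a
    heuristic preferred.
    """
    holders_by_suffix = active_holders(cards)
    assigned, quarantined = [], []
    for suffix, vendor, amount in statement:
        holders = holders_by_suffix.get(suffix, [])
        if len(holders) == 1:
            assigned.append((holders[0], vendor, amount))
        elif not holders:
            quarantined.append((suffix, vendor, amount, "no active card with this suffix"))
        else:
            quarantined.append((suffix, vendor, amount, "ambiguous: " + ", ".join(holders)))
    return assigned, quarantined


if __name__ == "__main__":
    print("collisions:", duplicate_suffixes(CARDS))
    ok, held = import_statement(CARDS, STATEMENT)
    for row in ok:
        print("assigned  ", row)
    for row in held:
        print("quarantine", row)
```

Whether the suffix should also be a unique key on the card table (np's suggestion above) or kept as a plain attribute next to a surrogate key (the natural-PK objection later in the thread) is a separate choice; either way the import should fail loudly on the collision instead of silently picking a card.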
  • anonymous 2014-06-03 10:52
    Taemyr:
    The bank is sending incomplete transaction information. Incomplete is distinct from incorrect transaction information. - Further the bank's information is presumably in accordance with the specification.

    The specification was "system will not allow cards with the same last 4 digits", so THAT is the problem that the bank should be forced to fix. Whether they want to redesign their system to remove this specification (difficult) or revoke cards with the same last 4 digits for customers who have more than one card, and re-issue new ones that don't have the same last 4 digits (easy) is really their business.
  • F 2014-06-03 11:07
    beginner_:
    The real WTF is obviously Adam. If you can't explain to your boss why it doesn't work, you're either dumb or should quit.


    "Explain to boss" != "get boss to understand".

    See Dilbert.
  • phuzz 2014-06-03 11:20
    Up until a few years ago (about 2010) the company I used to work at had a credit card processing system from Comidea.
    Every morning, part of my job was to login to the payment software, and print out a list of yesterday's transactions, which would include the full CC number, and date, and the amount, which the accounts team would use for, um, something accounts-y.
    On top of the full numbers in print outs, it would process payments by sending the CC numbers over a dedicated ISDN line via FTP (not SFTP, just plain old FTP).
    I always assumed that the credit card numbers were probably stored unencrypted on the disk somewhere.
  • slavdude 2014-06-03 12:01
    Gah, I hate working on "legacy" systems like this. They aren't considered important enough to assign the proper resources, and yet the bugs are often too complicated to be solved by a simple hack or one-off solution.
  • RowanYote 2014-06-03 12:05
    I would have thought the best attack on the problem was from the other direction. Have the bank issue new cards for the handful of duplicates.
  • Steve The Cynic 2014-06-03 12:05
    jarfil:
    "Fix the bug!", they told me. So I grabbed a gun, and went to see the bank manager.

    I can lend you a GAU-8 if you need one.
  • Steve The Cynic 2014-06-03 12:15
    slavdude:
    Gah, I hate working on "legacy" systems like this. They aren't considered important enough to assign the proper resources, and yet the bugs are often too complicated to be solved by a simple hack or one-off solution.

    Scratch "often". The correct word is "usually" or maybe it might be better to say "...bugs are almost always too complicated...".

    The reason is that all the bugs that have simple fixes got fixed years ago, and the weird shit is all that's left. Because the time between significant problems is relatively long, They Who Decide long ago decided that the support crew can be small, poor sods.
  • cellocgw 2014-06-03 12:18
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.


    "No, Adam, that won't work, because it'll cause the users to do MORE data entry to set up their new cards. Just FIX THE BUG"
  • Jay 2014-06-03 12:49
    I don't know whether to smack him upside the head or buy him lunch!
  • Zylon 2014-06-03 12:56
    There were a pile of tickets...

    Remy can has English?
  • The Bytemaster 2014-06-03 13:28
    ¯\(°_o)/¯ I DUNNO LOL:
    Nope. What they did was every time they got a new Ethernet card, they checked its MAC address. If it contained an 0xFF, they threw it in the trash. I left before Ethernet ports started becoming standard on PC motherboards.

    Worked for a guy who ordered a 10 pack of Ethernet cards (10-Base-2) which all had the same MAC address. Not sure if the error was on the manufacturer's side or whether the person ordering ordered a special pack.

    In any case, he kept them. He told me "why not? They are perfectly good cards. Just don't give more than one to the same client."
  • Blah 2014-06-03 14:52
    OK, the html comments were painful, but cheers on JeanLucPCard!
  • Nagesh 2014-06-03 14:52
    I am very much doubting this story.
  • chubertdev 2014-06-03 15:05
    People that create a relational data schema without a unique identifier should be sent to Gitmo.
  • Jake 2014-06-03 15:10
    chubertdev:
    People that create a relational data schema without a unique identifier should be sent to Gitmo.
    I agree, but it's not a problem here. Our developers have never heard of relational data structures.
  • Paul Neumann 2014-06-03 15:15
    chubertdev:
    People that create a relational data schema without a unique identifier should be sent to Gitmo.
    So we can release 5 of them for every 1 who capitalizes local variable names?
  • chubertdev 2014-06-03 15:57
    Paul Neumann:
    chubertdev:
    People that create a relational data schema without a unique identifier should be sent to Gitmo.
    So we can release 5 of them for every 1 who capitalizes local variable names?


    Or 1 that uses redundant parentheses.
  • Wrexham 2014-06-03 16:32
    anonymous:
    Sending you the wrong data is just as wrong as sending you wrong data.
    Pardon?
  • TV 2014-06-03 16:38
    So... the REAL WTF today seems to be w(hy)tf didn't you submit that story :) It's funnier than everything recent.

    ¯\(°_o)/¯ I DUNNO LOL:
    I once worked at a place that had a custom message format for an embedded system. It used 0xFF to mark the start of fields in IPC messages, so 0xFF was not allowed in field data, because then you couldn't find the next field. (The protocol normally passed numbers as BCD.)

    They also had a PoS system, with multiple DOS-based terminals (this was back in the '90s) connected via Ethernet. There was a message defined to announce the Ethernet address of the PoS system computers, and the last field in the message was the MAC address.

    Except MAC addresses are binary, and may contain an 0xFF. But this was always the last field, always a specific message type, always a specific field ID, and only passed between the PCs, not the embedded system. They could have made it a special case.

    Nope. What they did was every time they got a new Ethernet card, they checked its MAC address. If it contained an 0xFF, they threw it in the trash. I left before Ethernet ports started becoming standard on PC motherboards.
  • dkf 2014-06-03 16:52
    cellocgw:
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.


    "No, Adam, that won't work, because it'll cause the users to do MORE data entry to set up their new cards. Just FIX THE BUG"
    OK, then do it the other way. Accuse some poor sod of hacking the system and revoke their card and their right to a card at the same time. Bonus if you can then get them arrested (and that reduces the amount that they need to do data entry).
  • chubertdev 2014-06-03 17:22
    dkf:
    cellocgw:
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.


    "No, Adam, that won't work, because it'll cause the users to do MORE data entry to set up their new cards. Just FIX THE BUG"
    OK, then do it the other way. Accuse some poor sod of hacking the system and revoke their card and their right to a card at the same time. Bonus if you can then get them arrested (and that reduces the amount that they need to do data entry).


    Creates a lot of data entry for HR, though.
  • Spencer 2014-06-03 20:56
    This is almost a BoFH story. It just needs the BoFH and the PFY to write a script that uses the card numbers most used for purchases to make purchases for themselves, and modify the importer to disguise the transaction as something more mundane. Or use the whole system to get the Boss (or the guy that nicked their parking spot, or the luser on the 4th floor that keeps getting viruses on his machine or making idiotic requests) either fired, arrested, or on terrorism watchlists
  • Darth Darth 2014-06-03 21:40
    That image of Picard is great. I need to send it to the next 419 scammer who asks for my bank details...
  • Cheong 2014-06-03 21:52
    ¯\(°_o)/¯ I DUNNO LOL:
    I once worked at a place that had a custom message format for an embedded system. It used 0xFF to mark the start of fields in IPC messages, so 0xFF was not allowed in field data, because then you couldn't find the next field. (The protocol normally passed numbers as BCD.)

    They also had a PoS system, with multiple DOS-based terminals (this was back in the '90s) connected via Ethernet. There was a message defined to announce the Ethernet address of the PoS system computers, and the last field in the message was the MAC address.

    Except MAC addresses are binary, and may contain an 0xFF. But this was always the last field, always a specific message type, always a specific field ID, and only passed between the PCs, not the embedded system. They could have made it a special case.

    Nope. What they did was every time they got a new Ethernet card, they checked its MAC address. If it contained an 0xFF, they threw it in the trash. I left before Ethernet ports started becoming standard on PC motherboards.

    How wasteful.

    I used to work in a computer shop about 10 years ago, and I do remember that some brands DO have a label with the MAC address printed on the box of LAN cards. They should have asked the shopkeepers to check for them.
  • Maple Leaf WTF 2014-06-03 23:15
    anonymous:
    Also, I'm a little bit curious how he figured out which card had the most transactions in a month, when the 4-digit code used to tell which card made a transaction is the same for both cards. It sounds like all the transactions would just end up in one card or the other.

    And before you say "but there was all the data from past months, and if someone used their card for a vendor his hack would assign future business to that same card", let me remind you that the data from past months is all garbage for the two cards with duplicate IDs. Nobody had noticed the issue until some VP used his card and checked his transaction record to make sure that it showed up, and realised that there were a bunch of transactions he didn't make.

    Yeah, the system could work alright for a month or two, but after a few months - say a card got lost or expired - the transactions would always flow to the older card. So he'd need to check that the duplicate card that he's going to assign the transaction to is still valid.

    Speaking of CC numbers in the clear ...

    One of the PCI regulations is that you can only use the CVV / CCV / C2V (the extra three digits) to validate the transaction and then it must be discarded. You can't use it again.

    I booked through some hotel broker website - it might have been hotels.com - and found a little hotel in an out of the way small town near Tulle. When I arrived there I noticed that my booking was a faxed sheet of paper with my CCV printed on the page along with all my credit card details. They really didn't need all of that.
  • Data 2014-06-04 00:31
    Why no puns about me? Me and my meta are what the article is all about.
  • Norman Diamond 2014-06-04 00:45
    Maple Leaf WTF:
    One of the PCI regulations is that you can only use the CVV / CCV / C2V (the extra three digits) to validate the transaction and then it must be discarded. You can't use it again.

    I booked through some hotel broker website - it might have been hotels.com - and found a little hotel in an out of the way small town near Tulle. When I arrived there I noticed that my booking was a faxed sheet of paper with my CCV printed on the page along with all my credit card details. They really didn't need all of that.
    Surely there are easier ways to transfer the CVVs to the spammers who advertise them on this site.
  • Norman Diamond 2014-06-04 00:45
    chubertdev:
    People that create a relational data schema without a unique identifier should be sent to Gitmo.
    75% of the people in Gitmo were innocent.
  • Norman Diamond 2014-06-04 00:46
    Zylon:
    There were a pile of tickets...
    Remy can has English?
    He does. American would be "There was a pile of tickets" but English is "There were a pile of tickets".
  • Norman Diamond 2014-06-04 00:46
    faoileag:
    Those days online payments did not involve the suffix number and I was very tempted to see if .....4right_checknumber had been issued as well.
    It probably had been. You would only have to guess the expiration date and the cardholder's name.
  • da Doctah 2014-06-04 03:13
    Darth Darth:
    That image of Picard is great. I need to send it to the next 419 scammer who asks for my bank details...
    Send them this one instead:
  • MrOli 2014-06-04 04:25
    There's a really, really easy way to fix this: Cancel one of the duplicate cards. The new one will arrive with a different number.
  • iMalc 2014-06-04 05:28
    Bzzzt, wrong solution!

    Right solution:
    You push back. You escalate. You explain that there is not a programmer in the world that can solve the problem because the problem is on the bank's end.
    You attend high-level teleconference meetings where often little or no progress is made, and it's more of a finger-pointing exercise.
    You ask the right provocative questions in front of many other people from both parties at such meetings. E.g. "What would they have our system do, guess which card each transaction is for, knowing full well that it will often be wrong?". Or "Does xyz bank not have more than 10000 customers... perhaps we should do business with a larger bank?".
    Sooner or later, they will get the idea and they WILL fix it.
  • ThePants999 2014-06-04 06:08
    MP:
    ratchet freak:
    birthday paradox says you only need 118 to have a more than 50% chance to get a dupe


    If my math is correct, you should be able to do it with only 101:

    ((101 * 100) / 2) / 10000 = 0.505

    Incidentally, with 118, I got this;

    ((118 * 117) / 2) / 10000 ~= 0.69

    Now wondering whether this was a very clever and subtle 69 joke...


    If your math were correct, as soon as you had 142 cards, you'd have a greater than 100% chance of duplicates.
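    An added example, not code from any commenter above, that computes the exact birthday-problem probability for a 10000-value suffix space and sets it beside the n(n-1)/2N shortcut the two posts argue about (the shortcut counts expected colliding pairs, which is why it can exceed 1); function names are assumptions for illustration.

```python
# Added example: exact collision probability for 4-digit card suffixes,
# compared with the n(n-1)/(2N) shortcut used in the thread above.
from math import exp, log


def collision_probability(cards: int, space: int = 10_000) -> float:
    """Exact probability that at least two of `cards` values drawn uniformly
    from `space` possibilities coincide (the birthday problem):
    P(no collision) = prod_{i=0}^{cards-1} (1 - i/space)."""
    if cards > space:
        return 1.0  # pigeonhole: more cards than suffixes guarantees a dupe
    log_no_collision = 0.0
    for i in range(cards):
        log_no_collision += log(1.0 - i / space)  # log space avoids underflow
    return 1.0 - exp(log_no_collision)


def pairwise_estimate(cards: int, space: int = 10_000) -> float:
    """The n(n-1)/(2N) shortcut: the expected number of colliding pairs,
    which only approximates a probability while it stays well below 1."""
    return cards * (cards - 1) / 2 / space


def cards_for_probability(target: float, space: int = 10_000) -> int:
    """Smallest number of cards whose exact collision probability exceeds
    `target`."""
    n = 1
    while collision_probability(n, space) <= target:
        n += 1
    return n


if __name__ == "__main__":
    for n in (101, 118, 142, 300):
        print(f"{n:4d} cards: exact {collision_probability(n):.4f}  "
              f"pairwise estimate {pairwise_estimate(n):.4f}")
    print("cards needed for >50% collision chance:", cards_for_probability(0.5))
```

With 142 cards the shortcut gives 1.001 while the exact probability is still well below 1, which is the flaw the reply above points out.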
  • quis 2014-06-04 07:15
    da Doctah:
    In the long run, his simple heuristic would almost certainly fail to categorize transactinos correctly, but Adam wasn’t concerned with the “long run”.

    Transactinos.

    I like it.

    An uncharged, massless particle, almost impossible to detect.


    I'd have thought that transactinos would have been atomic...
  • mark tosley 2014-06-04 07:16
    balazs:
    ¯\(°_o)/¯ I DUNNO LOL:
    I once worked at a place that had a custom message format for an embedded system. It used 0xFF to mark the start of fields in IPC messages, so 0xFF was not allowed in field data, because then you couldn't find the next field. (The protocol normally passed numbers as BCD.)


    Once I saw an application that was sending out large messages via MQ. It had been decided that those messages must be cut into multiple parts of 32000 characters. They also invented a brilliant solution to mark the last message by appending the character sequence "END" to it.
    It all worked "fine" until one of the records in one of these messages contained a partner company's name of "VENDING MACHINES Co." or "HAPPY-END Co." or something like that and also that message got cut right after the "END" sequence like "VEND" + "ING MACHINES". The rest of the story is up to your imagination. (Got fixed, nothing interesting)
    I facepalm every time I encounter some fucked-up data format that has arbitrary-length fields but no bloody escaping. Every one of those is a WTF waiting to happen. What is so goddamn hard to understand about the concept of escaping?
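    An added example, not code from any commenter or from the systems they describe, showing a 0xFF-delimited field format once without escaping (so a MAC address containing 0xFF breaks the split) and once with byte-stuffing; the escape byte and its mapping are assumptions chosen for illustration.

```python
# Added example: 0xFF-delimited fields with and without byte-stuffing.
# The escape byte and mapping are assumptions for illustration, not the
# real embedded protocol described in the thread.
DELIM = 0xFF  # field start marker, as in the protocol quoted above
ESC = 0xFE    # hypothetical escape byte used to stuff literal 0xFF / 0xFE
ESC_MAP = {DELIM: 0x01, ESC: 0x00}
UNESC_MAP = {v: k for k, v in ESC_MAP.items()}

def encode_naive(fields):
    """No escaping: each field is simply prefixed with the delimiter."""
    return b"".join(bytes([DELIM]) + f for f in fields)

def decode_naive(msg):
    """Splits on every 0xFF, so a 0xFF inside a field starts a bogus field."""
    return msg.split(bytes([DELIM]))[1:]

def encode_escaped(fields):
    """Byte-stuffs each field so the delimiter never appears in field data."""
    out = bytearray()
    for f in fields:
        out.append(DELIM)
        for b in f:
            out += bytes([ESC, ESC_MAP[b]]) if b in ESC_MAP else bytes([b])
    return bytes(out)

def decode_escaped(msg):
    """Inverse of encode_escaped; rejects a truncated or unknown escape."""
    fields, cur, i = [], None, 0
    while i < len(msg):
        b = msg[i]
        if b == DELIM:              # start of a new field
            if cur is not None:
                fields.append(bytes(cur))
            cur = bytearray()
        elif cur is None:
            raise ValueError("data before first delimiter")
        elif b == ESC:              # stuffed byte follows
            i += 1
            if i >= len(msg) or msg[i] not in UNESC_MAP:
                raise ValueError("truncated or invalid escape")
            cur.append(UNESC_MAP[msg[i]])
        else:
            cur.append(b)
        i += 1
    if cur is not None:
        fields.append(bytes(cur))
    return fields

# Constructed sample: message type, field id, then a MAC address containing 0xFF.
SAMPLE = [b"\x01", b"\x07", bytes.fromhex("00a0ffc91234")]
```

`decode_naive(encode_naive(SAMPLE))` yields four fields instead of three, while `decode_escaped(encode_escaped(SAMPLE))` returns the original list.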
  • anonymous 2014-06-04 09:50
    Wrexham:
    anonymous:
    Sending you the wrong data is just as wrong as sending you wrong data.
    Pardon?

    If I ask you for data with a unique primary key and you give me data with the last 4 digits of the card number as a non-unique key, then you're giving me correct data yet the wrong data. The information stored in that column is what it claims to be on the surface (the last 4 digits of the card) yet it is not what it needs to be for data integrity (a unique key).
  • Masaaki 2014-06-04 09:58
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.


    Which only works if less than 9999 people are issued cards.
  • anonymous 2014-06-04 10:09
    Masaaki:
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.


    Which only works if less than 9999 people are issued cards.

    No. It's like a MAC address. Duplicates are not a problem as long as the cards won't be used on the same network. If the last 4 digits are used on a customer's unified billing statement to identify which of multiple cards were used to make a transaction, then it follows that you can't give a single customer more than one card with the same last 4 digits, or they won't be able to tell them apart on their unified billing statement.
  • chubertdev 2014-06-04 13:05
    iMalc:
    Bzzzt, wrong solution!

    Right solution:
    You push back. You escalate. You explain that there is not a programmer in the world that can solve the problem because the problem is on the bank's end.
    You attend high-level teleconference meetings where often little or no progress is made, and it's more of a finger-pointing exercise.
    You ask the right provocative questions in front of many other people from both parties at such meetings. E.g. "What would they have our system do, guess which card each transaction is for, knowing full well that it will often be wrong?". Or "Does xyz bank not have more than 10000 customers... perhaps we should do business with a larger bank?".
    Sooner or later, they will get the idea and they WILL fix it.


    Wow, you're optimistic.
  • anonymous 2014-06-04 13:17
    Masaaki:
    Mariachi:
    Why not have the bank issue replacement cards for the duplicates? If they send more dupes, report them stolen or something and get more replacements. Rinse and repeat until there are no collisions.


    Which only works if less than 9999 people are issued cards.

    "10000 or fewer"

    not

    "less than 9999"
  • Bernie The Bernie 2014-06-06 09:11
    until the support for the app moved offshore

    Poor Nagesh!
  • dude 2014-06-08 07:42
    The bank staff probably knew about the issue, but fixing it would alert everyone all at once and they probably don't want to come under that level of scrutiny.

    If you don't get the support from your employer then it's likely that getting it fixed properly will be career limiting in the long run. You're fooling yourself if you think you have any career prospects with someone as clueless though.
  • Jay 2014-06-09 13:48
    Dan:
    "If one and only one card had previous transactions with this vendor, assign the transaction to that card."

    How do you do this if you don't know what card did what?


    Umm, yeah. The whole "solution" seems to fall down on this point.

    Day 1: We have only one card with suffix, say, 4242. We get a transaction from vendor A for 4242. Cool, we assign it to that card.

    Day 2: We get a second card with suffix 4242.

    Day 3: We get a transaction from vendor A for 4242. I guess it goes to the first card 4242.

    So the second card 4242 will NEVER get any transactions from vendor A.

    It's not a matter of "whoever had the most". It's a matter of "The first card with that suffix gets all transactions. Subsequent cards with the same suffix never get any transactions." (Or transactinos, as the case may be.)
  • Jay 2014-06-09 13:58
    When the bank says that no two cards have the same last four digits, but you have a data file showing multiple cards with the same last four, can't you just say to the bank, "Okay, please look up the card numbers for Bob Smith and Mary Jones. What are the last four digits of each?"

    I would think the solution to this problem is to explain the situation to someone suitably high up in the organization and get them to contact the bank and demand that they fix the problem.