Admin
Also, I'm a little bit curious how he figured out which card had the most transactions in a month, when the 4-digit code used to tell which card made a transaction is the same for both cards. It sounds like all the transactions would just end up in one card or the other.
And before you say "but there was all the data from past months, and if someone used their card for a vendor his hack would assign future business to that same card", let me remind you that the data from past months is all garbage for the two cards with duplicate IDs. Nobody had noticed the issue until some VP used his card and checked his transaction record to make sure that it showed up, and realised that there were a bunch of transactions he didn't make.
Admin
The structure of the data is incorrect because it allows a many-to-many relation between the cards and their transactions, when it should be a one-to-many relation. Each card can make many transactions but if a transaction can map to multiple cards, the data structure is incorrect and it's a data integrity issue.
Sending you the wrong data is just as wrong as sending you wrong data. Possibly worse, because the flat file parsed correctly, but since there wasn't any check of the data integrity the duplicate IDs didn't trigger any red flags until someone noticed that transactions are being associated with the wrong cards.
Admin
"Explain to boss" != "get boss to understand".
See Dilbert.
Admin
Up until a few years ago (about 2010) the company I used to work at had a credit card processing system from Comidea. Every morning, part of my job was to log in to the payment software, and print out a list of yesterday's transactions, which would include the full CC number, and date, and the amount, which the accounts team would use for, um, something accounts-y. On top of the full numbers in printouts, it would process payments by sending the CC numbers over a dedicated ISDN line via FTP (not SFTP, just plain old FTP). I always assumed that the credit card numbers were probably stored unencrypted on the disk somewhere.
Admin
Gah, I hate working on "legacy" systems like this. They aren't considered important enough to assign the proper resources, and yet the bugs are often too complicated to be solved by a simple hack or one-off solution.
Admin
I would have thought the best attack on the problem was from the other direction. Have the bank issue new cards for the handful of duplicates.
Admin
The reason is that all the bugs that have simple fixes got fixed years ago, and the weird shit is all that's left. Because the time between significant problems is relatively long, They Who Decide long ago decided that the support crew can be small, poor sods.
Admin
"No, Adam, that won't work, because it'll cause the users to do MORE data entry to set up their new cards. Just FIX THE BUG"
Admin
I don't know whether to smack him upside the head or buy him lunch!
Admin
In any case, he kept them. He told me "why not? They are perfectly good cards. Just don't give more than one to the same client."
Admin
OK, the html comments were painful, but cheers on JeanLucPCard!
Admin
I am very much doubting this story.
Admin
People that create a relational data schema without a unique identifier should be sent to Gitmo.
Admin
Or 1 that uses redundant parentheses.
Admin
So... the REAL wtf today seems to be w(hy)tf didn't you submit that story :) It's funnier than everything recent.
Admin
Creates a lot of data entry for HR, though.
Admin
This is almost a BoFH story. It just needs the BoFH and the PFY to write a script that uses the card numbers most used for purchases to make purchases for themselves, and modify the importer to disguise the transaction as something more mundane. Or use the whole system to get the Boss (or the guy that nicked their parking spot, or the luser on the 4th floor that keeps getting viruses on his machine or making idiotic requests) either fired, arrested, or on terrorism watchlists.
Admin
That image of Picard is great. I need to send it to the next 419 scammer who asks for my bank details...
Admin
I used to work in a computer shop like 10 years ago. And I do remember some brands DO have a label with the MAC address printed on the box of LAN cards. They should have asked the shopkeepers to check for them.
Admin
Speaking of CC numbers in the clear ...
One of the PCI regulations is that you can only use the CVV / CCV / C2V (the extra three digits) to validate the transaction and then it must be discarded. You can't use it again.
I booked through some hotel broker website - it might have been hotels.com - and found a little hotel in an out of the way small town near Tulle. When I arrived there I noticed that my booking was a faxed sheet of paper with my CCV printed on the page along with all my credit card details. They really didn't need all of that.
Admin
Why no puns about me? Me and my meta are what the article is all about.
Admin
There's a really, really easy way to fix this: Cancel one of the duplicate cards. The new one will arrive with a different number.
Admin
Bzzzt, wrong solution!
Right solution: You push back. You escalate. You explain that there is not a programmer in the world that can solve the problem because the problem is on the bank's end. You attend high level teleconference meetings where often little or no progress is made, and it's more of a finger-pointing exercise. You ask the right provocative questions in front of many other people from both parties at such meetings. E.g. "What would they have our system do, guess which card each transaction is for, knowing full well that it will often be wrong?". Or "Does xyz bank not have more than 10000 customers... perhaps we should do business with a larger bank?". Sooner or later, they will get the idea and they WILL fix it.
Admin
If your math were correct, as soon as you had 142 cards, you'd have a greater than 100% chance of duplicates.
Admin
I'd have thought that transactinos would have been atomic...
Admin
Which only works if less than 9999 people are issued cards.
Admin
Wow, you're optimistic.
Admin
not
"less than 9999"
Admin
The bank staff probably knew about the issue, but fixing it would alert everyone all at once and they probably don't want to come under that level of scrutiny.
If you don't get the support from your employer then it's likely that getting it fixed properly will be career limiting in the long run. You're fooling yourself if you think you have any career prospects with someone as clueless though.
Admin
Umm, yeah. The whole "solution" seems to fall down on this point.
Day 1: We have only one card with suffix, say, 4242. We get a transaction from vendor A for 4242. Cool, we assign it to that card.
Day 2: We get a second card with suffix 4242.
Day 3: We get a transaction from vendor A for 4242. I guess it goes to the first card 4242.
So the second card 4242 will NEVER get any transactions from vendor A.
It's not a matter of "whoever had the most". It's a matter of "The first card with that suffix gets all transactions. Subsequent cards with the same suffix never get any transactions." (Or transactinos, as the case may be.)
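An added illustration (not code from the article or from any commenter) of two points raised in the comments above: an importer that guesses by history starves the newer card sharing a suffix, while an importer with an integrity check quarantines ambiguous rows instead of guessing. The card records, transactions and function names are constructed for the example, and the guessing heuristic is an assumed reading of the one described.

```python
from collections import Counter, defaultdict

# Constructed sample data: cards 1 and 2 share the suffix 4242.
CARDS = [  # (card_id, holder, last4, issued_day)
    (1, "Bob Smith", "4242", 0),
    (2, "Mary Jones", "4242", 2),
    (3, "Ann Lee", "1881", 0),
]
TRANSACTIONS = [  # (day, last4, vendor, amount)
    (1, "4242", "Vendor A", 19.99),
    (3, "4242", "Vendor A", 42.00),
    (3, "4242", "Vendor C", 5.00),
    (3, "1881", "Vendor B", 7.50),
]

def candidates(cards, last4, day):
    """Cards that exist on `day` and match the 4-digit key, oldest first."""
    hits = [c for c in cards if c[2] == last4 and c[3] <= day]
    return sorted(hits, key=lambda c: c[3])

def assign_by_history(cards, transactions):
    """Guessing importer: pick the card with the most prior hits for the vendor."""
    history = Counter()            # (card_id, vendor) -> count
    assigned = defaultdict(list)   # card_id -> transactions
    for tx in sorted(transactions):
        day, last4, vendor, _ = tx
        hits = candidates(cards, last4, day)
        if not hits:
            continue
        # max() keeps the first (oldest) card on ties, so it also wins new vendors
        winner = max(hits, key=lambda c: history[(c[0], vendor)])
        history[(winner[0], vendor)] += 1
        assigned[winner[0]].append(tx)
    return dict(assigned)

def strict_import(cards, transactions):
    """Integrity-checking importer: an ambiguous key is quarantined, never guessed."""
    assigned, quarantined = defaultdict(list), []
    for tx in sorted(transactions):
        day, last4, _, _ = tx
        hits = candidates(cards, last4, day)
        if len(hits) == 1:
            assigned[hits[0][0]].append(tx)
        else:
            quarantined.append(tx)  # zero or several matching cards
    return dict(assigned), quarantined
```
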
Admin
When the bank says that no two cards have the same last four digits, but you have a data file showing multiple cards with the same last four, can't you just say to the bank, "Okay, please look up the card numbers for Bob Smith and Mary Jones. What are the last four digits of each?"
I would think the solution to this problem is to explain the situation to someone suitably high up in the organization and get them to contact the bank and demand that they fix the problem.
Admin
What's with that explanation to his boss? "Bank doesn't send us correct information so I cannot do anything" should have been the answer. After that it's the boss's problem to sort it out with the bank (aka change banks).