Admin
Really ????? Problem solution. Check version of ATM software against version of month ago. Find changes, fire programmer, fix problem re-deploy. Problem solved in 45 minutes. Maybe they need a contractor .....
Admin
The complete thought is "There's barely any identifiable information in the original article (apart from the banking group that owns the ATM), and no other widely available source of information has confirmed it, so I wonder if it's a hoax."
Note: Altavista, MSN and Yahoo have nothing about either.
Although note: Altavista and Yahoo have already indexed this WTF, while Google and MSN have not.
Admin
You can go click the link to the original story on nu.nl, read the report and note that it's coming from the ANP wire service. Now go to google and search:
http://www.google.com/search?q=ANP+geldautomaten
Admin
It's not just that nobody else talks about it on the net. It's also that Dexia is a major banking group in Belgium, and I find it strange that a major banking group can have such a hilarious and reproducible fault in its ATMs for more than a month and nobody talks about it. So, at the very least I doubt the problem is widespread.
It might well be that this problem only occurs in some newer ATM models in the Netherlands, where Dexia has less of a market share. It might also be that the original article has been poorly written, misunderstood and/or mistranslated: I don't know Dutch but I can see some meaning in the sentences, and I can't find anything about "software" in the original article.
Maybe the problem is in the hardware? Maybe a faulty keyboard? Maybe the ATMs do not crash all the time? (This would explain why it took so long to find, test, and fix.) Maybe only one or two ATMs were affected by this? (Dexia would test all of them anyway, so the reporter would not need to bother with such details.)
There's of course a problem somewhere, but maybe the problem is much less worthy of a what-the-fuck than the writeup above makes it appear to be.
Admin
I'm a Belgian, and I also have a 7 in my PIN code. I'm even a customer of Dexia bank, but I haven't had this problem. Actually, the media would love to boast about something like that, but I've heard nothing. Given the fact that this article was posted on a Dutch site (we have a love-hate relationship with the Dutch) I suppose it is either a practical joke or a hoax.
Admin
Right. HLN.be
Admin
We tend to believe that newspapers do not post hoaxes on their websites. The story of the Belgian newspaper states the same:
http://www.nieuwsblad.be/Article/Detail.aspx?ArticleID=DMF05102005_015
(please note: it is not ALL ATM machines, only private Dexia-bank self-banking machines)
Admin
For a month? And the problem wasn't detected before. I think this is the work of a disgruntled programmer:
if( cur_time >= MYSTERY_CONSTANT && strchr(password, 0x37) != NULL ) {   /* 0x37 is ASCII '7' */
    while(true)
        tmp = malloc(sizeof(long) * 0x37);   /* leak until the machine falls over */
}
Admin
Sadly, no mention of this on the Dexia (www.dexia.be) website!
Admin
I'm going to make a guess that the application is a modal Windows app running full-screen.
That they have a library that handles input.
That within that library they have events listening for various types of input (including not via the keypad, i.e. debugging tools plugged into the back of the ATM).
And that these events call a method that does mapping depending on whatever mode the software is in (enter PIN is one mode, type amount is another mode, etc).
These are then passed to other methods to dynamically work out which action needs calling.
And I bet that somewhere in there, for the mode that it is in, and the input validation check that gets fired because of the mode... it tries to dynamically call a method that doesn't exist... and that is why it crashes.
Admin
I agree that this is almost certainly completely made up. And I can back up that judgement: I worked with ATM software in the past, and the ATM software actually never even gets to see the PIN at all! The PIN entry pad is bundled with encryption hardware, and the software just gets notified when the PIN is entered, assembles the message, sends it to the hardware where it will be encrypted together with the PIN, and the result is then sent to the bank server.
So if this problem existed, it would lie in the encryptor hardware or firmware, which is never changed without very thorough testing.
Admin
No no no, it's not the nationwide Banksys ATM system that is reportedly broken, it's the private self-banking equipment of Dexia.
I worked for a large bank in Belgium in the past and I have no doubt this story is true... Hoax my ass.
IMHO, the IT systems of some banks are WTFs all by themselves.
What I think happened is that they have some self made half-baked hashing algorithm where the pin-code is hashed together with the time/date, encrypted and verified with the same on the other side.
Admin
This would be the root cause of the problem I guess:P
Admin
There are only 10k of them. If you take about 3.6 seconds per combination you can be done in two working days.
Admin
Oh, but it's deeper than that. It contains 7 different digits! All sequential, EXCEPT THE 7! 1,2,3,4,5,6 and 8!
Admin
But isn't 42 six multiplied by nine? Oh, ok, no seven here.
Admin
And they are known to be spelled in strange ways, too.
Admin
I've written my share of ATM software, and at least in the US brazzy is correct. There are laws here that govern how customers enter their PINs and how these are encrypted and transmitted through the banking system. Any method that does not involve a 'black box' encryptor is a huge no-no. Once an ATM tells the OS "Hey, get a PIN now" the black box takes over the keypad and no keypresses get to the main software. If there really is an error in the encryption code, all of those encryption modules will have to be replaced. Depending on the number and where they are located, that could take a while.
Admin
Not quite the same thing, but something close to this happened to me while I was in high school working at my after-school job. It was a "catalog retail" store. Shoppers would come in and browse through the display items and write up their list. The cashier would enter the list into the computer terminal and the items would be pulled from stock in the warehouse and sent down a conveyor belt to the pick-up area. I worked in the electronics department, which, during the early eighties, as you can imagine, was usually quite busy during the Christmas holiday season.
One day during the holiday season, the "L" key on one of the two computer terminals in the department was not working. It was interesting announcing to the folks waiting in that line that they would have to move to another line if any part of their name, item list, etc. contained the letter "L" because we would not be able to process their order.
In fact (here is the kicker), since it *was* the holiday season, we deemed this broken computer terminal the "No-L" (get it? "Noel") computer.
Admin
Actually, my experience is from Germany, so I very much doubt it's any different in the Netherlands or Belgium, no matter which bank is involved.
Of course if that software were malicious, it could instead tell the hardware (I don't think the OS is involved) "Hey, get an amount now" while it displays "Please enter PIN now" on the screen, so the whole thing really only protects against accidents. That's the point, really, since someone who can manipulate the software could just make the ATM do a jackpot, which will yield a lot more money in one go than you could ever get by draining individual accounts with stolen PINs.
I actually thought up a method to do that, which I'm pretty sure would have worked and would not have been traceable back to me.
Admin
Wouldn't have affected me, therefore, don't care. :)
www.lamecode.com
Admin
Banks actually rely more on logging than true security to detect problems. Sure you can withdraw all the money in my checking account very easily. However when I start bouncing checks I have the bank check, and then I challenge that withdrawal. They go through all the logs and trace where that money went. Then it is up to the courts to figure out who committed fraud.
Logs can be faked, but this is hard because there are so many of them.
Most ATMs have video cameras, so if you claim fraud they can (until the tape is erased, I'm not sure when they do that... for that matter the camera may not work) show you a picture of you making the transaction - that solves most problems.
In the US, it is up to the banks to prove that you really made a transaction if there is a dispute. Your PIN is for the bank's protection - most thieves will not try to guess a PIN (even though there are only a trivial number of them), which means there are far fewer disputes. Courts accept the argument that a 1 in 10000 chance of guessing a PIN on the first try is not enough to say that someone didn't do it.
In Europe (I say this as if Europe is the only country with unified laws, but in fact things are not this simple) things are different: it is up to you to prove that you didn't make that transaction.
Admin
Cool, that was your 77th post
Admin
Couldn't you have used the equivalent Alt + Number combination to get the letter L?
Admin
Most computer terminals at retail stores are not running any mainstream OS that has that functionality. Siemens-Nixdorf doesn't even have a char map!
Admin
You have good reason to be worried. From someone who has worked with several financial institutions, I can tell you that a large number of them have appalling security policies. Especially the smaller credit unions.
Admin
Hmmm... might it have to do with Javascript unicode escapes, which look like \u0020?
Admin
Um, anyone think that maybe they should have those people with 7 in their PIN... CHANGE IT? Then it would be a non-issue until they got it fixed. I know it does not solve the code problem straight away... but it does solve the problem that customers are having. Just a thought.
Admin
Ah, I get it now. It's not a bug at all. A clever bank programmer (oxymoron?) is going to disable a different digit each month. He can then figure out the PIN number of any customer who makes 4 complaints.
Admin
But then there'd only be 6561 possible pin numbers! Notice how the first and last numbers add up to 7? Oh the horrors!
Admin
"We hebben een probleem met de software", erkent een Dexia-woordvoerster woensdag in krant Het Laatste Nieuws. "Binnen drie weken moet het opgelost zijn."
"We have a problem with the software", a Dexia spokeswoman acknowledged Wednesday in the newspaper The Last News. "Within three weeks it should be solved."
(I'm not anonymous, I just lost my cookie.)
Admin
The organizations that insure these financial institutions have even more reason to be worried than you.
Admin
I was referring to Spaceballs and I wasn't referring to the air shield. Please learn English and re-read what I wrote.
Thx
Admin
That still leaves 4! = 24 ways to arrange the 4 digits into a PIN.
Admin
Safest possibility for a four-digit pin is one pair of digits and two odd digits.
If the customer only makes one complaint (say on month 7) then there is one possible PIN: 7777
If the customer only makes three complaints, then there are three known numbers...
There are three possibilities for the fourth number.
There are 4!/2! ways to order these four numbers, two of which are the same...
So there are 3 * 4! / 2! = 36 possible PINs
If the customer only makes two complaints, there are two known numbers.
There are two possibilities... either he uses both numbers twice, or he uses one number three times.
If he uses one number three times, then there are two choices for which number to use three times, and 4! / 3! ways to order the numbers in the PIN... 8 possible PINs.
If he uses both numbers twice, then there are 4!/(2! * 2!) ways to order these numbers... 6 possible PINs.
So...
Four complaints: 4! = 24 PINs.
Three complaints: 3 * 4! / 2! = 36 PINs.
Two complaints: 2 * 4! / 3! + 4! / (2! * 2!) = 8 + 6 = 14 PINs.
One complaint: 1 PIN.
There are 10C4 ways that four complaints can be made.
There are 10C3 ways that three complaints can be made.
There are 10C2 ways that two complaints can be made.
There are 10C1 ways that one complaint can be made.
Total number of PINs:
10C4 * 24 + 10C3 * 36 + 10C2 * 14 + 10C1 * 1 =
210 * 24 + 120 * 36 + 45 * 14 + 10 =
5040 + 4320 + 630 + 10 =
10000 = 10 ^ 4
Admin
If he's in charge of the software that runs it, wouldn't he be even more clever to just have the PINs dumped to a file?
Admin
Here's the article from Het Laatste Nieuws the ANP talks about. I don't see the word "software" in there.
« Een groot aantal selfbanking-terminals van Dexia Bank slaat tilt wanneer klanten het cijfer 7 intoetsen bij het vormen van hun geheime code. Daardoor zijn al sinds begin september heel wat mensen genoodzaakt hun bankverrichtingen aan het loket te doen.
"We gaan op zoek naar alle automaten die wel eens blokkeren wanneer het cijfer 7 wordt ingetoetst. Binnen de drie weken moet het probleem opgelost zijn", luidt het bij Dexia. De bank raadt zijn klanten intussen aan hun geheime code te veranderen als het probleem zich blijft voordoen. »
Translation with help from the fish:
« A large number of Dexia bank "self-banking" terminals crash when customers press 7 while typing their PIN. As a result, starting early September, a lot of people have had to do their banking operations at the counter.
"We're looking for all the automats that block sometimes when the digit 7 is keyed in. The problem should be solved within three weeks," Dexia says. Meanwhile the bank suggests its customers change their secret code if the problem keeps hitting them. »
Looks like you can't fully trust the ANP news wire, which a lot of people seem to do.
Admin
LOL Maurits, you have too much time on your hands [8-|]
Admin
Sorry, guess I forgot to push the sarcasm button.
That's what QA (and development) typically say, "I can't test *every* combination". And the joke is that yes, there are only 10k of them.
Heh, the captcha is 'algebra'
Admin
The sarcasm button was removed from the forum software since it kept starting new posts instead of throwing up the sarcasm tags.
Admin
Are you suggesting ANP made up the quote with the word 'software' in it?
Admin
My guess is someone used a simple substitution cipher that maps "7" to some special character.
Admin
I propose automatically marking any comment containing "isTrue" as a troll post.
Admin
Ha! You've just given away 0.608 bits of information about your PIN. 11.095 bits more, and a hit is guaranteed using at most 3 tries.
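An added example, not code from any poster: it enumerates all 10,000 four-digit PINs to check the per-digit-set counts in Maurits' "complaints" post above (24, 36, 14 and 1, summing to 10^4) and the 0.608-bit figure in the post just before this one. It assumes only four-digit numeric PINs.

```javascript
// Binomial coefficient C(n, k), computed with exact integer steps.
function choose(n, k) {
  let r = 1;
  for (let i = 1; i <= k; i++) r = (r * (n - k + i)) / i;
  return r;
}

// Walks every PIN 0000..9999 and groups them by the number k of distinct
// digits. `total[k]` is the raw count; `perSet[k]` divides by C(10, k) to
// give the number of PINs that can be built from ONE particular set of k
// digits, which is what a customer's k complaints would pin down.
function pinCountsByDistinctDigits() {
  const total = { 1: 0, 2: 0, 3: 0, 4: 0 };
  for (let n = 0; n < 10000; n++) {
    const pin = String(n).padStart(4, "0");
    const k = new Set(pin).size;      // Set of characters = distinct digits
    total[k]++;
  }
  const perSet = {};
  for (const k of [1, 2, 3, 4]) perSet[k] = total[k] / choose(10, k);
  return { total, perSet };
}

// Information leaked by "my PIN contains no 7": the search space shrinks
// from 10^4 to 9^4, i.e. log2(10000) - log2(6561) bits are revealed.
// `stillNeeded` is how many more bits an attacker would need before a hit
// is guaranteed within `tries` attempts (log2(remaining) - log2(tries)).
function bitsRevealedByExcludingDigit(remainingSpace = 9 ** 4, tries = 3) {
  const revealed = Math.log2(10000) - Math.log2(remainingSpace);
  const stillNeeded = Math.log2(remainingSpace) - Math.log2(tries);
  return { revealed, stillNeeded };
}

// Stand-alone run: prints the table from the thread and the bit counts.
const { total, perSet } = pinCountsByDistinctDigits();
console.log("per digit set:", perSet, "totals:", total);
console.log(bitsRevealedByExcludingDigit());
```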
Admin
I was quite tempted to mark your post a troll post.
Sincerely,
Gene Wirchenko
Admin
I was quite tempted to mark your post a troll post.
Sincerely,
Richard Nixon
Admin
I was quite tempted to mark your post a troll post.
And so I did.
Sincerely,
Alexis de Torquemada
Admin
I once had a similar problem. I had written a JavaScript HTML form validator that should check for a valid date. So I used parseInt(i) to get the number of the month. This failed for August and September. Replacing parseInt(i) with parseInt(i, 10) solved the problem.
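An added example, not the poster's validator: it reproduces why a month check built on bare parseInt(i) rejected "08" and "09", and shows the radix-10 fix. Because ES5 and later engines dropped the leading-zero octal rule, the legacy behaviour is emulated explicitly in legacyParseInt (an assumption of this example, not a real API).

```javascript
// Emulates ES3-era parseInt with no radix argument: a leading "0" switched
// parsing to octal, so "08" and "09" stop at the first non-octal digit and
// return 0. Sign handling is ignored for brevity. Modern engines return 8
// and 9 here, which is why the old bug is emulated rather than relied on.
function legacyParseInt(s) {
  s = String(s).trim();
  if (/^0[xX]/.test(s)) return parseInt(s, 16);   // hex prefix: unchanged today
  if (/^0\d/.test(s)) return parseInt(s, 8);      // the legacy octal trap
  return parseInt(s, 10);
}

// The fix from the post: always pass the radix explicitly.
function safeParseInt(s) {
  return parseInt(s, 10);
}

// Month field check as the post describes it, parameterised on the parser
// so the buggy and fixed behaviour can be compared on the same inputs.
function isValidMonth(field, parse) {
  const m = parse(field);
  return Number.isInteger(m) && m >= 1 && m <= 12;
}

// Runs every zero-padded month "01".."12" through the validator and returns
// the ones it wrongly rejects.
function monthsRejectedBy(parse) {
  const rejected = [];
  for (let m = 1; m <= 12; m++) {
    const field = String(m).padStart(2, "0");
    if (!isValidMonth(field, parse)) rejected.push(field);
  }
  return rejected;
}

console.log("legacy parseInt rejects:", monthsRejectedBy(legacyParseInt)); // ["08","09"]
console.log("parseInt(s, 10) rejects:", monthsRejectedBy(safeParseInt));   // []
```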
Admin
It must have something to do with the meaning of life:
int i = 7;
Console.WriteLine((i*i)-7);
Admin
Threaten anyone today tough guy?