• vhawk (unregistered)

    Really ?????  Problem solution.  Check version of ATM software against version of month ago.  Find changes, fire programmer, fix problem re-deploy. Problem solved in 45 minutes.  Maybe they need a contractor .....

  • boa13 (unregistered) in reply to notJohnO
    Anonymous:
    That's a scary thought above, "it must be a hoax if it's not in google"...


    The complete thought is "There's barely any identifiable information in the original article (apart from the banking group that owns the ATM), and no other widely available source of information has confirmed it, so I wonder if it's a hoax."

    Note: Altavista, MSN and Yahoo have nothing about either.

    Although note: Altavista and Yahoo have already indexed this WTF, while Google and MSN have not.
  • Nand (unregistered) in reply to boa13
    Anonymous:
    Anonymous:
    That's a scary thought above, "it must be a hoax if it's not in google"...


    The complete thought is "There's barely any identifiable information in the original article (apart from the banking group that owns the ATM), and no other widely available source of information has confirmed it, so I wonder if it's a hoax."

    Note: Altavista, MSN and Yahoo have nothing about either.

    Although note: Altavista and Yahoo have already indexed this WTF, while Google and MSN have not.


    You can go click the link to the original story on nu.nl, read the report and note that it's coming from the ANP wire service. Now go to google and search:



    http://www.google.com/search?q=ANP+geldautomaten
  • boa13 (unregistered)

    It's not just that nobody else talks about it on the net. It's also that Dexia is a major banking group in Belgium, and I find it strange that a major banking group can have such an hilarious and reproductible fault in its ATMs for more than a month and nobody talks about it. So, at the very least I doubt the problem is widespread.

    It might well be that this problem only occurs in some newer ATM models in the Nederlands, where Dexia has less of a marketshare. It might also be that the original article has been poorly written, misunderstood and/or mistranslated: I don't know Dutch but I can see some meaning in the sentences, and I can't find anything about "software" in the original article.

    Maybe the problem is in the hardware? Maybe a faulty keyboard? Maybe the ATMs do not crash all the time? (This would explain why it took so long to find, test, and fix.) Maybe only one or two ATMs were affected by this? (Dexia would test all of them anyway, so the reporter would not need to bother with such details.)

    There's of course a problem somewhere, but maybe the problem is much less worthy of a what-the-fuck than the writeup above makes it appear to be.

  • Jens (unregistered)

    I'm a Belgian, and I also have a 7 in my pin code.  I'm even a customer of Dexia bank, but I haven't had this problem.  Actually, the media would love to boast about something like thta, but I've heard nothing.  Given the fact that this article was posted on a Dutch site (we have a love-hate relationship with the Dutch) I suppose it is either a practical joke or a hoax.

  • Kevin (unregistered) in reply to Jens
    Anonymous:
    Given the fact that this article was posted on a Dutch site (we have a love-hate relationship with the Dutch) I suppose it is either a practical joke or a hoax.


    Right. HLN.be
  • FlashGordon (unregistered) in reply to boa13

    We tend to believe that newspapers do not post hoaxes on their websites. The story of the Belgian newspaper states the same:
    http://www.nieuwsblad.be/Article/Detail.aspx?ArticleID=DMF05102005_015

    (please note: it is not ALL Atm machines, only private Dexia-dank Selfbanking machines)

  • (cs) in reply to Kevin

    Since one month? And the problem wasn't detected before. I think this is the work of a disgrundled programmer:

    if( cur_time >= MYSTERY_CONSTANT && strpos(0x37,password) >= 0 ) {
        while(true)
           malloc(&tmp,sizeof(long) * 0x37);
    }

  • (cs) in reply to boa13

    Anonymous:
    I wasn't able to find anything on Google, Google Groups, Google News (U.K., U.S., French editions) about Dexia and various combinations of the words "seven" "digit" "atm" "brussels" "blocks" etc., in both English and French.

    Searching for "Cijfer 7 blokkeert Belgische geldautomaten" brings plenty of hits, but it all boils down to blogs talking about blogs talking about the same very short article.
    I heard Koen Filet and Annemie Peeters mention it in "Wilde Geruchten" ("Wild Rumours") -VRT Radio 1, but I didn't really listen. That and "Het Laatste Nieuws" being a huge (twice the size) tabloid-kind of paper, ...

    Sadly, no mention of this on the Dexia (www.dexia.be) website!

  • (cs) in reply to mdecarle

    I'm going to make a guess that the application is a modal windows app full-screened.

    That they have a library that handles input.

    That within that library they have events listening for various types of input (including not via the keypad, i.e. dubugging tools into the back of the ATM).

    And that these events call a method that does mapping for depending on whatever mode the software is in (enter pin is one mode, type amount is another mode, etc).

    These are then passed to other methods to dynamically work out which action needs calling.

    And I bet, that somewhere in their, for the mode that it is in, and the input validation check that gets fired because of the mode... that it tries to dynamically call a method that doesn't exist... and that is why it crashes.

    • what do I win? *
  • (cs)

    I agree that this is almost certainly completely made up. And I can back up that judgement: I worked with ATM software in the past, and the ATM software actually never even gets to see the PIN at all! The PIN entry pad is bundled with encryption hardware, and the software just gets notified when the PIN is entered, assembles the message, sends it to the hardware where it will be encrypted together with the PIN, and the result is then sent to the bank server.

    So if this problem existed, it would lie in the encryptor hardware or firmware, which is never changed without very thorough testing.

  • (cs) in reply to brazzy
    brazzy:
    I agree that this is almost certainly completely made up. And I can back up that judgement: I worked with ATM software in the past, and the ATM software actually never even gets to see the PIN at all! The PIN entry pad is bundled with encryption hardware, and the software just gets notified when the PIN is entered, assembles the message, sends it to the hardware where it will be encrypted together with the PIN, and the result is then sent to the bank server.

    So if this problem existed, it would lie in the encryptor hardware or firmware, which is never changed without very thorough testing.


    No no no, it's not the nation wide Banksys ATM system that is reportedly broken, it's the private self-banking equipment of Dexia
    I worked for a large bank in Belgium in the past and I have no doubt this story is true...  Hoax my ass.
    IMHO, the IT systems of some banks are WTFs all by themselves.

    What I think happened is that they have some self made half-baked hashing algorithm where the pin-code is hashed together with the time/date, encrypted and verified with the same on the other side.



  • Kevin (unregistered) in reply to DavidK
    DavidK:
    I'm going to make a guess that the application is a modal windows app full-screened.

    This would be the root cause of the problem I guess:P
  • Paladin (unregistered) in reply to Anonymous coward
    Anonymous:
    What, you expect me to test EVERY possible combination of personal PIN numbers?


    There's only 10k of them. If you take about 3.6 seconds per combination you can be done in two working days.
  • Portveien 2 (unregistered) in reply to kipthegreat
    kipthegreat:
    Manni:

    Ytram:
    So the problem has been going on for one month(4 weeks) and is expected to be working again in 3 weeks.  7 weeks total that it won't be working.  Coincedence?  I DON'T THINK SO!

    *dons tin-foil hat*

    This is getting out of control Curse you JJ Abrams! Now everyone that watches "Lost" is looking for number patterns everywhere!!

    *steals Ytram's tin-foil hat*



    4 8 15 16 23 42  ----   notice that there is no 7!!

    Oh, but it's deeper than that. It contains 7 different digits! All sequential, EXCEPT THE 7! 1,2,3,4,5,6 and 8!

  • (cs) in reply to kipthegreat
    kipthegreat:

    4 8 15 16 23 42  ----   notice that there is no 7!!


    But isn't 42 six multiplied by nine? Oh, ok, no seven here.

  • (cs) in reply to llxx
    Anonymous:

    If it hadn't happened before and just started happening, maybe a virus has infected their software. Virii are known to do strange things, you know...



    And they are known to be spelled in strange ways, too.

  • (cs) in reply to Matt Casters

    Matt Casters:
    brazzy:
    I agree that this is almost certainly completely made up. And I can back up that judgement: I worked with ATM software in the past, and the ATM software actually never even gets to see the PIN at all! The PIN entry pad is bundled with encryption hardware, and the software just gets notified when the PIN is entered, assembles the message, sends it to the hardware where it will be encrypted together with the PIN, and the result is then sent to the bank server.

    So if this problem existed, it would lie in the encryptor hardware or firmware, which is never changed without very thorough testing.


    No no no, it's not the nation wide Banksys ATM system that is reportedly broken, it's the private self-banking equipment of Dexia
    I worked for a large bank in Belgium in the past and I have no doubt this story is true...  Hoax my ass.
    IMHO, the IT systems of some banks are WTFs all by themselves.

    What I think happened is that they have some self made half-baked hashing algorithm where the pin-code is hashed together with the time/date, encrypted and verified with the same on the other side.

    I written my share of ATM software, and at least in the US brazzy is correct. There are laws here that govern how customer enter their PINs and these are encrypted and transmitted through the banking system. Any method that does not involve a 'black box' encryptor is a huge no-no. Once an ATM tells the OS "Hey get a PIN now" the black box takes over the key pad and no keypresses get to the main software. If there really is an error in the encryption code, all of the those ecryption modules will have to be replaced. Depending on the number and where they are located, that could take a while.

     

  • (cs)

    Not quite the same thing, but something close to this happened to me while I was in high school working at my after school job.  It was a "catalog retail" store.  Shoppers would some in and browse through the display items and write up their list.  The cashier would enter the list into the computer terminal and the items would be pulled from stock in the warehouse and sent down a conveyor belt to the pick-up area.  I worked in the electronics department, which, during the early eighties, as you can image was usually quite busy during the Christmas holiday season. 

    One day during the holiday season, the "L" key one of the two computer terminals in the deaprtment was not working.  It was interesting announcing to the folks waiting in that line that they would have to move to another line if any part of their name, item list, etc. contained the letter "L" beacsue we would not be able to process their order.

    In fact, (here is the kicker), since it *was* the holiday season, we deemed this broken computer terminal as the "No-L" (get it?  "Noel") computer.

  • (cs) in reply to res2
    res2:

    I written my share of ATM software, and at least in the US brazzy is correct. There are laws here that govern how customer enter their PINs and these are encrypted and transmitted through the banking system. Any method that does not involve a 'black box' encryptor is a huge no-no.

     


    Actually, my experience is from Germany, so I very much doubt it's any different in the Netherlands or Belgium, no matter which bank is involved.


    res2:

    Once an ATM tells the OS "Hey get a PIN now" the black box takes over the key pad and no keypresses get to the main software.

     


    Of course if that software were malicious, it could instead tell the hardware (I don't think the OS is involved) "Hey, get an amount now" while it displays "Please enter PIN now" on the screen, so the whole thing really only protects against accidents. That's the point, really, since someone who can manipulate the software could just make the ATM do a jackpot, which will yield a lot more money in one go than you could ever get by draining individual accounts with stolen PINs.

    I actually thought up a method to do that, which I'm pretty sure would have worked and would not have been traceable back to me.

  • smelliot (unregistered)

    Wouldn't have affected me, therefore, don't care. :)


    www.lamecode.com

  • (cs) in reply to Hans
    Anonymous:
    I feel so safe with my money kept by the bank, with all that well-tested software around, there is no way there could be a security hole somewhere. Could there? (deeply worried...)


    Banks actually rely more on logging than true security to detect problems.   Sure you can withdraw all the money in my checking account very easily.  However when I start bouncing checks I have the bank check, and then I challenge that withdrawal.  They go through all the logs and trace where that money went.  Then it is up to the courts to figure out who committed fraud.

    Logs can be faked, but this is hard because there are so many of them. 

    Most ATM's have a video cameras, so if you claim fraud they can (until the tape is erased, I'm not sure when they do that...   for that matter the camera may not work) show you a picture of you making the transaction - that solves most problems.

    In the US, it is up to the banks to prove that you really made a transaction if there is a dispute.    You PIN is for the bank's protection - most thieves will not try to guess a pin (even though there are only a trivial number of them), which means there are a lot less disputes.  Courts accept the argument that a 1 in 10000 chance of guessing a pin on the first try is not enough to say that someone didn't do it.  

    In Europe (I say this as if Europe is only country with unified laws, but in fact things are not this simple) things are different, it is up to you to prove that you didn't make that transaction.


  • Nigel (unregistered) in reply to Jon Limjap

    Cool, that was your 77th post

  • (cs) in reply to sksmiths
    sksmiths:

    One day during the holiday season, the "L" key one of the two computer terminals in the deaprtment was not working. 



    Couldn't you have have the equivalent Alt + Number combination to get the letter L?
  • (cs) in reply to haveworld
    haveworld:
    sksmiths:

    One day during the holiday season, the "L" key one of the two computer terminals in the deaprtment was not working. 



    Couldn't you have have the equivalent Alt + Number combination to get the letter L?


    Most computer terminals at retail stores are not running any mainstream OS that has that functionality.  Siemens-Nixdorf doesn't even have a char map!
  • (cs) in reply to Ytram
    I feel so safe with my money kept by the bank, with all that well-tested software around, there is no way there could be a security hole somewhere. Could there? (deeply worried...)


    You have good reason to be worried.  From someone who has worked with several financial institutions, I can tell you that a large number of them have appalling security policies.  Especially the smaller credit unions.
  • (cs) in reply to Drak
    Drak:

    Actually something similar once happened in a piece of software I wrote. It handled uploading files from JavasScript through an ActiveX control. We tested it (and even used it for about a month on our own Intranet) and nothing went wrong. Until it went to the customer.

    It fell apart. They couldn't upload their files. Finally it became apparent that files starting with the letter 'u' or in folder starting with the letter 'u' caused a failure.

    Can any of you figure out why? It's rather silly.

    Drak



    Hmmm... might it have to do with Javascript unicode escapes, which look like \u0020?
  • Drewsky (unregistered)

    Um, anyone think that maybe they should have those people with 7 in their PIN...CHANGE IT?  Then it would be a non-issue until they got it fixed.  I know it does not solve the code problem straight away...but it does solve the problem that customers are having.  Just a thought

  • robertg (unregistered) in reply to Drewsky

    Ah, I get it now. It's not a bug at all. A clever bank programmer (oxymoron?) is going to disable a different digit each month. He can then figure out the pin number of any custom who makes 4 complaints.

  • (cs) in reply to Drewsky
    Anonymous:
    Um, anyone think that maybe they should have those people with 7 in their PIN...CHANGE IT?  Then it would be a non-issue until they got it fixed.  I know it does not solve the code problem straight away...but it does solve the problem that customers are having.  Just a thought


    But then there'd only be 6561 possible pin numbers!  Notice how the first and last numbers add up to 7?  Oh the horrors!
  • Joost (unregistered) in reply to boa13
    Anonymous:
    It might well be that this problem only occurs in some newer ATM models in the Nederlands, where Dexia has less of a marketshare. It might also be that the original article has been poorly written, misunderstood and/or mistranslated: I don't know Dutch but I can see some meaning in the sentences, and I can't find anything about "software" in the original article.


    "We hebben een probleem met de software", erkent een Dexia-woordvoerster woensdag in krant Het Laatste Nieuws. "Binnen drie weken moet het opgelost zijn."

    "We have a problem with the software", a Dexia spokeswoman acknowledged Wednesday in the newspaper The Last News. "Within three weeks it should be solved."

    (I'm not anonymous, I just lost my cookie.)
  • (cs) in reply to Ytram
    Ytram:
    I feel so safe with my money kept by the bank, with all that well-tested software around, there is no way there could be a security hole somewhere. Could there? (deeply worried...)


    You have good reason to be worried.  From someone who has worked with several financial institutions, I can tell you that a large number of them have appalling security policies.  Especially the smaller credit unions.


    The organizations that insure these financial institutions have even more reason to be worried than you.
  • Jonathan (unregistered) in reply to ComputerGuyCJ

    I was referring to spaceballs and i wasnt referring to the airshield.  please learn english and re-read what i wrote.

    thx

  • Will (unregistered) in reply to robertg
    Anonymous:
    Ah, I get it now. It's not a bug at all. A clever bank programmer (oxymoron?) is going to disable a different digit each month. He can then figure out the pin number of any custom who makes 4 complaints.


    That still leaves 4! = 24 ways to arrange the 4 digits into a PIN.
  • (cs) in reply to Will
    Anonymous:
    Anonymous:
    Ah, I get it now. It's not a bug at all. A clever bank programmer (oxymoron?) is going to disable a different digit each month. He can then figure out the pin number of any custom who makes 4 complaints.


    That still leaves 4! = 24 ways to arrange the 4 digits into a PIN.


    Safest possibility for a four-digit pin is one pair of digits and two odd digits.

    If the customer only makes one complaint (say on month 7) then there is one possible PIN: 7777

    If the customer only makes three complaints, then there are three known numbers...

    There are three possibilities for the fourth number.

    There are 4!/2! ways to order these four numbers, two of which are the same...

    So there are 3 * 4! / 2! = 36 possible PINs

    If the customer only makes two complaints, there are two known numbers.

    There are two possibilities... either he uses both numbers twice, or he uses one number three times.

    If he uses one number three times, then there are two choices for which number to use three times, and 4! / 3! ways to order the numbers in the PIN... 8 possible PINs.

    If he uses both numbers twice, then there are 4!/(2! * 2!) ways to order these numbers... 6 possible PINs.

    So...

    Four complaints: 4! = 24 PINs.
    Three complaints: 3 * 4! / 2! = 36 PINs.
    Two complaints: 2 * 4! / 3! + 4! / (2! + 2!) = 8 + 6 = 14 PINs.
    One complaint: 1 PIN.

    There are 10C4 ways that four complaints can be made.
    There are 10C3 ways that three complaints can be made.
    There are 10C2 ways that two complaints can be made.
    There are 10C1 ways that one complaint can be made.

    Total number of PINs:

    10C4 * 24 + 10C3 * 36 + 10C2 * 14 + 10C1 * 1 =
    210 * 24 + 120 * 36 + 45 * 14 + 10 =
    5040 + 4320 + 630 + 10 =
    10000 = 10 ^ 4
  • (cs) in reply to robertg

    Anonymous:
    Ah, I get it now. It's not a bug at all. A clever bank programmer (oxymoron?) is going to disable a different digit each month. He can then figure out the pin number of any custom who makes 4 complaints.

    <FONT face="Courier New" size=2>if he's in charge of the software that runs it, wouldn't he be even more clever to just have the pins dumped to a file?</FONT>

  • boa13 (unregistered) in reply to Joost

    Here's the article from Het Laaste Nieuws the ANP talks about. I don't see the word "software" in there.

    « Een groot aantal selfbanking-terminals van Dexia Bank slaat tilt wanneer klanten het cijfer 7 intoetsen bij het vormen van hun geheime code. Daardoor zijn al sinds begin september heel wat mensen genoodzaakt hun bankverrichtingen aan het loket te doen.

    "We gaan op zoek naar alle automaten die wel eens blokkeren wanneer het cijfer 7 wordt ingetoetst. Binnen de drie weken moet het probleem opgelost zijn", luidt het bij Dexia. De bank raadt zijn klanten intussen aan hun geheime code te veranderen als het probleem zich blijft voordoen. »

    Translation with help from the fish:

    « A large number of Dexia bank "self-banking" terminals crash when customers press 7 while typing their PIN. As a result, starting early September, a lot of people have had to do their banking operations at the counter.

    "We're looking for all the automats that block sometimes when the digit 7 is keyed in. The problem should be solved within three weeks," Dexia says. Meanwhile the bank suggests its customers change their secret code if the problem keeps hitting them. »

    Looks like you can't fully trust the ANP news wire, which a lot of people seem to do.

  • (cs) in reply to Maurits

    LOL <FONT color=#555555>Maurits, you have too much time on your hands [8-|]</FONT>

  • Anonymous coward (unregistered) in reply to Paladin
    Anonymous:
    Anonymous:
    What, you expect me to test EVERY possible combination of personal PIN numbers?


    There's only 10k of them. If you take about 3.6 seconds per combination you can be done in two working days.


    Sorry, guess I forgot to push the sarcasm button.

    That's what QA (and development) typically say, "I can't test *every* combination". And the joke is that yes, there are only 10k of them.

    Heh, the captcha is 'algebra'
  • (cs) in reply to Anonymous coward

    Anonymous:

    Sorry, guess I forgot to push the sarcasm button.

    <FONT face="Courier New" size=2>the sarcasm button was removed from the forum software since it kept starting new posts instead of throwing up the sarcasm tags.</FONT>

  • Joost (unregistered) in reply to boa13
    Anonymous:
    Looks like you can't fully trust the ANP news wire, which a lot of people seem to do.


    Are you suggesting ANP made up the quote with the word 'software' in it?
  • Dwayne (unregistered)

    My guess is someone used a simple substitution cipher that maps "7" to some special character.

  • (cs) in reply to Luffy

    Luffy:
    if (isTrue(digit == 7))
        throw;

    I propose automatically marking any comment containing "isTrue" as a troll post.

  • (cs) in reply to smelliot
    Anonymous:
    Wouldn't have affected me, therefore, don't care. :)


    Ha! You've just given away 0.608 bits of information about your PIN. 11.095 bits more, and a hit is guaranteed using at most 3 tries.

  • (cs) in reply to drjava
    drjava:
    Luffy:
    if ([DELETED](digit == 7))

        throw;

    I propose automatically marking any comment containing "[DELETED]" as a troll post.


    I was quite tempted to mark your post a troll post.

    Sincerely,

    Gene Wirchenko

  • (cs) in reply to Gene Wirchenko
    Gene Wirchenko:
    drjava:
    Luffy:
    if ([DELETED](digit == 7))

        throw;

    I propose automatically marking any comment containing "[DELETED]" as a troll post.


    I was quite tempted to mark your post a troll post.

    Sincerely,

    Gene Wirchenko



    I was quite tempted to mark your post a troll post.

    Sincerely,

    Richard Nixon
  • (cs) in reply to Richard Nixon
    Richard Nixon:
    Gene Wirchenko:

    I was quite tempted to mark your post a troll post.

    Sincerely,

    Gene Wirchenko



    I was quite tempted to mark your post a troll post.

    Sincerely,

    Richard Nixon


    I was quite tempted to mark your post a troll post.


    And so I did.

    Sincerely,


    Alexis de Torquemada

  • Roland (unregistered) in reply to joe_bruin
    Anonymous:

    My cable company (Adelphia) accepts credit card payments by phone.  When you pay, you give the system your CC number, as well as a four digit expiration date (MMYY).  However, if your four digit expiration date starts with a zero (for, y'know, those months other than October,  November, and December), the system complains that you did not give it a valid input.  Obviously, what's going on is the leading zero is getting dropped off as the input is treated as a number, but when the string length of that number is taken later, it is three, not four (and no, it does not accept 3 digit values).

    So, this is kind of a case of checking your boundry cases.  Or, er, your 75% cases to make sure they work..


    I once had a similar problem. I had written a JavaScript HTML form validator that should check for a valid date. So I used parseInt(i) to get the number of the month. This failed for August and September. Replacing parseInt(i) with parseInt(i, 10) solved the problem.

  • (cs)

    It must have something to do with the meaning of life:

    int i = 7;
    Console.WriteLine((i*i)-7);

  • (cs) in reply to Alexis de Torquemada
    Alexis de Torquemada:
    Richard Nixon:
    Gene Wirchenko:

    I was quite tempted to mark your post a troll post.

    Sincerely,

    Gene Wirchenko



    I was quite tempted to mark your post a troll post.

    Sincerely,

    Richard Nixon


    I was quite tempted to mark your post a troll post.


    And so I did.

    Sincerely,


    Alexis de Torquemada



    Threaten anyone today tough guy?

Leave a comment on “The Trouble With Seven”

Log In or post as a guest

Replying to comment #46774:

« Return to Article