Really expensive user training....



  • Hi...

     After reading all those WTFs I wanted to share one I witnessed several years ago. I was consulting in an international bank and we were creating their Hotline-Banking application that would be used by the phone customers. The system used redundant servers, local backup servers for the main servers in case the network line failed, etc... Let's just put it this way.. It was quite complex. The bank was employing very rigid security measures... No Internet, multiple firewalls, downloads only possible on a 486 PC with 3 virus scanners running at once (slowing the box to a crawl so you didn't WANT to DL anything) and the box was also located in the hall where everyone can see you... Any code change had to be signed in by a superior so no one can snip away any "pennies" on the transactions....

     Anyway... After a while working there I noticed that one guy from the team was missing... I had no clue and asked around where he was... Then I was told what happened...

     The guy was setting up a training environment for the system. The training went smoothly and everything worked fine... Until the next day... One of the bank's biggest customers called. There were "a few millions" missing from their main account. After some investigation it turned out that the setup of the training system was slightly incorrect. One of the servers was configured wrongly. Instead of pointing to the training environment, one of the servers was pointing to the "real" Master-Accounting Server of the bank... So all transactions which were conducted during this training were real... And the one with the millions missing was the demonstration of the use case "Supervisor Authorizes transaction over X$"

    Anyway.. Since it was a "good" application all actions had been logged correctly and the bank was able to undo all those transactions. The only thing they were not able to fix was the mood of their big customer...

     



  • I worked at a national electronics/appliance chain when they were rolling out a new sales/inventory system in 1989.  They had several test/training systems set up that were only supposed to have test store numbers.  One of the test or training people either figured out how to print a pick ticket with a valid store number, or they found someone in the store stupid enough to ignore the wrong number.  So, they "sold" themselves a piece of gear on the test system, took the pick ticket down to the real store and picked up the gear.  Then returned it the next day for a full refund.


    The next year, when they started issuing their own store credit card, they hired a vendor to administer the credit accounts.  We were days away from a live rollout to hundreds of stores and the software at the vendor still wasn't right.  The vendor was intercepting each of the electronic credit applications and tweaking them by hand to fix the credit approval amount.  They caught the vendor out when they ran a few of us through the process of getting a real card/account to make a test purchase.  They did it on our lunch break, when the vendor was out to lunch, too, and missed fixing up the approvals.  I don't know how the vendor expected to fix up approvals for customers from 500 stores.  I guess they figured they would have their software fixed before the rollout.



  • [quote user="rdrunner"]

    The guy was setting up a training environment for the system. The training went smoothly and everything worked fine... Until the next day... One of the bank's biggest customers called. There were "a few millions" missing from their main account.

    [/quote]

    In actuality, there is no such thing called money going missing. Trust me, I work on such a system. What happens here is that the "few millions" were debited from the customer's account. And credited to some other account. Usually that's the bank's income or profit account. Such a situation is indeed very good for the bank. And I assume the people in charge at the bank would not have been very happy to part with their easily-gotten wealth.



  • Unless you have separate systems/ports for debits and credits and only the debits part was pointed at a live system.  Then you would be able to debit a real account and credit a fake one, effectively losing the money.  I know it's a stretch, but I have to keep up my hopes that they will hook it up the other way and use my account (debit from a fake system and credit my real account).



  • [quote user="Cotillion"]Unless you have separate systems/ports for debits and credits and only the debits part was pointed at a live system.  Then you would be able to debit a real account and credit a fake one, effectively losing the money.  I know it's a stretch, but I have to keep up my hopes that they will hook it up the other way and use my account (debit from a fake system and credit my real account).
    [/quote]

    Yes, that's what happened at Barings.



  • [quote user="kuroshin"]

    [quote user="Cotillion"]Unless you have separate systems/ports for debits and credits and only the debits part was pointed at a live system.  Then you would be able to debit a real account and credit a fake one, effectively losing the money.  I know it's a stretch, but I have to keep up my hopes that they will hook it up the other way and use my account (debit from a fake system and credit my real account).
    [/quote]

    Yes, that's what happened at Barings.

    [/quote]

    That is a fascinating and riveting story!

    If I read it right, Nick Leeson was less of a thief than someone who liked to speculate with someone else's money. The man single-handedly brought down a bank that had been in business for centuries. 

