Dozing bank clerk turns €64 into €22 million – and teaches us all a security lesson!

12 Jun 2013, Social networks

by Paul Ducklin

The London Evening Standard recently ran a story about a German bank clerk who is supposed to have “nodded off at his keyboard during a transaction.”

Apparently, the clerk was typing in an amount of 64 Euros and 20 cents when he fell asleep and his keyboard’s auto-repeat took over.

A transaction of €22,222,222.22 (about $30m) was processed instead and inadvertently approved by his supervisor.

The supervisor’s supervisor spotted the double-blunder and headed it off at the pass, but the intermediate supervisor was sacked for letting the transaction go through in the first place.

The story claims that this all came to light because an industrial tribunal in Germany decreed the supervisor’s punishment to be too harsh, considering that she had already been expected to vet 812 documents that day, spending “just over a second” on each one. She was reinstated.

There are lots of unanswered questions in the story, which makes you wonder how much of it is urban legend, extrapolated somehow from details that were lost or altered in translation.

  • If you fall asleep while typing, even just for a tiny micronap, does your finger really tend to keep one key held down, or does it relax and release its pressure altogether?
  • If you are typing in SIX FOUR decimal-separator TWO ZERO and you fall asleep and manage to hold down the digit two, don’t you end up with €64.2222222222 (or perhaps €64,222,222.22 if the decimal is automatic)?
  • If you fall asleep at the digit two, don’t you wake up to a beeping keyboard buffer and a filled-up number-entry field because you haven’t pressed [Enter]?
  • If you expect your supervisors to cross-check multi-million Euro money-movements mixed up with ones for under €100, don’t you program in some kind of approval speed-bump to ensure that the giant-sized transactions get more than a second of attention?
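As an added illustration of the approval speed-bump idea (this is not code from the article, from the bank, or from any real payment system): a Python policy check that holds a transfer for a second approver and a minimum review time above a threshold, and flags long runs of one digit that look like keyboard auto-repeat. The threshold, dwell time and run length are assumed values chosen for the example.

```python
import re
from dataclasses import dataclass
from decimal import Decimal

# Constructed policy values for this example (assumptions, not from the article).
DUAL_APPROVAL_THRESHOLD = Decimal("10000.00")  # above this, two distinct approvers are required
MIN_REVIEW_SECONDS = 30                         # above threshold, the reviewer must dwell this long
REPEAT_RUN_LIMIT = 5                            # a run of one non-zero digit this long looks like auto-repeat


@dataclass
class Transfer:
    amount: Decimal          # amount in euros, e.g. Decimal("64.20")
    reviewer_seconds: float  # how long the supervisor spent on this item
    approvers: int           # number of distinct approvers who signed off


def suspicious_repeat(amount: Decimal) -> bool:
    """True if the amount contains a run of one digit at least REPEAT_RUN_LIMIT long.

    Zero is excluded on purpose: round amounts such as 100,000.00 legitimately
    contain long runs of zeros, so only runs of the digits 1-9 are flagged.
    """
    digits = re.sub(r"\D", "", str(amount))
    pattern = r"([1-9])\1{%d,}" % (REPEAT_RUN_LIMIT - 1)
    return re.search(pattern, digits) is not None


def check_transfer(t: Transfer) -> list:
    """Return the reasons a transfer must be held; an empty list means it may proceed."""
    reasons = []
    if suspicious_repeat(t.amount):
        reasons.append("amount contains a repeated-digit run; re-enter it manually")
    if t.amount > DUAL_APPROVAL_THRESHOLD:
        if t.approvers < 2:
            reasons.append("amount above threshold requires a second approver")
        if t.reviewer_seconds < MIN_REVIEW_SECONDS:
            reasons.append("large amount was reviewed faster than the minimum dwell time")
    return reasons


if __name__ == "__main__":
    # A small transfer vetted in "just over a second" by one person passes;
    # the 22-million-euro version is held on all three grounds.
    print(check_transfer(Transfer(Decimal("64.20"), 1.2, 1)))
    print(check_transfer(Transfer(Decimal("22222222.22"), 1.2, 1)))
```

The per-document time budget quoted in the story (812 items, just over a second each) is exactly what the dwell-time rule is meant to break for the handful of large items, without slowing the hundreds of small ones.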

So, who knows what really happened in this case?

Nevertheless, it’s a great story, and (I bet you’re wondering if I’ll manage to squeeze a generic computer security lesson out of it) contains a generic computer security lesson for us all.

We know that there are some tasks that we simply oughtn’t to attempt when our judgements are impaired, say through tiredness or alcohol.

Driving cars, shooting firearms and performing orthopaedic surgery, for example, are activities that are best avoided under such circumstances.

Yet many of us insist on living our digital lives logged in semi-permanently to sites such as Facebook, Twitter, webmail and more, thus actively and unashamedly inviting upon ourselves exactly this sort of 22-million-Euro-blunder moment.

It’s not just that we’re more likely to initiate an unwanted bank transaction (or send an unintentionally ruinous email) while we’re tired or lit.

It’s that by leaving ourselves logged in unnecessarily, we make it easier for our computer to do just such a thing if it becomes impaired, for example through misconfiguration or malware infection.

It’s a lot less convenient to have to keep logging into and out of your email account, your blog site or your favourite social media account every time you want to tell the world something new.

But do you really have so much to say, at such short notice, that this is an inconvenience you can’t tolerate?

If you are the sort of user who likes to log in and stay logged in, especially to on-line services, why not give yourself a week’s trial of logging out whenever you can, especially from on-line services?

Try it: you may thank yourself one day.

12 comments on “Dozing bank clerk turns €64 into €22 million – and teaches us all a security lesson!”

  1. Colin Bird says:
    June 13, 2013 at 12:06 am

    I always use a different browser for my banking than the one I use for games, etc. For banking, I start that browser, log in, do whatever transaction I have in mind, then log out and close that browser that is set to delete cookies on exit. I simply feel safer that way!

    Reply
    • Paul Ducklin says:
      June 13, 2013 at 12:16 am

      Just don't forget to keep both browsers up-to-date 🙂

      FWIW, I do much the same as you, for the same reason. If the only cookies/web storage objects in the browser are the ones set by the website you're transacting with, then…as you say…you simply feel safer that way!

      I also ensure that Flash is *off* in any browser I use for online transactions, so that I don't have to worry about Flash "cookies", either, which are managed separately from the other cookies in the browser…and I don't have Java in any browser…I simply feel safer that way!

      Reply
      • Spryte says:
        June 13, 2013 at 2:43 pm

        If your browser does not delete Flash cookies there is a third party application that does.
        Also for Windows users, do not forget to delete Silverlight cookies if you have it installed (similar to Flash cookies).
        You have to do it from All Programs > Silverlight.

        Reply
    • Anonymous says:
      June 14, 2013 at 12:14 am

      Yes, and don't forget that you can use the new feature of private session in the latest version of the browsers, such as InPrivate Browsing on IE, Incognito mode on Chrome, etc, or IE with no add-ons.

      Reply
  2. Akumetsu says:
    June 13, 2013 at 12:19 am

    On the "I'm tired = keypress" thing, I can actually kind of relate. When I'm feeling knackered and I'm using the mouse, my right hand ring finger will pack it in, inadvertently executing a right-click. In fact, if I'm really tired, it will happen to the point I'm actually cursing my hand, so there's that.

    Decimal points. I worked at a place that had spreadsheet software to ease the end of day cash close. It was programmed to put a decimal before the last two digits of any figure ONLY. The rest of the sum would have the comma where it should go in each case, so that's a matter of software programming, really.

    Reply
    • Paul Ducklin says:
      June 13, 2013 at 10:23 am

      But…what happened to the six and the four?

      I took into account that the software might require entry in cents, dividing by 100 later on. But did your spreadsheet bump out the most significant digits when the field got full? Or did it simply stop accepting more input?

      Reply
      • Tobias H. says:
        June 13, 2013 at 12:07 pm

        In German news the number mentioned actually is EUR 222,222,222.22, so it’s even more likely that all available fields in the form just got filled with 2’s and the existing numbers got pushed out or were overwritten.

        Apparently the dozing clerk wasn’t even in charge of checking the amount of the transaction so it’s strange that he had editing permission for that field in the first place.

        Just glad that at least someone felt responsible to check a 222 million transfer again the next day.

        Reply
      • Machin Shin says:
        June 13, 2013 at 3:13 pm

        Would be really kind of strange and sloppy for bank software, but I could easily see a large number like say 64 followed by three hundred 2s getting pruned by the software. This would mean in this case though that the software could only handle a transaction up to 99,999,999.99.

        Reply
  3. Barry Moss says:
    June 13, 2013 at 3:58 am

    I've certainly done the nodded off and had the key auto repeat on me, but I've always noticed it immediately afterwards.

    Reply
  4. Jan Doggen says:
    June 13, 2013 at 8:09 am

    "Apparently, the clerk was typing in an amount of 64 Euros and 20 cents" is just an interpretation of someone trying to explain the event, so you don't have to debunk that (the 64,222,222,222 argument).

    There are several other possible reasons: a crumb fell into the keyboard and temporarily made the key stick, a book or stack of papers was moved and its corner landed on the keyboard for a moment, etc. Those could explain the keyboard buffer not filling to capacity.

    Reply
    • Paul Ducklin says:
      June 13, 2013 at 10:28 am

      Just to clarify, the claims that he was entering a figure of EUR64.20, and that it ended up as 22,222,222.22 because he "nodded off", are specific details in the London Standard piece. And it's partly the curious detail in that particular version of the story that this article is about 🙂

      Reply
      • Hugo Köncke says:
        June 13, 2013 at 2:54 pm

        Yes, I agree with Paul. What happened to the six and the four? Were they left-shifted until they "fell from the entry field"?? If this was so, it shows a damn-too-poor banking software.

        Reply
