Sophos Cloud Optix
The London Evening Standard recently ran a story about a German bank clerk who is supposed to have “nodded off at his keyboard during a transaction.”
Apparently, the clerk was typing in an amount of 64 Euros and 20 cents when he fell asleep and his keyboard’s auto-repeat took over.
A transaction of €22,222,222.22 (about $30m) was processed instead and inadvertently approved by his supervisor.
The supervisor’s supervisor spotted the double-blunder and headed it off at the pass, but the intermediate supervisor was sacked for letting the transaction go through in the first place.
→ The story claims that this all came to light because an industrial tribunal in Germany decreed the supervisor’s punishment to be too harsh, considering that she had already been expected to vet 812 documents that day, spending “just over a second” on each one. She was reinstated.
There are lots of unanswered questions in the story, which makes you wonder how much of it is urban legend, extrapolated somehow from details that were lost or altered in translation.
- If you fall asleep while typing, even just for a tiny micronap, does your finger really tend to keep one key held down, or does it relax and release its pressure altogether?
- If you are typing in SIX FOUR decimal-separator TWO ZERO and you fall asleep and manage to hold down the digit two, don’t you end up with €64.2222222222 (or perhaps €64,222,222.22 if the decimal is automatic)?
- If you fall asleep at the digit two, don’t you wake up to a beeping keyboard buffer in an filled-up number-entry field because you haven’t pressed [Enter]?
- If you expect your supervisors to cross-check multi-million Euro money-movements mixed up with ones for under €100, don’t you program in some kind of approval speed-bump to ensure that the giant-sized transactions get more than a second of attention?
So, who knows what really happened in this case?
Nevertheless, it’s a great story, and (I bet you’re wondering if I’ll manage to squeeze a generic computer security lesson out of it) contains a generic computer security lesson for us all.
We know that there are some tasks that we simply oughtn’t to attempt when our judgements are impaired, say through tiredness or alcohol.
Driving cars, shooting firearms and performing orthopaedic surgery, for example, are activities that are best avoided under such circumstances.
Yet many of us insist on living our digital lives logged in semi-permanently to sites such as Facebook, Twitter, webmail and more, thus actively and unashamedly inviting upon ourselves exactly this sort of 22-million-Euro-blunder moment.
It’s not just that we’re more likely to initiate an unwanted bank transaction (or send an unintentionally ruinous email) while we’re tired or lit.
It’s that by leaving ourselves logged in unnecessarily, we make it easier for our computer to do just such a thing if it becomes impaired, for example through misconfiguration or malware infection.
It’s a lot less convenient to have to keep logging into and out of your email account, your blog site or your favourite social media account every time you want to tell the world something new.
But do you really have so much to say, at such short notice, that this is an inconvenience you can’t tolerate?
If you are the sort of user who likes to log in and stay logged in, especially to on-line services, why not give yourself a week’s trial of logging out whenever you can, especially from on-line services?
Try it: you may thank yourself one day.
I always use a different browser for my banking than the one I use for games, etc. For banking, I start that browser, log in, do whatever transaction I have in mind, then log out and close that browser that is set to delete cookies on exit. I simply feel safer that way!
Just don't forget to keep both browsers up-to-date 🙂
FWIW, I do much the same as you, for the same reason. If the only cookies/web storage objects in the browser are the ones set by the website you're transacting with, then…as you say…you simply feel safer that way!
I also ensure that Flash is *off* in any browser I use for online transactions, so that I don't have to worry about Flash "cookies", either, which are managed separately from the other cookies in the browser…and I don't have Java in any browser…I simply feel safer that way!
If your browser does not delete Flash cookies there is a third party application that does.
Also for Windows users, do not forget to delete Silverlight cookies if you have it installed (similar to Flash cookies).
You have to do it from All Programs > Silverlight.
Yes, and don't forget that you can use the new feature of private session in the latest version of the browsers, such as InPrivate Browsing on IE, Incognito mode on Chrome, etc, or IE with no add-ons.
On the "I'm tired = keypress" thing, I can actually kind of relate. When I'm feeling knackered and I'm using the mouse, my rifght hand ringfinger will pack it in, inadvertently executing a right-click. In fact, if I'm really tired, it will happen to the point I'm actually cursing my hand, so there's that.
Decimal points. I worked at a place that had spreadsheet software to ease the end of day cash close. It was programmed to put a decimal before the last two digits of any figure ONLY. The rest of the sum would have the comma where it should go in each case, so that's a matter of software programming, really.
But…what happened to the six and the four?
I took into account that the software might require entry in cents, dividing by 100 later one. But did your spreadsheet bump out the most significant digits when the field got full? Or did it simply stop accepting more input?
In german news the number mentioned actually is EUR 222,222,222.22 so it’s even more likely that all available fields in the form just got filled with 2’s and the existing numbers got pushed out or were overwritten.
Apparently the dozing clerk wasn’t even in charge of checking the amount of the transaction so it’s strange that he had editing permission for that field in the first place.
Just glad that at least someone felt responsible to check a 222 million transfer again the next day.
Would be really kind of strange and sloppy for bank software, but I could easily see a large number like say 64 followed by three hundred 2s getting pruned by the software. This would mean in this case though that the software could only handle a transaction up to 99,999,999.99.
I've certainly done the nodded off and had the key auto repeat on me, but I've always noticed it immediately afterwards.
"Apparently, the clerk was typing in an amount of 64 Euros and 20 cents" is just an interpretation of someone trying to explain the event, so you don't have to debunk that (the 64,222,222,222 argument).
There's several other possible reasons: a crumb fell into the keyboard and temporary made the key stick, a book or stack of papers was moved and its corner landed on the keyboard for a moment, etc. Those could explain the keyboard buffer not filling to capacity.
Just to clarify, the claims that he was entering a figure of EUR64.20, and that it ended up as 22,222,222.22 because he "nodded off", are specific details in the London Standard piece. And it's partly the curious detail in that particular version of the story that this article is about 🙂
Yes, I agree with Paul. What happened to the six and the four? Were they left-shifted until they "fell from the entry field"?? If this was so, it shows a damn-too-poor banking software.