[LINK] [NAB] Bank calls in KPMG to review system debacle

Roger Clarke Roger.Clarke at xamax.com.au
Tue Dec 7 11:14:44 AEDT 2010


>http://www.theaustralian.com.au/australian-it/bank-calls-in-kpmg-to-review-system-debacle/story-e6frgakx-1225966632302
>... someone with access to NAB's mainframe systems ... inadvertently 
>bypassed a piece of code that checks BSBs against addresses.  This 
>happened during the batch transaction cycle and disrupted the bank's 
>ability to process the files. ...

That's consistent with the earlier interpolation:

Roger wrote on Date: Tue, 30 Nov 2010 09:38:20 +1100:
>[Tenable explanation:  they changed everything forward as per the
>change control package, it went wrong, they backed almost everything
>out, but they forgot to change the parameter or the JCL back to what
>it was before the faulty change-package went in.  As a result, a
>program that will disappear in the next version was omitted from the
>run (a likely candidate would be a transaction-validation program),
>letting dirty data through into an update program that was designed
>(for good reasons) to expect clean data.

[For 'transaction-validation program' read 'BSB-validation program']


[Aside:  I continue to be very concerned about several aspects of the 
Internet Banking services that I've seen:

(1)  the fields that consumers key BSB and account-number into are 
commonly fixed-length, and preclude the user from using conventional 
groupings (e.g. BSB is either 3-3 or 2-4, and account-number is 
commonly grouped 2-3-4 or 3-3-3).  This must surely result in more 
keying errors than is necessary, particularly single-transpositions. 
BSB codes have no check-digit, and at least some account-numbers 
these days have no check-digit, so many keying errors can't be 
detected that way.  Hence many keying errors will get through to the 
bank.

(2)  banks commonly deny that they can validate account-number 
against account-name.  (It's non-trivial, but it's not *that* hard). 
So any error in keying BSB and account-number will result in either a 
rejection or a posting to the wrong account - if the mis-keyed number 
happens to match a valid BSB-account-number combination.  Has anyone 
seen any stats on the number of transactions that go to the wrong 
account?

(3)  banks commonly refuse to send an email-notification that a 
message has been sent to the customer and is now accessible via their 
Internet Banking interface.  So payment rejections will go unnoticed 
until the next time the customer logs in to their Internet Banking - 
which may be days, weeks or even months.  (On top of that, some 
interface designs fail to highlight the availability of a message, so 
they can be easily overlooked).


-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
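An added illustration of points (1) and (2) above, written for this page and not code from Roger Clarke's post or from any bank: it accepts the conventional 3-3 and 2-4 BSB groupings and normalises them, then measures how many single-digit substitutions and adjacent transpositions a validator can catch. For the BSB it uses a directory lookup (the kind of check the article says was bypassed); for an account number it uses a Luhn check digit as a representative scheme, since the post does not say which, if any, check-digit algorithm the accounts in question use. The BSB directory entries and the account number are constructed placeholders. The counts go beyond the post's remark by enumerating every single keying error rather than one example.

```python
"""Added example, not part of the original post or any bank's code.

Shows (a) normalising the 3-3 / 2-4 groupings users naturally type for a BSB,
and (b) how many single keying errors a validator catches: a BSB has no check
digit, so only a directory lookup can reject a mis-key; a Luhn check digit on an
account number catches every single-digit substitution and every adjacent
transposition except 09 <-> 90.  All BSB and account values are constructed.
"""
import re

# Constructed stand-in for the industry BSB directory (the lookup that the
# article says was bypassed).  Values are placeholders, not real branches.
BSB_DIRECTORY = {
    "012345": "Placeholder Bank, Branch A",
    "013245": "Placeholder Bank, Branch B",   # transposition neighbour of 012345
    "012346": "Placeholder Bank, Branch C",   # substitution neighbour of 012345
    "987654": "Other Placeholder Bank",
}

_BSB_RE = re.compile(r"^\s*(\d{2,3})[\s-]?(\d{3,4})\s*$")


def normalise_bsb(text):
    """Accept '012-345', '01 2345' or '012345' and return six digits, else None."""
    m = _BSB_RE.match(text)
    if not m:
        return None
    digits = m.group(1) + m.group(2)
    return digits if len(digits) == 6 else None


def bsb_valid(bsb):
    """Directory lookup: the only defence a code without a check digit has."""
    return bsb in BSB_DIRECTORY


def luhn_sum(digits):
    """Luhn weighted sum; rightmost digit unweighted, every second digit doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_check_digit(body):
    """Check digit to append to `body` so that the whole number passes luhn_valid."""
    return str((10 - luhn_sum(body + "0") % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_sum(number) % 10 == 0


def keying_variants(number):
    """All single-digit substitutions and all adjacent transpositions of `number`."""
    subs, swaps = [], []
    for i, ch in enumerate(number):
        subs.extend(number[:i] + d + number[i + 1:] for d in "0123456789" if d != ch)
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            swaps.append(number[:i] + number[i + 1] + number[i] + number[i + 2:])
    return subs, swaps


def detection_rate(variants, validator):
    """(caught, total): how many mis-keyed variants the validator rejects."""
    caught = sum(1 for v in variants if not validator(v))
    return caught, len(variants)


if __name__ == "__main__":
    bsb = normalise_bsb("012-345")
    subs, swaps = keying_variants(bsb)
    print("BSB via directory:", detection_rate(subs, bsb_valid), detection_rate(swaps, bsb_valid))
    acct = "40901234" + luhn_check_digit("40901234")   # constructed account number
    subs, swaps = keying_variants(acct)
    print("Account via Luhn: ", detection_rate(subs, luhn_valid), detection_rate(swaps, luhn_valid))
```

With the toy directory the mis-keyed BSB is caught only when the result happens not to be another listed branch (53 of 54 substitutions, 4 of 5 transpositions here), which is exactly the "posting to the wrong account" case in point (2); the Luhn-protected account number rejects all 81 substitutions and 6 of its 8 transpositions, missing only the two 09/90 swaps.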
