2010 Bug Plagues Germany 233
krou writes "According the Guardian, some 30 million chip and pin cards in Germany have been affected by a programming failure, which saw the microchips in cards unable to recognize the year change. The bug has left millions of credit and debit card users unable to withdraw money or make purchases, and has stranded many on holiday. French card manufacturer Gemalto accepted responsibility for the fault, 'which it is estimated will cost €300m (£270m) to rectify.' They claim cards in other countries made by Gemalto are unaffected."
I wonder how that is compared to the loss from Y2K (Score:4, Insightful)
from TOA
I wonder how does it compare to the losses from Y2K bug... I know it is hard to compare, because there was an unspecified money loss as part of unnecessary checks, difference in scale, anticipation and efforts to fix before manifestation.
I guess it hits you when you are least expecting.
Re:I wonder how that is compared to the loss from (Score:5, Insightful)
Moreover, it makes you wonder who much of a problem Y2K may have actually been if we hadn't of looked for all the problems and fixed them.
Chances are things like this would have only been the beginning if Y2K hadn't have been anticipated and planned for, even if we over-reacted. Maybe we should be giving some people more credit than we do...
Re:They had to Queue? (Score:3, Insightful)
Back when ATMs and POS electronics were uncommon, everyone knew well in advance that they would have to go get cash in order to make purchases, and do so during banking hours. Inconvenient; but everybody knows the score and the system is set up to work that way. If things suddenly shift back, you get a whole bunch of people, many whose first warning is probably some sort of cryptic error at a payment terminal, either stuck outside of banking hours, or swarming the few bank clerks that haven't been replaced by ATMs. Substantially more inconvenient now than it was then.
Greetings from 2038! (Score:4, Insightful)
Re:I wonder how that is compared to the loss from (Score:5, Insightful)
The response for y2k was not planned for, and it was not an over reaction.
Y2k issues were known in the 80's. Had IT been allowed to respond in a timely manner, it would have cost much less, been checked more thoroughly and finished earlier. Instead they waited until the last possible moment and poured much more money into it, hiring as many developers as possible to put in a rushed hackjob and then firing them when the hack worked instead of retaining them to vet, verify and implement permanent solutions where needed. This issue is a result of the failure to react apropriately to y2k. The rushed temporary get-it-done-yesterday hacks are starting to fail.
Re:Untested software (Score:3, Insightful)
Believe me, they they are tested. I know. But they are not always tested well.
- The EMV (Euro MasterCard & Visa, also called chip & pin) specs are complex to say the least. It took 6 months for one team I know of to get to the point that the spec writerd admitted they did not know how it actually worked, and to admit that the actual data did not match the specs. They rewrote the spec based on actual data. Later, the 'controlling authorities' updated their specs to match our results. As if anyone ever really know how it worked. Kinda like taking your new car to a mechanic, having him change the oil, and he says 'gee, this doesn't look like the oil drain to me, but the manual says so. Just let me check'. And sure enough, the manual is illustrating the radiator draincock. Nice. And the car manufacturer is arguing with you that you're wrong, even when you send them a video of coolant coming out of the so-called 'oil drain plug'. Next year, they send you a new page for the manual. Your video is the source of the new pictures. Thanks, guys. You made this, and you got it that wrong?
- Covering the connectors will force the reader to take the stripe if it can, and many do. This is also a scam by some criminals, where they cover the terminals in the reader and force the stripes for all purchases - and snarf your data. These usually don't last long, as this is a characteristic of either a failed terminal or fraud, and someone will be sending a new terminal out to the POS. If they do it again, they will send a body also. Third time usually results in sanctions. Gas stations and small restaurants are favorites for this, but large retailers also get hit of someone can slip in a doctored terminal - usually after stealing one earlier. Mongrel terminals are usually caught pretty quickly, so go in late at night, distract the staff, nick it, fix it up in your car, come right back, and get it back in before anyone notices. Target here in the U.S. got hit by this. So far, no reports from Europe.
Chip & pin is not yet common in the U.S., and I'm not looking forward to it. In England, disputes over unauthorized charges with chip & pin almost always result in the bank ignoring the customer's pleas, and very often result in discovery later that there was a breach elsewhere in the system, like a pin pad. Many a sad tale of widows wiped out, and only after much pain is the truth found. The banks and all are hanging on to chip & pin as the 'final solution' to card fraud. Fat chance.
Re:2010 (Score:3, Insightful)
1-digit years, 2-digit years, 4-digits years, month-before-day, month-after-day, year-first, year-last, decimal-seperators, slash-seperators, dhash-seperators, space-seperators, a-mix-of-seperators, without-day-of-week, with-day-of-week, with-day-of-week-abbreviated, without-english-month, with-english-month, with-month-abbreviation, and all words in many languages.. and different variations on abbreviations..
Even if these guys leverage the standard libraries as much as they can, its still non-trivial to do it correctly. Multinationals arent dealing with data in a single format.
Re:Remind me of another story... (Score:3, Insightful)
Indeed. When you find a problem and develop a fix, you are faced with a choice: continue using the old system with mostly known problems and possibly known workarounds, or use the patched system that has one of the known problems fixed, but might have new unknown problems, possibly more severe than the old known problem, and possibly without any workarounds.
Re:2010 (Score:3, Insightful)
Unix epoch does not have to end in 2038 (Score:4, Insightful)
2038 is only the limit on 32bit platforms. On a 64bit platform time_t is 64bits, which will last "forever". We are already significantly on the way to switching to 64bit-only CPU operation, and I'm going to bet that by 2038 we'll switch completely, if only to avoid the end of time. Heck, if you could only have a working 64bit flash plugin on Linux, all Linux users would go 64bit already.
Re:2010 (Score:3, Insightful)
continue to clone every release. Or just use updates of the library, to carefully apply applicable patches to your fork of that part.
Sounds like exactly the sort of maintenance issue management wanted to avoid in the case I mentioned.
Wow! (Score:2, Insightful)
Re:I wonder how that is compared to the loss from (Score:2, Insightful)
The rushed temporary get-it-done-yesterday hacks are starting to fail.
Wonderful rant, but pray tell, how does this issue link to y2k hacks when it's an update to previous cards limited to German market? Have you inside knowledge from Gemalto of what motivated the aforementioned update and the reason they used such a way to represent the year in that particular geographic location?
Re:Suppression of costs via minimizing testing. (Score:3, Insightful)
Re:I wonder how that is compared to the loss from (Score:3, Insightful)
You know, companies make the conscious decision to not have permanent staff to oversee contractors. They get what they pay for. That doesn't excuse contractors, but there is this thing called due diligence.
Also, I'd say there is a 90% chance that the contractor spelled out exactly what they were doing and its implications, and somebody in the company signed off. Maybe they didn't read it all, but it is just as likely that they were given the choice of $600k to do it right, and $500k to do it cheap, and they picked the latter. Saving $100k probably got the decision-makers bigger bonuses, and by now they're all in different jobs or retired anyway.
The problem is that companies are WAY too short-sighted. As a result stuff like this never shocks me.