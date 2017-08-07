Buggy Software Made Us Miss Money Laundering Scam, Says Australian Bank (theregister.co.uk) 27
An anonymous reader shares a report: Australia's Commonwealth Bank has blamed a software update for a money laundering scam that saw criminals send over AU$70m (US$55m) offshore after depositing cash into automatic teller machines. News of the Bank's involvement in the laundering scam broke last week, when Australia's financial intelligence agency AUSTRAC announced that it had found over 53,500 occasions on which the Bank failed to submit reports on transactions over $10,000. All transactions of that value are reportable in Australia, as part of efforts to crimp the black economy, crime and funding of terrorism. The news was not a good look for the Bank (CBA), because most of the cash was deposited into accounts established with fake drivers licences. Worse still is that each failure of this type can attract a fine of AU$18m, leaving CBA open to a sanction that would kill it off. Today the bank has explained the reason for its failure: "a coding error" that saw the ATMs fail to create reports of $10,000+ transactions. The error was introduced in a May 2012 update designed to address other matters, but not repaired until September 2015.
Sounds to me like a couple programmers found a way to take their retirement accounts into their own hands.
And how the changes passed the QA anyway? I think the QA could also be involved.
I didn't know they held a pageant for that.
How about ATMs that don't allow you to withdraw or deposit more than $10,000 in cash?
No, I'm guessing that they made transfers between accounts using the ATMs. but shouldn't the reporting be done at a centralized level?
e.g. ATM requests that a service transfers funds, the transfer service is used by all software to access the accounts (online, teller, ATM, phone), and THAT is responsible for logging $10k+ tr
With modern OS's (Memory Address randomization, have data and Executable data in different areas of the memory ) the types of bugs that Rust fixes by default will prevent a bunch of system crashes vs using low level hacking methods to control the system.
Besides the developers who are good at fixing the low level security problems are often not the same people who are good at fixing logic errors.
I find most bugs comes from management pushing the get the product done quickly. and forcing using the prototype p
A coding error that was not caught in regression testing, and remained undetected and thus unpatched for years, breaking your organization's compliance... IS A BUSINESS ERROR.
Money laundering laws remind me of stuff like DRM, where it's primarily known for being a pain in the ass for completely innocent people, and it's assumed that crooks already know how to get around it anyway and are therefore not as inconvenienced or violated as everyone else.
Any time a money laundering law comes into play, it's very likely that it's just making things harder for (or compromising the privacy of) a non-criminal. Ergo, the laws have little legitimacy and no person worries if they're circumven
I read the headline as "Buggy software made the United States win the Miss Money Laundering Scam according to an Australian bank." I think it's a title we would live up to.