gemini://freeshell.de/stories/secure.gmi

I once worked on an internet banking thing for some smaller UK banks. You could see your transactions and your balance, make payments, the usual sort of thing. One feature that was unusual at the time was that you could see your credit card as well as your regular bank accounts, and transfer money between them.

I thought at the time that it was way beyond me to know if the site was secure. Was I going to do something that let dubious people in far off countries take the life savings of little old ladies? Well, there were security audits and the bankers were happy.

The money was interesting. I worked for a consultancy company who hired me out to the software company, who in turn charged the bankers. I was told what the bankers were paying for me: about six times what I was earning. Some time later, I mentioned this to a director of the consultancy, and he was annoyed that I didn't tell him at the time. He would have got more money out of the software company. I know I wouldn't have seen any of that money, so meh.

Eventually the project approached go live. My dev work had stopped, and I was left trying to recreate source code for test releases because the bankers thought that we should have used source control. Don't judge. This was a long time ago. The process was to run a decompiler on the release artefacts. Then find the closest source as far as I could guess; compile; decompile; see if the two lots of decompiled source matched. Tweak the source and repeat. When they match, commit to source control. Either the bankers or the software company decided this wasn't worth the money, and I left the project.

A year or two later, when I'd left the consultancy, I saw a report about a security breach at a bank's web site. It's the sort of article I would normally skim past, but the name of the bank made me sit up. Was I right to be worried about lost savings? Was it all my fault?

A customer had a credit card that they'd cancelled, and it disappeared from their internet banking. Then later it reappeared, with transactions that the customer knew nothing about. Naturally they were worried and contacted the bank. It turned out that it was someone else's credit card, so that person had to pay the bill. The real problem is that credit card numbers aren't supposed to be re-used. Every card ever issued should have a unique number. The bankers has re-used numbers from cancelled cards. Oops. The software mapped credit card numbers to customers, but didn't do any other checks because no two people could ever have the same credit card number, surely?

A nice example of the old saying "Software can't be made foolproof because fools are so ingenious."

Did I cause a security breach?