Date: Fri 13 Sep 85 00:22:19-PDT
From: Peter G. Neumann <Neumann@SRI-CSLA.ARPA>
Subject: Some financial disaster cases from Software Engineering Notes
I hope that the RISKS
Forum will not degenerate into only an SDI Forum, so I
thought I would counterbalance this issue with a new topic. I have
resurrected a contribution from the July 1985 SIGSOFT SEN, and also preview
some newer cases that will appear in the October 1985 SEN (which is just
about ready to go to press). (The few of you who are ACM SIGSOFT members
please pardon me for the duplications.)
[FROM ACM Software Engineering Notes vol 10 no 3, July 1985]
Disasters Anonymous 1: A Rose is Arose is (Three) Z-Rose
Now and then I get a
story that I cannot print. (I do have a few, but don't
ask. I have of course conveniently forgotten them all.) Here, is one that can
be printed -- although its author must remain anonymous. Note that the case of
the three extra zeroes resulting from two different assumptions about the human
interface bears an eerie resemblance in cause to the case of the shuttle laser
experiment, which follows after this one. [PGN]
A group within
my company had a policy of dealing only in multiples
of one thousand dollars, so they left off the last three digits in
correspondence to the wire transfer area to make their job easier.
Other groups, however, had to write out the full amount since they did
not always deal with such nice round numbers. One day, a transaction
was processed that had a value of $500,000. The person who entered the
transaction thought that it was from the group who dealt in multiples
of $1000 and entered it as $500,000,000. Of course, this was not the case,
so a $500,000 transaction became a $500,000,000 one.
The only thing
that prevented a disaster was that it was sent to a small
company that called back to verify the amount, and the error was then
caught. However, this was a Federal Reserve transaction and the funds
had been transferred, but the timing was good and the transaction was
backed out before it became a disaster. My opinion is that such critical
software should have caught the error before the wire was sent to the
in a Federal Reserve transfer had to do with multiple
transactions per communications transfer. In this case, the Federal
Reserve software put a pair of nulls in the data that should have been
translated as blanks. However, they were stripped out and a $200,000,000
incoming wire lost. To maintain the Fed balance, money was purchased
to cover a deficit that didn't exist -- since the money was a credit.
This was a substantial monetary loss because of inadequately tested
[FROM ACM Software Engineering Notes vol 10 no 5, October 1985]
Disasters Anonymous 2: Financial Losses
Our anonymous contributor from SEN 10 3 (July 1985) has come through again.
Since I sent some
disaster reports to you in May, another one has occurred.
This one caused some financial loss and acute headaches among managers.
Most large banks
subscribe to the Federal Reserve's funds transfer system,
frequently referred to as "Bankwire". Our system that connects to Fedwire
was being upgraded with a new DDA interface to the host to help protect
against overdrafts. During a review, it was determined that the software
was not quite ready, but should be okay to put into production two days
later. I cautioned them against doing so since not all of the bugs had been
resolved, and the software had not been "stress tested" (or whatever phrase
you wish to use about testing that ensures that it will work in production).
The first day
of production went fine. However, the main file in the new
software was an ISAM file that had degraded significantly during the first
day. On the second day, that file continued to fragment and started to
consume a large amount of the system resources. This slowed response time
so much that by the end of the banking day, we still had hundreds of wires
to send to the Federal Reserve. We had to request extensions every half
hour for hours to try and squeeze the transactions through the system so
that the money would get to our customers.
In addition, the
response-time problem and other bugs in the software
prevented us from knowing our Federal Reserve balance. Since we must
maintain some 150 million dollars in our Fed "checking account", this lack
of information could cause significant financial loss as 1.5 billion dolars
were posted that day and we were off by hundreds of millions of dollars at
Another part of
this disaster is that the slow response time caused one
program to assume that the host was down. When a transaction finally went
through, our system would transmit the DDA information, but the host did not
acknowledge that they already had the wire. Thus a large number of wires
were being "double posted" (money sent twice). At the end of the day, tens
of millions had been double posted.
As of this writing,
the Fed balance had been straightened out, but not all
of the double postings had been recovered. Note that at current interest
rates, a bank loses $350 per day per million dollars of unused money.
[FROM ACM Software Engineering Notes vol 10 no 5, October 1985]
Disasters Anonymous 3: Insurance, Reinsurance, and Rereinsurance
Perhaps anonymity is
contagious. Re: reinsurance, here is
another letter from a different contributor.
I'm newly receiving
SEN and found the ``war stories'' quite interesting.
Here are three more. I would prefer anonymity should you choose to print
This first is
hearsay (from a former co-worker). Apparently he and his
wife had a joint account with a $300 balance. They needed $200 in cash, but
due to miscommunication they both made $200 withdrawals - she at a teller's
window (cage?) and he at an ATM (automatic teller machine) - within minutes
of each other. When the dust settled they found that their account had a
zero balance: the first $200 withdrawal left a $100 balance, the second
should have left a negative balance of $100, but the computer generated a
$100 credit to offset the shortfall. The icing on the cake was my friend's
inability to explain/convince the bank of this situation and have them accept
I need to be circumspect
about this second story -- it might well have
involved fraud. While a consultant, I was hired to review a reinsurance
agreement. The reinsurance industry is an old-boys, ``handshake is my bond''
industry as insurors frequently offset their risk by selling it (reinsuring)
to other insurors. That is, I insure your building for $10,000,000 and
re-sell all or part of that risk to another firm. Apparently, late one
Monday morning (nearly 11:00 a.m. EST), my client got notice across his
computer network from another firm that it was reinsuring (i.e. off-loading
risk) to my client to the tune of several million dollars. The message was
time-dated Friday evening (6:00 P.M., WST). As ``luck'' would have it the
property in question had suffered a catastrophic loss over the weekend. The
bottom line was that the message had been sent directly (not through any of
the store-and-forward services) and the time-date was thus determined by the
clock-calendar on the sender's computer. Need I say more?
Finally, a story
told to me ``out of school'' by a friend at one of the
nation's largest insurance companies. They apparently are involved in so
many reinsurance deals that it turned out that they were reinsuring
themselves. I.e., Jones reinsured with Smith who reinsured with Brown who
reinsured with White who reinsured with Smith. Smith, it turned out was
paying both Brown and White commissions for accepting his own risk. The
computer system was not designed to look beyond the current customer,
neglecting the loop.
Date: Fri 29 Nov 85 00:43:47-EST
From: Peter G. Trei <OC.TREI@CU20B.COLUMBIA.EDU>
Subject: Computer snafu halts treasury
From the Wall Street Journal, Monday 25 November 1985
[quoted without permission]
A Computer Snafu Snarls the Handling of Treasury Issues
by Phillip L. Zweig and Allanna Sullivan
Staff reporters of the Wall Street Journal
A computer malfunction at Bank of New York brought the
Treasury bond market's deliveries and payments systems to a near-
standstill for almost 28 hours Thursday and Friday.
Although bond prices weren't affected, metal traders bid up the
price of platinum futures Friday in the belief that a financial crisis
had struck the Treasury bond market. However, Bank of New York's
problems appeared to be more electronic than financial.
The foul-up temporarily prevented the bank, the nation's largest
clearer of government securities, from delivering securities to buyers
and making payments to sellers - a service it performs for scores of
securities dealers and other banks.
The malfunction was cleared up at 12:30 p.m. EST Friday, and an
hour later the bank resumed delivery of securities.
But Thursday the bank, a unit of Bank of New York Co., had to
borrow a record $20 billion from the Federal Reserve Bank of New York
so it could pay for securities received. The borrowing is said to be
the largest discount window borrowing ever from the Federal Reserve
System. Bank of New York repaid the loan Friday, Martha Dinnerstein, a
senior vice president, said.
Although Bank of New York incurred an estimated $4 million interest
expense on the borrowing, the bank said any impact on its net income
"will not be material." For the first nine months this year, earnings
totaled $96.7 million. Bank of New York stock closed Friday at
$45.125, off 25 cents from the Thursday, as 16,500 shares changed
hands in composite trading on the New York Stock Exchange.
Bank of New York said that it had paid for the cost of carrying the
securities so its customers wouldn't lose any interest.
Bank of New York's inability to accept payments temporarily left
other banks with $20 billion on their hands. This diminished the need
of many banks to borrow from others in the federal funds market. Banks
use the market for federal funds, which are reserves that banks lend
each other, for short-term funding of certain operations. The cash
glut caused the federal funds rate to plummet to 5.5% from 8.375%
The electronic snafu is by far the largest of computer problems
that periodically have bedeviled the capital markets.
Almost all goverment securities transactions are settled
electronically through the New York Federal Reserve Bank. In this
system, computers of clearing banks are linked to one another through
a central computer, to enable banks to settle purchases and sales of
securities by customers.
According to Wall Street sources, the malfunction occurred at 10
a.m. Thursday as Bank of New York was preparing to change software in
a computer system and begin the days operations. Until Friday
afternoon, Bank of New York received billions of dollars in securities
that it couldn't deliver to buyers. The Fed settlement system, which
officially closes at 2:30 p.m., remained open until 1:30 a.m. Friday
in the expectation that technicians would be able to solve the
Rumors about bank problems often send commodity traders scurrying
to buy precious metals. In the platinum pit at the New York Mercantile
Exchange, the price for January delivery surged $12.40 an ounce to
$351.20 Friday on volume of 11,929 contracts, a 29-year record.
Reports that the Fed was investigating transfer problems at Bank of
New York prompted the platinum buying.
[end of quotation]
to a friend of mine who was peripherally involved in the
recovery from this 'snafu', and it seems that the primary error
occured in a messaging system which buffered messages going in and out
of the bank. The actual error was an overflow in a counter which was
only 16 bits wide, instead of the usual 32. This caused a message
database to become corrupted. The programmers and operators, working
under tremendous pressure to solve the problem quickly, accidently
copied the corrupt copy of the database over the backup, instead of
the other way around.
One thing I have often noticed is that the 'normal run' code of
software packages tends to get much more through testing then the
code for error recovery; not only is it more difficult to test, but
the general feeling of 'this code will never execute' demotivates
programmers. In this case, it sounds like the people at BONY never
held a 'fire drill' to figure out how to handle a corrupt primary
database. Does anyone else have examples where attempts at error
recovery magnified problems?
Date: Wed, 18 Dec 85
From: friend@nrl-csr (Al Friend)
Subject: $32 Billion Overdraft
From: Al Friend - SPAWAR
To: Risks Forum
Here is an interesting
article out of the Washington Post. It seems that
there is a very real potential for financial disaster lurking in the
electronic banking jungle:
[Washington Post, 13 December 1985, p. D7]
Computer Snarled N.Y.
$32 Billion Overdraft Resulted From Snafu
By John M. Berry, Washington Post Staff Writer
The Bank of New
York, the nation's 18th largest, had a brief $32 billion
overdraft on its cash account at the New York Federal Reserve Bank when a
computer failure last month snarled thousands of government securities
transactions, a congressional committee was told yesterday.
By the end of the day, the overdraft had been reduced to $24 billion, and
the bank actually had to borrow that amount from the New York Fed -- pledging
all of its assets -- in order to balance its accounts overnight.
Aside from the unprecedented scale of the borrowing, and the spillover
effects on the government securities market, the incident intensified concern
at the Federal Reserve over the vulnerability of the nation's financial
payments system to a technological glitch that could have disastrous
Federal Reserve Chairman Paul A. Volcker and New York Fed President
E. Gerald Corrigan went before a House Banking subcommittee yesterday to
describe how the computer failure occurred and how the Fed and the bank
dealt with the crisis it caused.
On Wednesday, Nov. 20, transactions involving more than 32,000 different
government securities issues poured into the Bank of New York, one of the
largest processors of such deals on behalf of others.
The bank's computer system was supposed to be able to cope with up to
36,000 issues, but a programming glitch developed and, unknown to anyone,
the computer began to "corrupt" the transactions and make it impossible
for the bank to keep them straight.
Because of the computer system breakdown, the bank could not instruct
New York Fed where to send the securities arriving at the Fed on behalf of
the bank's clients, and therefore could not get paid for them. The New
York Fed was automatically taking money out of the Bank of New York's cash
account to pay the sellers for the incoming securities, all of which are
represented simply by computer records, rather than the familiar paper
bonds still used by most corporations.
By Thursday evening, as hundreds of employes at a host of banks and
government securities dealers tried to sort out the problems caused by the
failure of the intricate and largely automatic network handling these
transactions, the bank had a $32 billion overdraft on its cash account at the
New York Federal Reserve Bank.
The bank's computer specialists finally came up with a "patch" for its
computer program -- a process described yesterday by its chairman,
J. Carter Bacot, as the electronic equivalent of patching a tire -- that
allowed it to begin to clear some of the backlog. But just after midnight,
the patch failed too, after the overdraft had been whittled down to about
The Fed kept both its nationwide wires for securities and cash transactions
open in the early hours of Friday morning. When the patch failed, the Bank
of New York was still able to borrow $700 million from other banks. The rest
was covered by a $23.6 billion loan from the New York Fed. As collateral,
the bank pledged all its domestic assets and all its customers' securities
it was allowed to use for such purposes. Altogether, the collateral was
worth #36 billion, according to the Fed.
The drama was not over. Around 5 a.m. Friday, the bank finally completed
reconstruction of its customers' transactions from Wednesday. By 10 a.m.,
it had done the same for the Thursday deals. But, meanwhile, the rest of the
government securities industry had begun its Friday activities, and securities
and an overdraft were piling up again in the Bank of New York's account at the
New York Fed.
"Faced with this situation," New York Fed President Corrigan told the
banking subcommittee, "at about 11:30 a.m., we temporarily stopped accepting
securities transfers for the account of Bank of New York in an attempt to
stabilize the situation somewhat and to see whether it was practical to
prevent further increases in the overdraft without causing excessive
disruption in the market more generally. . . .
"Operationally, this meant that holders of government securities who had
contracts to deliver those securities . . . to the Bank of New York for
one of its customers [in return for payment] were temporarily unable to make
delivery under those contracts," Corrigan said.
The stoppage lasted only for about 90 minutes that afternoon, and news of it
did not spread widely for nearly an hour. Yet that disruption at the clearing
bank was enough, Corrigan said, to make some market participants unwilling to
trade securities among themselves. "Perhaps most importantly, there was also
some evidence that investors were beginning to seek to break trades and
financing transactions with dealers serviced by the Bank of New York."
Shortly after noon, the Bank of New York was able to begin handling the
Friday transactions that had been piling up, and the Fed was again able to
accept securities destined for the bank. By that point the bank was operating
with a computer system that had undergone a major overhaul in less than 24
The crisis was over, but its final bill is still mounting.
The Bank of New York was out of pocket about $5 million, an amount equal to
about 7 percent of its earnings in the first nine months of this year, to pay
interest on the money it had to borrow that Thursday.
It is still negotiating with many of the parties who may have sustained
losses in transactions that were not completed on time. Such negotiations are
common, said an official of one major securities dealer, because a few
transactions are always going awry. This time it was thousands.
Some customers walked away in better shape. "Indeed, those individuals and
intistutions who bought securities in question received a windfall in that
they received interest for a day [on the securities], but did not incur any
cost of financing," Corrigan noted.
But any loss or gain in dollars, even with millions of dollars at stake, is
not the real issue. What worries both Federal Reserve officials and
participants in the government securities market is the potential for a
failure of the system.
On the average day, about $200 billion worth of government securities
transactions take place involving about 27,000 separate transactions, Corrigan
said. Some days the totals are far larger.
"Like it or not," Volcker told the subcommittee, "computers and their
software systems -- with the possibility of mechanical or human failure --
are an integral part of the payments mechanism. The scale and speed of
transactions permit no other approach.
"In the last analysis, no mechanical system can be entirely 'fail-safe'
and also be commercially viable," he said. "The costs would simply be too
high, and the money and Treasury securities markets could not operate at the
present level of efficiency."
The Fed chairman pointed out that, in this case, the Fed was available to
lend the $23.6 billion, on good collateral. "The effects in this instance
were of unprecedented magnitude, measured by the amount of the overnight
loan," he said. "But the effects in terms of market performance and risk
were well contained. . . . I believe it would be wrong to overdramatize this
Corrigan in his more detailed testimony sounded more notes of concern. "I
believe our actions were prudent, disciplined and appropriate. In saying
this, I should also confess that in some respects we were a bit lucky," he
Part of the luck was that the bank was able to get its computer going again
as soon as it did. Another part, Corrigan said, was that Thursday was not an
especially heavy day for securities transactions.
One government securities trader summed up the situation this way.
"We're all afraid something will go bump and send the market into a tailspin.
. . . The Fed is working night and day to figure out what it can do. The
banks are working night and day. But the amount of [trading] in financial
markets is so large that we feel this is the No. 1 financial problem of the
next few months. Banks have to be able to make settlements with each other."
Date: Sun 16 Feb 86 20:04:54-PST
From: Peter G. Neumann <Neumann@SRI-CSL.ARPA>
Subject: SF Federal Reserve Bank 2 Billion Dollar Goof
The SF Chronicle (7 Feb
86) had an article on what was "perhaps the biggest
banking blunder ever" (despite the Bank of New York just having had a $32
billion screw-up, reported in RISKS-1.31). On 21 January 1986, the Fed was
testing its computers and accidentally transferred $2B to 19 financial
institutions. A weekend test session had been constructed using 1000 actual
transactions from the previous Friday. The test program and data were
accidentally left around, and thus the transactions were repeated on Monday
morning. As opposed to the $32B case, all of the money was recovered, and
no actual losses were incurred. A spokesman "stressed, however, that $2
billion represents only 2 percent of the funds handled by the Fed each day."
(... peanuts ... chicken-feed ...?) In the future, testing will be done with
make-believe transactions and fictitious account numbers. Six employees
deemed responsible were suspended without pay for three days.
to W. Randolph Franklin <firstname.lastname@example.org> for reminding
me of that one. I had meant to include it earlier. PGN]
Date: Sat, 8 Mar 86 20:45:11 est
Subject: bank robbery
Organization: AT&T Technologies @ Burlington, NC
I read an excellent book
a few years ago simply entitled "Computer Crime".
[PRESUMABLY BY DONN PARKER? PGN]
I highly recommend it to the readers of mod.risks. Here are a couple
of example horror stories from the book (from memory, sorry):
a) A guy gets
a bank loan, when he gets his payment book he sends in the
*last* payment slip from the book with his first payment. The bank's
computer sends him a cheerful letter congratulating him on settling his
debt in a timely manner.
b) A guy opens
an account at a major NYC bank with several thousand dollars.
After he gets his personalized checks, he goes to a shady printer friend
and has the guy print up identical checks but with a bogus magnetic number
on the bottom. He then goes on a $1,000,000 check-writing spree. Every
time on large purchases they call his bank and electronically verify that
he can cover the check. Every time the sorting machine at the bank sees
the leading ?3?-digit code of a West Coast bank, and automatically mails
the check there. The West Coast bank's sorter kicks the check out to
manual sorting because it has a bogus account number. The human sorter
takes one look at the check and sees the name of the NYC bank and blithely
mails it back... They finally got onto him when one of the checks had
been through so many sorter and mailer machines it was nearly in shreds,
and the human sorter on the West Coast got curious enough to look at the
magnetic ink number.
c) Guy opens an
account in a Washington, D.C. bank. He rips off several
pads of blank deposit slips from the lobby of said bank, takes them to
a location (?maybe he worked at the place?) that has a magnetic ink
typewriter. He laboriously types his own account number on the bottom
of all the slips, then places the pads back in the lobby of the bank.
A month later he withdraws $100,000 and disappears.
The MAD Programmer --
919-228-3313 (Cornet 291)
alias: Curtis Jackson ...![ ihnp4 ulysses cbosgd mgnetp ]!burl!rcj
...![ ihnp4 cbosgd akgua masscomp ]!clyde!rcj
[OLD STUFF, BUT WHY NOT? WE HAVEN'T HAD THEM HERE BEFORE. PGN]