By a very nice coincidence I have bumped into this interesting paper (dating around 15 Jul 2008) - “BREAKING THE BANK - VULNERABILITIES IN NUMERIC PROCESSING WITHIN FINANCIAL APPLICATIONS” - ENJOY the reading!
Given that I currently work in a telecom billing software company - I just cannot find enough words and meanings to confirm with sorrow that pretty-fucking-many of my fellow programmers do not give a shi…ny glass for avoiding this kind of problem. Worse, they don’t even realize it :-S…
PS: …and YES, Bank Of Cyprus (along with its new migrated Java/JSF-based banking application - a special post on this to follow) allows/uses:
Happy hacking…
When it comes to speaking about money, a lot of people get interested. And nowadays most money discussions revolve around or near the EUR-USD exchange rates.
Some people (including me sometimes) are unhappy to depend on, and always lose, their honestly earned savings because some avid and greedy circles of interest are playing with exchange rates and making them uncontrollable…
Some other people try to get into the game - they try to play and take advantage of this uncontrollable phenomenon called exchange rates - they wake up with the Yahoo Finance and XE sites on their desktop, they are always talking about “Did you see how USD went up/down today?”… Anyway, these small people (compared to the dominant circle of interest) only have the false impression that they sometimes win (this is my opinion at least).
Real case
The point of this article however is - with the IT era in power, everything might be possible (actually it is possible - money that is credited to people, which does not really exist, but somehow exists only in the virtual space of the creditor’s PC).
What do I mean by everything is possible? Two simple examples - it would be virtually possible (but since virtual/credited money is taken as granted reality, the concept of virtual can also be taken and pushed into reality) to gain an exchange rate of 1 USD = 1 EUR (wouldn’t you be happy?), or 1 EUR = 2 USD (again you’d be happy, right?).
So, once I went to the Yahoo Finance site. From what I know, it is a site trusted by many interested in accurate and updated financial information.
As I am not cold-blooded when it comes to software that deals with bank accounts, financial information and calculations, accounts, passwords, authentication, authorization, security and input validation in general, I tried some directed testing.
And surprise - with a few carefully selected tests/values, we get information which would enrich us if we could put such surprising output/behavior into a practical solution/attack.
Ideas
Now imagine the following scenario (even if it sounds utopian):
1. Find a publicly available financial trading system/portal (FOREX maybe?! since there are a lot of brokers for FOREX accounts) which is susceptible to weaknesses like the above (this is the hardest, but not impossible)
2. Get 1000 USD and trade/exchange them into 1000 EUR (using some kind of automation). Yeah, I know it looks silly, but it would require 10 million transactions. What this means - you should find at point 1 a VERY BUSY system/portal, where 10 million transactions would not raise suspicions
3. Trade back 1000 EUR into 2000 USD. Yeah, again 10 million transactions. Now you see why point 1 is the hardest?
4. Repeat steps 2 and 3 as many times as needed/wanted.
5. An improvement to the algorithm would be a distributed network of persons, each doing a smaller number of transactions, targeted at the same or different financial systems.
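The scenario above only works if each tiny exchange is rounded in the customer’s favour. The following is an added example (not code from this post nor from any site it mentions), using a constructed rate of 1 EUR = 1.50 USD: a careless converter that accepts dust-sized amounts and rounds the credited side half-up to cents turns 0.01 USD into 0.01 EUR and 0.01 EUR into 0.02 USD, which is exactly the “1 USD = 1 EUR” and “1 EUR = 2 USD” rates mentioned earlier, while the hardened version enforces an assumed minimum transaction size and never rounds the credited side up.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

# Constructed rate for illustration, not a real quote: 1 EUR buys 1.50 USD.
USD_PER_EUR = Decimal("1.50")
CENT = Decimal("0.01")
MIN_AMOUNT = Decimal("1.00")  # assumed policy: refuse dust below one currency unit


def naive_convert(amount: Decimal, to_eur: bool) -> Decimal:
    """Careless converter: accepts any amount and rounds the credited result half-up to cents."""
    raw = amount / USD_PER_EUR if to_eur else amount * USD_PER_EUR
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def hardened_convert(amount: Decimal, to_eur: bool) -> Decimal:
    """Safer converter: enforce a minimum size and never round the credited side upwards."""
    if amount < MIN_AMOUNT:
        raise ValueError("amount below minimum transaction size")
    raw = amount / USD_PER_EUR if to_eur else amount * USD_PER_EUR
    return raw.quantize(CENT, rounding=ROUND_DOWN)


def rejects_dust(amount: Decimal) -> bool:
    """True if the hardened converter refuses the given amount."""
    try:
        hardened_convert(amount, True)
    except ValueError:
        return True
    return False


def round_trip(start_usd: Decimal, chunk: Decimal, convert):
    """Push start_usd through USD->EUR->USD in chunk-sized transactions.

    Returns (usd_received, eur_left_unconverted). Money is created only if
    usd_received + eur_left * USD_PER_EUR exceeds start_usd.
    """
    usd, eur = start_usd, Decimal("0")
    while usd >= chunk:          # sell USD for EUR, one chunk at a time
        eur += convert(chunk, True)
        usd -= chunk
    while eur >= chunk:          # sell the EUR back for USD
        usd += convert(chunk, False)
        eur -= chunk
    return usd, eur


if __name__ == "__main__":
    print("naive, 1-cent chunks:   ", round_trip(Decimal("10.00"), Decimal("0.01"), naive_convert))
    print("hardened, 1-unit chunks:", round_trip(Decimal("10.00"), Decimal("1.00"), hardened_convert))
```

With the naive converter, 10.00 USD comes back as 20.00 USD after 2000 sub-unit trades; the hardened one returns 9.00 USD plus 0.60 EUR, so the round trip only loses value to rounding, which is the direction a financial system must round in.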
Conclusions
Yes, it is not a critical bug that affects the entire human being and its entire ®evolution, because bugs exist by definition and similar bugs exist in many other places. But it affects at least our perception of Yahoo & Yahoo Finance, of global finances, of financial software and of software in general.
I got the chance (lucky or not, time will show) to work in quite a big company, which delivers billing solutions to the biggest telecoms in the world, and I have witnessed how that software sometimes works with financial/billing data (roundings, precisions, conversions, error handling and so on).
If we were to think in the same terms - the software for financial trading/information/exchange rates/stock markets is most probably developed by a few big companies which deliver it to companies of the same size (Yahoo, etc. - yes, there is a possibility Yahoo Finance develops in-house software, but I would rather refer to most big companies which buy ready software solutions). And without doubt those vendors have development, quality and managerial models similar to the company I work for. So, I am pretty sure you can find pretty, even pretty-ugly, bugs that can make impossible things happen, and yes - conclusions are up to you.
And among the questions which may dig at your mind, another question to be asked - if we were to generalize, is the information provided by financial software/portals only theoretical (eventually with no liability associated), or are those real financial systems which one can trust, given YOUR money can be the bet…
Some more things to add: