Feeds

Reg readers crack case of the $23 quadrillion overcharge

<empty field> + binhex = Visa FAIL

Security for virtualized datacentres

It seems an empty amount field is the culprit in the programming glitch that caused some 13,000 holders of prepaid Visa cards to receive warnings that their accounts were overdrawn by more than $23 quadrillion.

At least, that's the theory advanced by several Register readers, who posit an 8-byte blank field was converted to binary format, giving it a value of 0x2020202020202020. Converted to an integer decimal, that translates to 2,314,885,530,818,453,536, an amount that's not far off from the number of cents these customers were charged for a wide variety of purchases.

To recap from Wednesday, Visa sent about 13,000 customers statements claiming their accounts were overdrawn because of a charge for exactly $23,148,855,308,184,500.00. The company quickly identified the problem, which it blamed on a "temporary programming error," and corrected the charges.

Of course, Visa didn't detail the programming error, and that made some of you curious. In a comment titled "Visa deserves glitchslapping?," an anonymous coward pointed out that the incorrect charges, which applied to purchases for cigarettes, gasoline, and sundry other items and services, came to exactly 2,314,885,530,818,450,000 cents, which when converted to binhex comes to 2020202020201250.

"It looks to me like somebody blank-filled a field, plopped the actual charged amount into the end (hex 1250, decimal 4688, likely amount $46.88), and then interpreted the entire field as a hex number," AC wrote. "If so, this is the kind of bug that would have been caught in even the most cursory testing, in which case the 'technical glitch' Visa talks about was not really in the software--bugs happen--but in their own shoddy procedures that allowed untested software to go live."

This still doesn't explain how 13,000 people could all be charged precisely the same amount for purchases whose real-world value were vastly different. Reg reader Stuart McConnachie, who also forwarded the binhex theory, guesses the identical overcharge is the result of a rounding error. When converting to a real number, only the first 15 digits were included, he said. The remainder were converted to zero.

While several of you were astonished that such an elementary mistake could have made it into Visa's live production, at least one reader was impressed that the company's computing system was robust enough to handle the error without crashing.

"I'm impressed at their systems' coders who wrote a system capable of coping with figures like that, and not falling over!" NogginTheNog wrote. "I mean I've heard of inflation-proofing, but really..." ®

Website security in corporate America

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.