Irrelevant details

Let me backtrack for a bit, but feel free to skip the net banking technical details straight to the next section. I've never thought of myself of a great software tester, but my track record of locating implementation flaws in Internet banking systems, out of black-box observation of the system behavior, has been pretty solid.

Last year, I wanted to invest in some funds at one of the banks in which I have an account, but the entry barrier was a bit more than I wanted to invest in them. I figured I could put the money in and take it out on the next day. However, once I put the money in, the option of scheduling future operations on that fund became available. I was about to schedule a withdrawal, but then I wondered, what if I told the system to add the exact amount I wanted to invest in that fund on the next day, and then I canceled the first operation? Without much to lose, I gave it a try. In spite of having canceled the initial deposit, the subsequent one was accepted, even though it was below the entrance barrier. Cool, eh?

At another bank, I found out I could perform both operations on the same day, because it accepted more than one operation per day per investment fund. Quite useful for investment funds with high entry barriers and long periods of retention. I didn't quite expect the bank to honor those investments, I discussed the situation with the bank managers, but they didn't seem too concerned. “No harm is done, so, if the system lets you do it, by all means, go for it”, both said.

It was at yet another bank that I ran into a far more disturbing flaw, also last year. It permitted even initial deposits to be scheduled for future dates, but it was robust enough to prevent the trick above. However, one day it happened that I had scheduled a withdrawal from one fund and a deposit to another fund for the same day. The deposit wasn't performed, presumably because the bank system attempted to process it before the withdrawn funds were available. I.e., it didn't find enough funds for the operation, so it didn't perform it. That behavior sucks, but that's not the really interesting part.

The interesting part was that I then canceled the scheduled operation, to perform it manually at a time I could see the funds were available, and I was surprised to find that my balance was still the amount I intended to invest. Looking at the transaction log for the day, I saw an entry that credited that amount, which was supposed to cancel the debit that it hadn't performed. I took note of it, mentioned it to the bank manager, and didn't think back of it. I couldn't believe that balance would survive long and, indeed, it disappeared overnight.

Last week, I had an identical situation occur to me, and I was surprised that the problem hadn't been fixed after so many months. Annoyed that the operation I'd requested hadn't been performed, I canceled it, performed it manually, and then, just to vent out my frustration, requested another investment using the virtual funds I'd been given. I told the bank manager what was going on, got a call from some technical person to whom I described the bug in more detail, and relaxed. I had been told just a week before that investment requests that would get me to a negative balance wouldn't be honored, so I was pretty sure at least one of the two requests would bounce. Surprise! It didn't, and the next day I had a very negative balance.