
Probably a race condition. I once worked at a bank where the core banking system had a bug where if you asked for account data for user X it would about once in a thousand queries return data for some unrelated user Y if the system was under a high load.

The official, vendor-certified "fix" was that since the reply to this query contained the user ID, when calling this API you should always write a do-while loop like:

    do {
      accountsReply = bankCore.getAccountsForUser(myUserId)
    } while (accountsReply.userId != myUserId)

This massive, embarrassing bug was not really documented anywhere, i.e. "silent information". You just "had to know" when writing code against this API that once in a blue moon, it could return data for the wrong user. But only in production, since the test environment was never under such heavy load that it could trigger the race.
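
The ownership check from the comment above, written as an added example (not the commenter's or the vendor's code) with a retry bound, a fail-closed error, and a log line for each mismatch. `AccountsReply`, `FlakyCore`, `WrongUserReply` and `get_accounts_checked` are hypothetical names, and the scripted replies are constructed sample data.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("bankcore.client")

@dataclass(frozen=True)
class AccountsReply:          # hypothetical reply shape: owner id plus payload
    user_id: str
    accounts: tuple

class WrongUserReply(Exception):
    """Every attempt returned another user's data; the caller must fail closed."""

def get_accounts_checked(core, my_user_id, max_attempts=3):
    """Bounded form of the do-while: return only a reply owned by my_user_id."""
    for attempt in range(1, max_attempts + 1):
        reply = core.get_accounts_for_user(my_user_id)
        if reply.user_id == my_user_id:
            return reply
        # Record the event, never the foreign payload: it is someone else's data.
        log.warning("cross-user reply: asked=%s got=%s attempt=%d",
                    my_user_id, reply.user_id, attempt)
    raise WrongUserReply(f"no matching reply after {max_attempts} attempts")

class FlakyCore:
    """Constructed stand-in for the core system: replays a scripted owner list."""
    def __init__(self, owners):
        self.owners = list(owners)
        self.calls = 0

    def get_accounts_for_user(self, user_id):
        owner = self.owners[self.calls]
        self.calls += 1
        return AccountsReply(owner, (f"acct-of-{owner}",))

if __name__ == "__main__":
    core = FlakyCore(["Y", "X"])            # first reply belongs to the wrong user
    print(get_accounts_checked(core, "X"))  # second attempt matches and is returned
```

The bound keeps a persistently wrong backend from spinning the caller forever, and the warning turns each mismatch into something monitoring can count.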

So, OT, but I wonder if this explains my recent ATM withdrawal error on the part of Wells Fargo?

A $300 ATM, card-present withdrawal several hundred miles away (at a golf course country club) from where I had used the card less than an hour before.

Skimmer + camera for PIN is sort of the only other explanation, and I'm fairly paranoid about checking for skimmers.

I've seen photos of some very convincing skimmers that I'd have no hope of detecting despite being pretty paranoid about them myself.

Rooted point-of-sale devices are also a possibility - that's what led to the big Target hack.

I finally saw a gas station with a chip and PIN reader at the Buc-ee's in South Texas, and my spirits were uplifted considerably. Gas stations seem to be both the ideal place to install a skimmer and the companies most dragging their feet upgrading to the tech that will eventually make card skimmers obsolete. It's frustrating how behind we are on this.

I pick gas stations based on whether they support contactless payments.

Going far afield now, but a skimmer isn't going to get my PIN, right? This was a card-present, ATM cash withdrawal that happened.

So POS systems store PINs? I can't imagine them being certified if they do, or for what reason they might.

AFAIK, the POS hacks all ended up with CC numbers, no PINs.

There are skimmers that fit over the PIN pad, or that have cameras pointed at it.

POS systems aren't supposed to store PINs, but a compromised one certainly could.
