You are on page 1of 3

T H E P R O F E S S I O N

Fossbakk’s daughter’s account


number was 71581555022, but she
inserted an extra 5 and keyed in

The $100,000 715815555022. The user interface


accepted only 11 digits in this field
(the standard length of a Norwe-

Keying Error
gian account number), thus truncat-
ing the number to 71581555502.
The last digit is a checksum based
on a modulo-11 formula. This will
detect all single keying errors and
Kai A. Olsen, Molde University College and University of Bergen errors where two consecutive digits
are interchanged. Inserting an extra
5 changed both the ninth and tenth
digits.
The average checksum control
Losing $100K hurts, will catch only 93 percent of the
cases in which such errors occur.
but other input mistakes
For Fossbakk, the final eleven-digit
can cost much more. number was a legal account number.
However, only a small fraction of
all legal account numbers are in use.
Further, the chance of mistyping the
account number so that it benefits
lt houg h it sou nds to catch her mistake. Yet this did not a dishonest person without income

A disastrous, making a
$100,000 mistake seems
relatively minor when
stockbrokers have lost
millions by hitting the wrong key.
The following case proved to be dif-
ferent, however.
happen. The system’s developers had
neglected to build in a simple check
that would detect if the correct input
were missing.
This case raises questions about
what the minimum validation proce-
dures from a banking system devel-
or assets is overwhelmingly low in a
homogeneous country such as Nor-
way. Our user was thus extremely
unlucky. The person who received
her $100,000 transaction and kept
the proceeds has been sentenced to
prison, but this does little to help
An ordinary bank customer, Grete oped for ordinary users should be. It Fossbakk get her money back.
Fossbakk, used Internet banking also challenges us, as system design-
to transfer a large amount to her ers, to help users avoid such errors. LITIGATION
daughter. She keyed one digit too Today’s users operate alone in Fossbakk took the case to the
many into the account number field, front of a computer, with interme- Norwegian Complaints Board for
however, inadvertently sending the diates and colleagues replaced by Consumers in Banking. This board
money to an unknown person. This computer systems. This new reality deals with disputes between consum-
individual managed to gamble away makes it important to have interfaces ers and banks. The board has two
much of the sum before police con- that can offer as good as—or even representatives for the consumers
fiscated the remainder. better—error detection than that and two from the banks, with a law
Subsequently, the case received found in previous manual systems. professor as chair. In a three-to-two
extensive media coverage in Nor- vote, Fossbakk lost. The chair voted
way. The Minister of Finance criti- FOSSBAKK CASE for the bank, arguing that “she made
cized the bank’s user interface and The Fossbakk case provides an an error and has to take responsibil-
requested new and improved Inter- illuminating example. The Internet ity.” He also regretted that Nor-
net banking regulations. Suddenly, system she employed when mak- wegian regulations set no limit for
the risk to Internet banking had ing her fatal mistake was one com- a consumer’s loss in these cases, as
become apparent to both the govern- mon to a large group of Norwegian there would have been if Fossbakk
ment and ordinary citizens. banks. Reviewing this case provides had lost her debit card.
Clearly, the user made a slip. She insight into the types of typos that Fossbakk is now taking the case
also had the chance to correct the users make, the psychology behind to court, backed by the Norwegian
typo before she hit the confirm but- “confirmation,” and the pitfalls Consumer Council. She argues that
ton. However, as we shall see, the inherent in many Web-based trans- she typed 12 digits and that the bank
system also had every opportunity actions systems. Continued on page 106

108 Computer
T H E P R O F E S S I O N

Continued from page 108

system should have given an error entered 30 transactions each from a captured all but three. That is, of
message in this case, instead of ignor- predetermined test set. After remov- the nearly 1,800 transactions, three
ing all typed digits after the first 11. ing some outliers, this gave data on (0.2 percent) would have passed the
She has acknowledged she would 1,778 transactions. banking interface’s error-detection
have no case if only 11 digits had routines. Multiply this by the nearly
been typed. The bank argues that she Results 200 million Internet transactions
cannot prove by any measure of prob- Our student testers got 124 account performed each year in Norway,
ability that she keyed 12 digits. They numbers wrong, 7 percent of the and we see that this small percent-
further state that there cannot be dif- transactions. This error rate is higher age hides a massive problem.
ferent rules of responsibility depend- than we would expect in a real sys- In an improved interface, with a
ing on the number of digits given. tem. First, since analyzing faults is “too long” check, along with the
Finally, they stress that she confirmed our initial task, the simulator does modulo 11 routine, all errors made
the $100,000 transaction. not offer any error messages. How- in our test would have been cap-
At this point, I was called in as an ever, the user must confirm the trans- tured—except in cases where some-
expert witness for Fossbakk. In my action, just as in the real system, and one entered an account number from
opinion, and I should expect that of the count will not include any errors another transaction in the set.
most other computing professionals, corrected before confirmation. Analysis of customer identification
a system should give an error message numbers, also a part of the transac-
when the customer types a too-long It seems nonchalant tion, showed the same result. Add-
number. Clearly, such a test can be ing an extra digit in a sequence is a
inserted with a minimum of effort. to code software that lacks normal mistake. Missing a digit in a
In fact, the Financial Supervisory a detect-too-long number. sequence is also easy. This test found
Authority of Norway has required all these errors most commonly. If we
banks to implement this functionality ignore the error of typing another
based on the Fossbakk case. Second, the testers enter a large set account number from the set, “too
Reasonably, we could argue that of transactions. In some cases, the long” errors occur in 41 percent of
the bank showed negligence when account number for the preceding or the cases, “too short” errors in 35
developing the user interface in ques- following transaction has been used percent, and wrong 11-digit num-
tion. However, can we prove, beyond instead. This could happen in real bers in 24 percent.
doubt, that Fossbakk keyed 12 dig- life, but will be much more frequent Given these statistics, it seems non-
its? Since any digits beyond 11 were here since testers enter the trans- chalant to code software that lacks a
stripped from the HTML form, no actions from a list. Third, the test detect-too-long number. Since none
information log exists that can tell situation does not involve any real of the people who entered an extra
us what happened. money. We suspect that users would digit or missed one managed to fin-
verify transactions more carefully ish with an 11-digit number by mak-
BANK SIMULATOR when using a live system. ing yet another error, we can state
The answer to this case cannot be While the overall error rate might with high probability that Fossbakk
found in the literature. It seems that be higher, there seems to be no reason entered a 12-digit account number.
researchers lost interest in study- why the distribution of different error
ing keying errors when keypunches types should be any different from Confirmation
disappeared. We therefore decided what we would find in a real sys- This leaves us with the argument
to get our own data by implement- tem—an exception being the case in that she confirmed a $100,000
ing an “Internet bank simulator,” a which an account number is replaced transfer to the wrong account—as
simple interface that works similarly by another from the data set. did the students in 124 of our test
to the system Fossbakk used. In 29 percent of the cases with a cases. In addition, for every tenth
Our system consists of two forms. wrong account number, the num- transaction, the simulator replaced
In the first form we entered the data, ber ran too long. In half the cases the typed number with a similar-
date, customer identification number, where this happened, students made looking number before confirmation.
message text, amount, and account the same error as Fossbakk, insert- For example, it replaced the number
number. After hitting the “pay” but- ing an extra digit in a sequence of 70581555022 with 70581555502.
ton on this form, the data appeared in two or more identical digits. The In only five out of the 178 cases, 2.7
a new form for confirmation, allow- bank interface’s strategy of skipping percent, where this was done did the
ing the user to either confirm or edit digits beyond 11 would have given users recognize the error and correct
the displayed information. Students the correct number in 64 percent of the number.
from a college and some high schools, the cases. Of the remaining abbre- It appears that most people per-
69 testers altogether, engaged in viated numbers, the modulo 11 test form the inspection while keying,

106 Computer
not when the whole number is dis- If Fossbakk had used the manual ples from these areas have already
played onscreen. In many ways, this system instead—by writing a letter revealed misinterpretations between
is efficient. While keying, we can to her bank requesting the trans- systems and users that caused seri-
concentrate on one digit at a time, action—no responsible employee ous consequences. For all systems,
and after keying we have a large would have removed the 12th digit we must, as computer professionals,
number. If this seems correct, we hit of the account number in hopes this protect users from their own errors,
the “confirm” button. would correct the error. intercept all detectable errors, and
Psychologist Donald A. Norman We should expect more. The bank- give informative warnings when we
explains this behavior in his book, ing system could offer the account believe the user might have made an
Psychology of Everyday Things owner’s name as confirmation when error. The “she made an error and
(Basic Books, 1988). Here, a user an account number is entered. In must take responsibility” defense
confirmed deletion of his “most cases where this conflicts with pri- is too simple. We need systems that
important work.” According to Nor- vacy issues, a first name or alias work in collaboration with the user
man, the user confirms the action, could be used. The system could give such that the overall error rate drops
not the file name. Thus, the “con- a warning message whenever a pre- to a minimum. Yes, we need respon-
firm” part of the transaction, while vious pattern is violated. For exam- sible users, but a good system can
having some legal implications, has a ple, if we pay a utility bill of $100 handle most slips and typos they
minimal effect on detecting errors. to $300 each month, we should get make, as this case shows. N
a warning if the reported amount
ACCOUNTABILITY is way off in either direction. Fur- Kai A. Olsen is a professor at Molde
Like many new IT applications, ther, e-invoices and other automatic College and the University of Bergen,
Internet banking is effective. As procedures can limit the number of and an adjunct professor at the Uni-
users, we enjoy reduced costs and transactions that must be keyed in, versity of Pittsburgh. Contact him at
24/7 availability. However, trans- reducing the overall error rate. Kai.Olsen@hiMolde.no.
ferring real money based on instruc-
tions from possibly inexperienced Editor: Neville Holmes, School
humans who might slip up means n Fossbakk’s case, the banking
we must look to the system for help.
Developers must require that it
intercept as many errors as possible.
I system erred. Next time, it might
be a weapons system or medical
information system that fails. Exam-
of Computing and Information
Systems, University of Tasmania;
neville.holmes@utas.edu.au.

l f o r
Cal icles
Art e C o m putin
g

E Pe rvasiv s on t
he lat
est
IEE ul p a p e r
, u s ef ible sive, er va
a c ce s s men ts in p
seek s velop ics
viewe
d de g. Top
e putin
peer-r ou s c o m
biquit s of t w
are
b il e , an d u logy,
mo c h n o
te
ware g an d
e hard sensin
includ l-w o r ld n,
re , rea erac tio
s: s tru c tu t er int
d eline in f ra
an - co
m p u
r gui n , hu m g
A ut ho c/ io cludin
uter.o
rg /m inte r a c t
a tio ns, in y.
.comp s co n s
ide r privac
www .htm y s t e m u r it y, an d
u th o r an d s se c
sive /a bilit y,
p e r va
a ils: m e n t, scala
r det y
e deplo
Furth uter.o
rg
ive
co m p er vas
p e r va
sive@
.org/p
S
TEM

pute r
SYS
OUS
U IT

om U B IQ

w w.c
E AND
O B IL
w M

April 2008 107