19-Jan-87 20:17:08-PST,10435;000000000000 Mail-From: NEUMANN created at 19-Jan-87 20:15:51 Date: Mon 19 Jan 87 20:15:51-PST From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 4.41 Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest Monday, 22 January 1987 Volume 4 : Issue 41 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Audi 5000 recall (Dave Platt) UK EFT Risks (Brian Randell) Another Bank Card Horror Story (Dave Wortman) Stock Market behavior (Rob Horn) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.) ---------------------------------------------------------------------- Date: Fri, 16 Jan 87 10:09:47 PST From: dplatt@teknowledge-vaxc.ARPA (Dave Platt) To: risks@csl.sri.com Subject: Audi 5000 recall Audi has announced a total recall of all pre-'87 Audi 5000s equipped with automatic transmissions. The recall is an extension of the earlier, voluntary callback of these cars to equip them with the shift-lock device, and to inspect and if necessary correct the idle valve. Audi is not, at this time, replacing any microprocessor components, nor have they admitted or agreed that any such replacement is necessary. [The National Highway Traffic Safety Administration has been informed of "5 deaths and 271 injuries related to the problem." PGN] ------------------------------ Date: Mon 19 Jan 87 20:06:26-PST From: Peter G. Neumann Subject: Air Traffic Control Safety -- 1986 To: RISKS@CSL.SRI.COM SF Chron 15 Jan 87 via Cox News Service: Reports of near collisions involving commercial aircraft jumped 37.6% nationwide in 1986... 329 near collisions involving at least one commercial aircraft... (239 in 1985) 49 of the 1986 accidents were clasified "critical", meaning that chance rather than pilot action prevented a collision... FAA officials dismiss the notion that the air traffic control system is not back up to speed. Agency officials attribute the increase in part to an improved reporting system, heightened public awareness about air safety, and increased air traffic. SF Chron 16 Jan 87, p 25 (UPI): Air traffic controllers at Southern California's primary radar center destroyed evidence, falsified reports and lied to investigators to conceal errors that placed airplanes on collision courses... [quoting article from th Orange County Register] "On February 16, an 18-passenger Skywest Airlines commuter jet and a six- passenger private plane were within 3.8 miles of each other and on a collision course when an air traffic controller reportedly turned off the computer that was tracking them." ... "On February 13, a conflict alert signal went off three times, warning a controller that a 105-passenger DC-9 and a 12-passenger private jet were within 2.5 miles of each other and on a collision course. ... the controller turned off the alert each time to try to conceal his error." ------------------------------ From: Brian Randell Date: Mon, 19 Jan 87 13:00:21 gmt To: RISKS@csl.sri.com Subject: UK EFT Risks EXTENT OF UK EFT RISKS The Jan 15 issue of Computer News carried an account of a talk by Detective Inspector John Austen of the Computer Crime Unit at New Scotland Yard which contained statistics and comments about the use of EFT in the UK, and of the possible risks due to criminal action. It is contained in a lengthy article describing a BCS Security Committee Seminar for the National Computer Users' Forum, held recently in London. I found the following comments, especially the statistics quoted, particularly interesting/alarming, so thought them worth reporting to RISKS: "EFT now represents 83% of the value of all things paid for - money transferred - in Britain. Money, as an invisible export is a major and vital part of our GNP. Foreign exchange markets in London transfer $200bn daily using EFT via satellite. The transactions take a very short time, and once complete there is no calling them back. A lot of people are aware of this. And many, both here and abroad, are prepared to steal from EFT systems. The rewards are tremendous." "Companies, and even the economies of smaller countries, could be crippled by a sustained hit on EFT systems. Terrorists, such as the Middle East factions, the IRA and the Red Army Faction are particularly aware of this - and they need money. The Red aRmy Faction has already, unsuccessfully, made moves to intercept EFT in Germany. They and others will try again." Brian Randell - Computing Laboratory, University of Newcastle upon Tyne ARPA : brian%cheviot.newcastle.ac.uk@cs.ucl.ac.uk UUCP : !ukc!cheviot!brian JANET : brian@uk.ac.newcastle.cheviot ------------------------------ Date: Mon, 19 Jan 87 10:51:12 est From: Dave Wortman To: risks@CSL.SRI.COM Subject: Another Bank Card Horror Story The automatic teller machines (ATMs) supported by our local bank are fairly typical. Each customer has a magic card that references a checking account, a savings account, a credit card and perhaps some other accounts. These are called "checking", "savings", "other#1", etc. The ATM system never discloses the real account number. I recently had a very disconcerting run in with this system. My bank card and accounts have been in existence for several years. Recently I went to my local bank and opened a new account. Unbeknownst to me, the act of opening a new account changed the designation of accounts on my bank card. What had been my primary checking account was bumped to other#3 and my new account became my primary checking account. Apparently the bank card uses indirect references since these changes happened some night without the bank getting their hands on my card. I do not know if the problem was a human error in the setting up of my new account or a programming error in the ATM system software. I was lucky, the new account I opened happened to be in a foreign currency and so the ATMs started rejecting all transactions against my "checking" account. I discovered the explanation given above only after a couple of frustrating weeks and a couple visits to my bank. Things could have been a lot worse! If the new account had not been rejected immediately by the ATM then I might not have discovered the problem until the next round of bank statements a month or so hence. In the meantime my accounts could have become hopelessly fouled up. Independent of whether my problem was caused by a processing error or by a software error, I think my experience demonstrates several inadequacies in the design of the ATM "system". 1. the carefully negotiated interface between the user and the bank should NEVER change without the knowledge of both parties. Normal procedure is for it to change only upon written request by the user. 2. There should be a better mechanism for the user to verify that the interface defined by the bank card corresponds exactly to the user's expectations. 3. There should be more immediate feedback in the system in the case of errors or changes. Because of the foreign currency problem described above, I happened to get a fairly immediate indication that something was wrong. In the worst case, I might have not received any indication that something was wrong until the first bank statements for the new account arrived (typically 1.5 MONTHS). ------------------------------ Date: Thu, 15 Jan 87 22:13:57 est From: wanginst!infinet!rhorn@harvard.HARVARD.EDU (Rob Horn) To: risks@sri-csl.arpa Subject: Stock Market behavior The impact of computer trading on the stock market, and in particular the ``triple witching hour,'' has not gone unattended by the stock market directors and regulators. Their response has shown considerably more insight into market behavior than might be expected. They have not considered computers to be the problem. The problem of the ``triple witching hour'' is that during a few hours on the third friday of each third month (typically from 3-4PM) there is an immense burst of market activity as major participants rearrange their computer selected portfolios. (This particular time is triggered by the expiration time of a key financial component in these ``computer based'' trades.) Before these trading programs, hearing that someone needs to sell 100,000 shares of IBM quick, like in the next 5 minutes, meant that there was a major problem at IBM. Many people still react in panic when they hear such news. These habits and expectations where being greatly shocked by massive shifts like this which merely reflected trivial adjustments between stock prices and interest rates. For the previous two witching hours, and for the forseeable future, market makers are now required to publish their required major stock trades several hours in advance on these Fridays. This gives all the other participants time to evaluate the trades and determine what they mean. It also seems to be working. Both Friday's had trading volumes just as huge as other such Fridays, but did not suffer from the sudden pricing shocks. Prices were quite well behaved with no unusual changes. Based on prior behavior the odds that two in a row would be this orderly is between 10-20%. March really tell whether this added information flow is really all that is necessary for the stock market participants to properly interpret the meanings of these massive stock trades. It does look promising. Rob Horn UUCP: ...{decvax, seismo!harvard}!wanginst!infinet!rhorn Snail: Infinet, 40 High St., North Andover, MA ------------------------------ End of RISKS-FORUM Digest ************************ -------