This Tuesday morning, I went to bed carrying the weight of an experiment that gave me a temporary balance of almost BRL 10 billion (about USD 5.7 thousand million) in one of my bank accounts. Seriously. No wonder I couldn't sleep very well. I kept thinking how the day would end, and that was before it occurred to me that it could have been far, far more. If you found out a way to have a virtually unlimited supply of money for a day, what would you do?
Irrelevant details
Let me backtrack for a bit, but feel free to skip the net banking technical details straight to the next section. I've never thought of myself as a great software tester, but my track record of locating implementation flaws in Internet banking systems, out of black-box observation of the system behavior, has been pretty solid.
Last year, I wanted to invest in some funds at one of the banks in which I have an account, but the entry barrier was a bit more than I wanted to invest in them. I figured I could put the money in and take it out on the next day. However, once I put the money in, the option of scheduling future operations on that fund became available. I was about to schedule a withdrawal, but then I wondered, what if I told the system to add the exact amount I wanted to invest in that fund on the next day, and then I canceled the first operation? Without much to lose, I gave it a try. In spite of having canceled the initial deposit, the subsequent one was accepted, even though it was below the entrance barrier. Cool, eh?
At another bank, I found out I could perform both operations on the same day, because it accepted more than one operation per day per investment fund. Quite useful for investment funds with high entry barriers and long periods of retention. I didn't quite expect the bank to honor those investments. I discussed the situation with the bank managers, but they didn't seem too concerned. “No harm is done, so, if the system lets you do it, by all means, go for it”, both said.
It was at yet another bank that I ran into a far more disturbing flaw, also last year. It permitted even initial deposits to be scheduled for future dates, but it was robust enough to prevent the trick above. However, one day it happened that I had scheduled a withdrawal from one fund and a deposit to another fund for the same day. The deposit wasn't performed, presumably because the bank system attempted to process it before the withdrawn funds were available. I.e., it didn't find enough funds for the operation, so it didn't perform it. That behavior sucks, but that's not the really interesting part.
The interesting part was that I then canceled the scheduled operation, to perform it manually at a time I could see the funds were available, and I was surprised to find that my balance was still the amount I intended to invest. Looking at the transaction log for the day, I saw an entry that credited that amount, which was supposed to cancel the debit that it hadn't performed. I took note of it, mentioned it to the bank manager, and didn't think of it again. I couldn't believe that balance would survive long and, indeed, it disappeared overnight.
Last week, I had an identical situation occur to me, and I was surprised that the problem hadn't been fixed after so many months. Annoyed that the operation I'd requested hadn't been performed, I canceled it, performed it manually, and then, just to vent out my frustration, requested another investment using the virtual funds I'd been given. I told the bank manager what was going on, got a call from some technical person to whom I described the bug in more detail, and relaxed. I had been told just a week before that investment requests that would get me to a negative balance wouldn't be honored, so I was pretty sure at least one of the two requests would bounce. Surprise! It didn't, and the next day I had a very negative balance.
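The cancellation behaviour described above, modelled as an added example; this is not the bank's code or the author's, and the ledger model, the state names and every function name are assumptions made for illustration. It puts a cancel handler that posts the reversing credit unconditionally beside one that first checks whether the debit was ever posted, plus a reconciliation check over the day's log.

```python
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    SCHEDULED = 1   # waiting for its date
    POSTED = 2      # debit was applied
    FAILED = 3      # attempted, rejected for insufficient funds
    CANCELED = 4

@dataclass
class Op:
    amount: int
    state: State = State.SCHEDULED

@dataclass
class Account:
    balance: int
    log: list = field(default_factory=list)

    def process(self, op):
        """Scheduled run: debit only when the funds are available."""
        if op.state is not State.SCHEDULED:
            return
        if self.balance < op.amount:
            op.state = State.FAILED          # nothing was debited
            return
        self.balance -= op.amount
        self.log.append(("debit", op.amount))
        op.state = State.POSTED

    def cancel_flawed(self, op):
        """Posts the reversing credit whether or not a debit exists."""
        self.balance += op.amount
        self.log.append(("credit", op.amount))
        op.state = State.CANCELED

    def cancel_checked(self, op):
        """Reverses a debit only if one was posted; cancels at most once."""
        if op.state is State.POSTED:
            self.balance += op.amount
            self.log.append(("credit", op.amount))
        op.state = State.CANCELED

def unmatched_credit_total(log):
    """Reconciliation: net credits minus debits; above 0 means money was created."""
    return max(0, sum(a if kind == "credit" else -a for kind, a in log))

def run(cancel_name, opening=1_000, amount=5_000):   # constructed sample values
    acct, op = Account(opening), Op(amount)
    acct.process(op)
    getattr(acct, cancel_name)(op)
    return acct.balance, unmatched_credit_total(acct.log)
```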
Megabucks out of thin air
Once I came up with a plan to restore my balance, I wondered how far the bug went. I visited the web site and scheduled for the next business day (today) an investment of the highest amount possible: BRL 9,999,999,999, and told the bank manager about it, asking her to cancel it if it would cause any trouble. This morning, I checked that the operation hadn't taken place, and it was still there, so I proceeded to cancel it. And then I laughed for a couple of minutes as I saw a balance of nearly BRL 10 bi on my account.
I sent another e-mail to the bank manager and crashed in bed. I started to worry that the police might show up; that the bank manager hadn't seen my e-mail the day before and couldn't cancel the operation, and it would cause some big trouble for the bank; that the bank was going to call and offer me all sorts of investment opportunities; that I'd run into another bug because of such a huge number, and then it would overflow and I'd be stuck with insurmountable debt.
While I agonized over it, I realized I hadn't explored all the possibilities. I had scheduled only one operation for that day. What if I scheduled many? Say, with a few dozen such operations, at USD 6 bi apiece, for nearly 24 hours I could be “richer” than Carlos Slim, Bill Gates, Warren Buffett, Larry Ellison, Eike Batista and the other top 10 richest people in the world, plus the family that owns WalMart, all together.
I sent yet another e-mail to the bank manager, but before I decided whether or not to give that a try, the bank called me back this afternoon and told me they'd fixed the bug, and the fix would go live overnight. The anxiety and the excitement were over. I still had a balance of BRL 10 bi for some 12 more hours, but, put in the perspective above, it didn't sound like a lot any more.
Facing the moral and ethical dilemma
Only then did I start wondering what good I could have done if, instead of being honest and helpful to the bank, I had taken advantage of the bug to get as much money as I possibly could and do good things for humankind.
I would have to give up my life as I know it, and have to live on the run or even put an end to it, without any certainty that the good I'd tried to do was carried out for good. Assuming, of course, that the attempts to transfer any significant fraction of these funds out of the bank before the end of the day would even succeed rather than get me in jail.
Still, I wondered, how much would it take to distort the stock market enough to crash the stocks of Microsoft, Apple, Oracle, Adobe, etc., so they'd stop doing harm? How much would I have to transfer away from this multi-national bank for it to go insolvent itself, and take a lot of the international financial market that rules the world with it? Heck, how much would it take to buy enough stock to control all these banks and non-Free Software businesses and, why not, even some somewhat-Free and nebulous computing businesses as well, and then donate all the stock and remaining funds to the network of FSFs?
It's too late now, and I'm somewhat comforted by not having thought of it while it still was. I'd have faced a very difficult moral and ethical dilemma otherwise. But now that I thought of it, I'm having a bit of a hard time convincing myself that sacrificing my own life as I know it wouldn't have been a small price to pay to get all of these businesses to do good for humankind, instead of pursuing maximum profit at the expense of humankind.
What do you think? What would you have done, given this opportunity?
So blong...