556

News reports such as this one indicate that the above number may have arisen as a programming bug.

A man in the United States popped out to his local petrol station to buy a pack of cigarettes - only to find his card charged $23,148,855,308,184,500.

That is $23 quadrillion (£14 quadrillion) - many times the US national debt.*

In hex it's $523DC2E199EBB4 which doesn't appear terribly interesting at first sight.

Anyone have any thoughts about what programming error would have caused this?

Russia Must Remove Putin
Roddy
  • 31
    bored gas station attendant? – txwikinger Jul 15 '09 at 19:54
  • 3
    I was just wondering the same when I read an article on CNN about this. Especially since my company charges credit cards. This is the kind of potential bug that keeps me awake at night. – Dinah Jul 15 '09 at 19:54
  • @txwikinger: nope. Error in Visa's code – Dinah Jul 15 '09 at 19:56
  • 217
    Well Obama did say that he had a new stimulus plan in the works to ease the deficit... – Christopher Klein Jul 15 '09 at 19:56
  • 1
    I understand that Visa and other credit-card companies typically charge a 1 to 3% commission on transactions. On this transaction, that would be over 200 Billion dollars. I believe they should have logic that requires human approval for any transaction over $100,000 (eg. $1,000 commission). – abelenky Jul 15 '09 at 19:58
  • 25
    Exactly what kind of credit card does this guy have that that transaction went through and triggered a mere $15 in overdraft fees... Gas station also probably unhappy about the 2% credit card processing fee on that. – Nick Bastin Jul 15 '09 at 19:59
  • 42
    Easter egg from a programmer that is soon to be fired ;) – Matthew Whited Jul 15 '09 at 19:59
  • @Christopher I really like that. One John Doe will now be financing our country, everyone else is exempt from taxes. Here's $100 for good measure. – samoz Jul 15 '09 at 20:03
  • 1
    See http://www.theregister.co.uk/2009/07/15/quadrillion_dollar_visa_overcharge/ – Nathan Koop Jul 15 '09 at 20:11
  • @tim. I guess it may not be sufficiently "programming-related". However, I've got a 'real' answer, so I feel it's a real question! – Roddy Jul 15 '09 at 20:15
  • What I don't understand is why he got a bill for a prepaid card. – Nosredna Jul 15 '09 at 20:18
  • @nosredna - I am guessing that you pay some amount up front (say $1000) and then you get statements periodically showing how much is left on it. I don't know though – Tim Jul 16 '09 at 02:18
  • 1
    @Dinah: no, I think this is a trivial (by perception, not by actual complexity) bug. Nobody* will actually believe they owe that amount. *FSVO nobody. – Adriano Varoli Piazza Jul 16 '09 at 14:32
  • 5
    Not that many times the national debt, unfortunately. – John Jul 16 '09 at 17:56
  • 28
    Maybe this is some kind of new anti-smoking campaign. ("See how much smoking really costs you!" :-) – Slapout Jul 16 '09 at 18:02
  • @Adriano like no one believes RIAA will sue Jamie Thomas-Rasset 1.92 Million USD for 24 songs downloaded? http://arstechnica.com/tech-policy/news/2009/06/jammie-thomas-retrial-verdict.ars – pageman Aug 09 '09 at 07:39
  • 1
    if about 13000 people from a population of 303 million were affected, then the chance of it happening (13000/303000000 = 4.3e-5) puts it on the same order of magnitude as an uninitialised 16 bit number having a specific value. Just sayin'. (1/65535=1.5e-5) (I know that population != credit card transactions, but I don't have any statistics on those) – Markus Aug 09 '09 at 09:04
  • Newly enacted cigarette taxes? – BP. Aug 13 '09 at 22:46
  • 7
    They mixed up American and Zimbabwe dollars – Macha Aug 13 '09 at 22:47
  • Really? You're gonna bump it because you want to remove the dollar sign (these are dollars we are talking about) and add `0x` to it? – GManNickG Aug 14 '09 at 01:13
  • @GMan - yeah, a bizarre edit by someone! As a Delphi coder, I use "$" for hex naturally. – Roddy Aug 14 '09 at 12:09
  • @Christopher: +1 for hilarity – Kevin Laity Oct 22 '09 at 01:14
  • 11
    I just up-voted this Question, which put the count to 255. Then I clicked to make it a favorite which brought that count to 127. THIS ENTIRE THING IS SPOOKY. – micahwittman Nov 27 '09 at 08:20
  • Scary. I had to "favourite" my own question just to get it past the 127 value! – Roddy Nov 27 '09 at 11:19
  • 1
    The new guy made a few fixes to the old COBOL code that everyone is afraid of – John La Rooy Mar 19 '10 at 21:06
  • Whoa, a number 23 in the beginning is indeed magical, I've heard about it in the LOST TV show. – Dan Ganiev Sep 18 '10 at 19:48

7 Answers

1447

Add the cents to the number and you get 2314885530818450000, which in hexadecimal is 2020 2020 2020 1250.

Do you see the pattern? The first six bytes have been overwritten by spaces (hex 20, dec 32).

Shaihi
Guffa
239

Hold on a second; there’s something fishy going on.

While the space-padded explanation certainly seems good, it may be (at least partly) specious.

VISA said that there were “fewer than 13,000” customers affected by the snafu with the Visa Buxx pre-paid cards. I’ve found news on several so far. Josh Muszynski in New Hampshire, Jason Bryan in Tennessee, Ron Seale in Texas, Karen Taylor’s teenage son in Bethel, and a teenage girl, Elizabeth Lewis in Owatonna.

The thing is that all of them have the exact same charge: $23,148,855,308,184,500.00. If the problem was the space-padding, then how is it that all of them had the exact same $0x1250 ($46.88) charge? Two of them had purchased cigarettes at gas stations, another two had paid at restaurants, Lewis bought eggs and milk, the last one at a drug store. Do all these varied items happen to cost the same? $46.88 for a restaurant bill seems okay, but for a pack of cigarettes? for milk and eggs‽

The space-padding error makes sense, except it does not account for the 0x1250 constant. Why is it that all of them ended up with 0x2020 2020 2020 1250 instead of 0x2020 2020 2020 2020 or different numbers in the last WORD?

Hmmm, if only 13,000 customers were affected, it may be that somehow that exact, specific charge triggered the error. In that case, it is more than just a field error. If it was just the text field being interpreted as a 64-bit integer, then why didn’t other amounts cause it, thus affecting everyone, not just <13,000? Still, how is it that 13,000 people could have just happened to charge the exact same amount in the same week?

They say it’s a “temporary programming error”, and it may well be, but could it be a hacking thing? In that case, it probably would be a magic-number. In fact, it may be a combination of both: some hacker putting a 0x1250 automatic charge, that got combined with the space-padding error, causing one or both errors to be detected.

The Register thinks that the answer is indeed the padded-field error, but does not expand on why they are all the same, although one of the comments mentions the number possibly being rounded to the nearest $100 (unlikely since banks and banking software explicitly go to lengths to ensure precision).

(There is also a report of a similar, earlier error.)


Jason Bryant’s bill:

Elizabeth Lewis’s bill:

Ron Seale’s bill:

Josh Muszynski’s bill:


Synetech
  • Another one in salem: http://www.1010wins.com/Visa-Accidentally-Bills-New-York-Teen--23-Quadrill/4867372 – Otto Allmendinger Jul 24 '09 at 16:58
  • That article doesn’t specify the number, but I think it is safe to assume that it is identical to all the others. – Synetech Jul 24 '09 at 18:03
  • 8
    Possibly the number hex 1250 = dec 4688 is the minimum to cause some sort of extra methods of fraud checking. If it is exactly equal to this a bug in the code is introduced? – PeteT Aug 09 '09 at 04:12
  • 6
    +1 can you imagine what would happen if the 13,000 customers did a chargeback at the same time? :P – pageman Aug 09 '09 at 07:43
  • 11
    @petebob796 actually each byte is treated separately, so 1250 (12 50) is 18 and 80. 18 is a control char and 80 is capital P (at least in ASCII). Hmmm... Ctrl+P? – WildJoe Aug 09 '09 at 07:49
  • 1
    $12.50 is a relatively small and round number. It's not at all surprising that out of millions of transactions 13,000 had that exact amount. But it does need to be combined with some other logic flaw that triggered the overwrite. – Tom A Aug 23 '09 at 20:35
  • 4
    12.50 is small and round, but it's a completely different number from 0x12.50. And if there's anyone out there paying $12.50 for one pack of cigarettes, I'm glad I quit. –  Nov 22 '09 at 17:22
  • Roger and TomA, it is not $12.50; that is a hexadecimal number. The decimal number (and value) is $46.88; hardly a nice, round number, and certainly not a common value for all those different items purchased (cigarettes, restaurant, milk & eggs). By the way, you think $46.88 (or even $12.50) for cigarettes is bad? try paying that for milk and eggs. – Synetech Nov 25 '11 at 03:16
62

What happens when you make a purchase by card is that the software immediately goes online to ensure you have sufficient funds for the purchase, but only places a hold on the funds for the transaction. At the end of the working day the software then gathers all the transactions placed in the last 24hrs and submits them to the acquiring bank for processing.

The submission to the bank is known as settlement, and it's done by sending a plain text file in a very rigid format. (This was all developed decades ago and the number of systems now using it makes it hard to modernise)

Each transaction appears in the file as a line of text, and part of that is the transaction value. This field should be 11 numeric characters (zero padded on the left hand side) and will always hold the value in lowest common denominator (in this case cents). 11 numeric characters caters well for values in any currency.

Looks like the payment processor in this case had made some changes to their submission software and erroneously replaced the zero padding with space padding. Quite how this got by a) service provider, b) acquiring bank and c) Visa without being picked up escapes me. The net value of that settlement file (13,000 high value transactions) would have been astronomical, and maybe that also was a contributing factor somewhere.

PaulG
  • 15
    "11 numeric characters caters well for values in any currency." -- what about Zimbabwean dollars? – quant_dev Aug 09 '09 at 11:43
  • 6
    Who's paying by VISA in Zimbabwe? (^_^) – ЯegDwight Aug 11 '09 at 01:23
  • That's a good comment. But if it was a software glitch, then there's no proving that a) service provider, b) acquiring bank and c) Visa all saw it at all. It could have arisen at any point. – Isaac Lubow Aug 29 '10 at 04:05
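The six leading space bytes pointed out in the top answer, and the 11-character zero-padded amount field described in the settlement answer, as an added Python example that is not part of the original answers. The function names and the sample field values are constructed for illustration; the only page values used are the charged amount and the field width.

```python
import struct

CHARGED_DOLLARS = 23_148_855_308_184_500  # amount quoted in the question
FIELD_WIDTH = 11                          # field width stated in the settlement answer


def amount_bytes(dollars: int) -> bytes:
    """Amount in cents as a big-endian unsigned 64-bit integer."""
    return struct.pack(">Q", dollars * 100)


def leading_spaces(raw: bytes) -> int:
    """Count leading 0x20 (ASCII space) bytes."""
    return len(raw) - len(raw.lstrip(b" "))


class FieldError(ValueError):
    """Raised when the amount field breaks the fixed-width format."""


def parse_amount_field(field: str) -> int:
    """Strict parse: exactly FIELD_WIDTH ASCII digits, zero padded, in cents."""
    if len(field) != FIELD_WIDTH:
        raise FieldError(f"expected {FIELD_WIDTH} characters, got {len(field)}")
    if not (field.isascii() and field.isdigit()):
        raise FieldError(f"non-digit character in amount field: {field!r}")
    return int(field)


def lenient_parse(field: str) -> int:
    """A careless reader: int() silently strips the space padding."""
    return int(field)


if __name__ == "__main__":
    raw = amount_bytes(CHARGED_DOLLARS)
    print(raw.hex(" "), "->", leading_spaces(raw), "space bytes")
    # Constructed samples: the same amount written zero padded and space padded.
    for sample in (f"{4688:011d}", f"{4688:11d}"):
        try:
            print(repr(sample), "strict:", parse_amount_field(sample))
        except FieldError as exc:
            print(repr(sample), "rejected:", exc)
        print(repr(sample), "lenient:", lenient_parse(sample))
```

The lenient path accepts the space-padded field without complaint, which is why a format check at each hop has to test the characters themselves and not just whether the field converts to a number.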
20

If you remove the trailing zero, this validates as a VISA card number. My guess is they swiped the card then manually entered the number, thinking the swipe had failed.

  • 9
    lol - Have we just published his Visa Card number?.. What was his name again? – ian_scho Jul 16 '09 at 15:32
  • 4
    p.s. THIS is the most likely answer, the 200+ upvotes for the first answer are by geeks :) There are around 50+ Billion Visa Transactions a year. – ian_scho Jul 16 '09 at 15:37
  • 14
    No, it was a bug, not a usage error. About 13000 customers were affected by this bug. – Guffa Jul 16 '09 at 15:52
  • 8
    What's the likelihood that the first six bytes would be spaces by sheer chance? – Robert Harvey Jul 16 '09 at 15:56
  • 1
    Unlikely.. there were multiple transactions with different customers, all involving the exact same amount! – Roddy Jul 18 '09 at 11:38
  • John Rasch: Really? I didn't know that! So why do we always have to indicate whether it's Visa, Mastercard, etc. when we're shopping online? – Tyler Aug 09 '09 at 04:12
  • @MatrixFrog: Not always. Some sites do recognize the card just by the number. – Chetan S Aug 09 '09 at 07:23
  • 1
    @MatrixFrog: It's a legacy left over from Visa/Mastercard merchant contracts that require merchants to force the user to identify the card. This was a really bad attempt at improving security by obscurity - making the assumption that it's hard to guess the card issuer if you only had the number. The issuer was verified against the value that user selected. However the lead card number patterns are well known to developers and CC thieves so it's not really "required" any more. – Paul Alexander Aug 13 '09 at 05:59
  • How would you be able to enter such a big price to any payment system? Apparently, databases support $ quadrillion, but not the 4 millionth entry of anything (assuming the ID number is a 32-bit integer). :-p – Constantino Tsarouhas Oct 25 '11 at 20:23
10

The ultimate mystery is still where 12 50 is coming from. They are the ASCII codes for Ctrl+R, P. Which happens to be the secret keystrokes you have to type to enter the validation code for QuickBooks.

Link: Where to enter Validation code

Quite a coincidence. I wonder what happens when you type these keys in the wrong place...

Hans Passant
7

If you shift the 64-bit representation 8 bits left (multiply by 256), you will get a well-formed credit card number and 3 empty positions for those 3 secure extra numbers (all zeroes for some reason). There is only a 1 in 10 chance that a random number gives a well-formed CC number.

5926 1069 5889 5232 000

6

If you use the binary equivalent (1110101110110100) decode of the number 23148855308184500, you get K鑛, which is the Mandarin character for mining and ore. Kmine could mean "knowledge mine," or something like kmine Holdings Ltd. Perhaps there's a correlation between K(mine or ore) and Bank of America or Visa?

  • 56
    I think everything is much more deeper that this. If you multiply this number by the height of Pyramid of Khufu and then multiply every third number by 2012 you will get exactly 1/666 length to the Alpha Centauri. – serg Jul 17 '09 at 15:15