For people who don't know, this bank (HDFC) was dinged and penalized by the central governing bank (Reserve Bank of India) because of the frequent outages of their banking systems.<p>They restricted the bank from issuing new credit cards for a year, which is a big penalty all things considered. Also, they were given a deadline to get their tech stable and they actually brought in an IT provider for the bank to fix things, which was a bit high-handed. But the bank was very big in the country and a failure can have cascading effects, which was the reason given by the central governing bank.<p>I believe it was the first of its kind in the country to penalize a bank because their tech was unstable.
Honestly, not too bad. At least it's organized as recognizable functions. It just has a lot of useless repetitions that should've been implemented as lookup tables or format strings.<p><pre><code> datestr += '<option value="" selected>-mmm-</option>';
datestr += '<option value="01">Jan</option>';
datestr += '<option value="02">Feb</option>';
datestr += '<option value="03">Mar</option>';
datestr += '<option value="04">Apr</option>';
datestr += '<option value="05">May</option>';
</code></pre>
and<p><pre><code> case "alphanumhyphen":
if(l_str.length >0 && l_str.search("[^A-Za-z0-9\-_]") >= 0 ){
if(p_alertFlg){
alert( p_fldTitle +" should contain Alphabets or Numbers or - or _");
}
return "alphanumhyphen";
}
break;
case "numeric":
if(l_str.length >0 && l_str.search("[^0-9]") >=0 ){
if(p_alertFlg){
alert( p_fldTitle +" should contain Numbers");
}
return "numeric";
}
break;
case "decimal":
if(l_str.length >0 && l_str.search("[^0-9.]") >=0 ){
if(p_alertFlg){
alert( p_fldTitle +" should be Numeric.");
}
return "decimal";
}
break;
</code></pre>
What is the correct term to describe this type of code?<p>I used to call it "Spaghetti Code". But I recently learned that it's incorrect. "Spaghetti Code" only refers to programs with messy and unclear control flows (especially unstructured programs that abuse <i>goto</i>), it's not the correct term for code with useless repetitions.
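A table-driven form of the two quoted snippets, as an added example (not part of the comment above and not the bank's code). `MONTHS`, `monthOptions`, `RULES`, `validateField` and `isStrictDecimal` are names chosen here, the months after May are filled in from the calendar, and the stricter decimal check is an assumption about the intended format.

```javascript
// Added example: lookup tables replacing the repeated lines quoted above.
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];

// Builds the same <option> markup as the quoted datestr concatenation.
function monthOptions() {
  let html = '<option value="" selected>-mmm-</option>';
  MONTHS.forEach((name, i) => {
    const value = String(i + 1).padStart(2, "0"); // "01".."12"
    html += `<option value="${value}">${name}</option>`;
  });
  return html;
}

// One entry per quoted case: a pattern that matches any disallowed
// character, and the message suffix taken from the quoted alert() text.
const RULES = new Map([
  ["alphanumhyphen", { bad: /[^A-Za-z0-9\-_]/, msg: "should contain Alphabets or Numbers or - or _" }],
  ["numeric",        { bad: /[^0-9]/,          msg: "should contain Numbers" }],
  ["decimal",        { bad: /[^0-9.]/,         msg: "should be Numeric." }],
]);

// Returns null when the value passes, otherwise { rule, message }.
// As in the quoted code, an empty string passes every rule.
function validateField(rule, value, fieldTitle) {
  const entry = RULES.get(rule);
  if (!entry) throw new Error("unknown rule: " + rule);
  if (value.length > 0 && entry.bad.test(value)) {
    return { rule, message: fieldTitle + " " + entry.msg };
  }
  return null;
}

// The quoted "decimal" pattern only rejects characters outside 0-9 and ".",
// so a value such as "1.2.3" passes it. This anchored check (an assumption
// about intent) requires digits with at most one dot.
function isStrictDecimal(value) {
  return /^(?:\d+\.?\d*|\.\d+)$/.test(value);
}
```

Checks like these run in the browser and can be bypassed by anyone sending requests directly, so the server has to repeat them.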
Flexcube is the same software package that caused Citi to accidentally send $900 million.<p><a href="https://arstechnica.com/tech-policy/2021/02/citibank-just-got-a-500-million-lesson-in-the-importance-of-ui-design/" rel="nofollow">https://arstechnica.com/tech-policy/2021/02/citibank-just-go...</a>
Doesn't look too bad to be honest, considering when it was written. There are some oddities like the functions "returnTrue" and "returnFalse". Other than that, don't fix what ain't broken?
They're pretty optimistic about how long this script will be in use:<p>```
if (l_y < 1900 || l_y > 9999)
{
l_err = 1 ;
l_errstring = "Year is invalid.";
}
```
On the topic of banks and software, I can't understand for the life of me why almost all of the banks in Canada and the US have a comical level of security. Most don't offer 2FA (of all the banks in Canada, the only one with 2FA is TD if I recall). Those who do only have 2FA through SMS so good luck travelling out of country. Many still have PIN-only passwords with a 4-8 digit limit...
Interesting to note that one of the consultants [1] who worked on this codebase 20 years back is now an architect in the same company.<p>```<p>25//2001 Gopi Yedla Changed code for new FD opening<p>```<p>The service company that wrote the code has changed its name from i-flex to Oracle Financials.[2]<p>Imagine finding the code you wrote today in a random internet discussion in 2040.<p>[1] <a href="https://www.linkedin.com/in/gopiyedla/" rel="nofollow">https://www.linkedin.com/in/gopiyedla/</a><p>[2] <a href="https://www.firstpost.com/business/biztech/i-flex-solutions-is-now-oracle-financial-services-1865643.html" rel="nofollow">https://www.firstpost.com/business/biztech/i-flex-solutions-...</a>
Okay, so, as you can see in the first page, it is in fact not from 2001, but instead at least 2017.<p>This is like saying that Windows 10 is from 1985. Just because the first version came out then doesn't mean the latest version did.<p>Also, just because something is old does not make it bad. How old is `mv`?
Honestly kudos to the team, I was expecting much worse.<p>I can't imagine having some JS I wrote in the early 2000's on the front page of hacker news for the world to see.
Given how old it is, it is pretty good. Maybe better than 80% of what else is out there.<p>Luckily today we have build tools to prevent us showing our dirty laundry in public.
I am obsessive about backwards compatibility, and I test back to Netscape 2.0 (the first JS platform). The magic of JS feature check abilities is that you can totally cover every browser.<p>There's a little bit of testing you have to do, because early browser wars resulted in intentionally added incompatibility gotchas, but it's not that bad.<p>The Web is an amazing and unique platform unlike almost any other available to us. We're so lucky to have it.
<p><pre><code> No part of this work may be reproduced, stored in a
retrieval system, adopted or transmitted in any form or by any means,
electronic, mechanical, photographic, graphic, optic recording or otherwise,
translated in any language or computer language, without the prior written
permission of i-flex Solutions Limited.
</code></pre>
This language would seem to make it legally awkward to even visit the web site, much less have this discussion.
<i>2001</i> ? That's positively recent and modern compared to Lockheed-Martin and their "our target platform is IE7 on XP, let's use a random JS script for DHTML menus we swiped off Geocities page in 1998 for Netscape 4 and IE4".<p>... to be honest I think that while it was one of the worst dependencies, it was still ages beyond the code they wrote themselves ¯\_(ツ)_/¯
When I see somewhat obtuse code like this, I often want to see how well I could refactor it using modern techniques. No frameworks or anything crazy, in this case just vanilla JS, but using current best practices and enhancements in both the language and JS at the browser level.<p>It's arguably a waste of time, but it does always seem like a fun challenge. I'm sure I'm not alone in this.<p>Is there a more constructive use of that time, while getting the same dopamine hit? I suppose the obvious answer is freelance markets, but I doubt many people are paying out for "just" refactoring.
HDFC & SBI being my major banks for the last one to two decades, SBI's online banking is way better than HDFC's although the former is a government bank.
Traditional companies just don't know about building software. They often start an IT transformation initiative because a consultancy firm told them they have to. But at best, still all the middle managers don't buy the idea and don't commit to it. Even when they do, they lack the knowledge and expertise to be successful and the company doesn't know how to train them. So they end up doing some stuff that may sound fancy on paper (Oh we are doing Serverless), but they are still building crappy integrations and they suffer from a bad communication structure.<p>Banks are innovating in traditional banking. They make fancier branches and better ATM machines, but they fail to innovate in the software space while their customers are increasingly using more digital interfaces. And that's how they can't compete with modern FinTech players when it comes to development pace. They just suck at software and there are lots of middle managers that unintentionally make it even harder.
The red flag is in the first 20 lines of code, after the comments. The original variable definitions were all formatted nice so that the values line up. Then later coders came along and added more stuff but didn’t bother following the original formatting, messing it up.<p>It’s a sign of the attitude of the programmers and probably reflects the quality of the actual business logic code as well.
I love this<p><pre><code> function returnFalse () {return false}
</code></pre>
and the fact that their home cooked date_val() function does not use their home cooked isLeapYear() and daysInMonth() functions, but uses its own, pretty much unreadable, leap year determination algorithm.<p><pre><code> var l_k=parseInt(l_y%100)
var l_m=parseInt(l_y/100)
if (l_d == 29 && ((l_y/4)!=parseInt(l_y/4)))
{
l_err=1 ;
l_errstring = "Date is invalid.";
}
if(l_k ==0){
if (l_d == 29 && ((l_m/4)!=parseInt(l_m/4)))
{
l_err=1 ;
l_errstring = "Date is invalid.";
}
}</code></pre>
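The quoted fragment transcribed into a function and compared with the standard Gregorian rule over the 1900 to 9999 range that the script accepts; this is an added example, not part of the comment above or the bank's script. It assumes the day is 29 and that the surrounding code, which the fragment does not show, has already established the month is February; the function names are chosen here.

```javascript
// Added example: does the quoted check reject 29 Feb in exactly the
// non-leap years? Variable names inside quotedRejectsFeb29 follow the quote.
function quotedRejectsFeb29(l_y) {
  const l_d = 29;          // assumption: day under test is the 29th
  let l_err = 0;
  const l_k = parseInt(l_y % 100);   // last two digits of the year
  const l_m = parseInt(l_y / 100);   // century part of the year
  // Year not divisible by 4: not a leap year.
  if (l_d == 29 && ((l_y / 4) != parseInt(l_y / 4))) {
    l_err = 1;
  }
  // Century year: leap only if the century part is divisible by 4,
  // which is the same as the year being divisible by 400.
  if (l_k == 0) {
    if (l_d == 29 && ((l_m / 4) != parseInt(l_m / 4))) {
      l_err = 1;
    }
  }
  return l_err === 1;
}

// Standard Gregorian leap-year rule, written the conventional way.
function gregorianLeap(y) {
  return y % 4 === 0 && (y % 100 !== 0 || y % 400 === 0);
}

// Returns the first year in [from, to] where the two disagree, or null.
// They agree when "rejects 29 Feb" is the exact opposite of "is leap".
function firstDisagreement(from, to) {
  for (let y = from; y <= to; y++) {
    if (quotedRejectsFeb29(y) === gregorianLeap(y)) return y;
  }
  return null;
}
```

Over that range the two agree for every year, so the fragment is hard to read rather than wrong.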
I have been using this bank for a while now and never bothered to check their client side code.<p>I am surprised to see their js based encryption code.<p><a href="https://netbanking.hdfcbank.com/jsdir/des.js" rel="nofollow">https://netbanking.hdfcbank.com/jsdir/des.js</a><p><a href="https://netbanking.hdfcbank.com/jsdir/HmacSHA256.js" rel="nofollow">https://netbanking.hdfcbank.com/jsdir/HmacSHA256.js</a><p><a href="https://netbanking.hdfcbank.com/jsdir/rsa.js" rel="nofollow">https://netbanking.hdfcbank.com/jsdir/rsa.js</a>
This reminds me of the issue I had faced on setting up an account on HDFC. I entered a very long password. When I tried to log in it kept failing. I was sure of the password. So I clicked on reset password. The bank sent me the plain password in email. And the password was cut off to 8 chars! This happened a decade ago though.
People are just spreading the rumor about the banks without knowing the security impact. Mr. Mihir Chaturvedi, do you know the impact???? Or are you just spreading this news for publicity or fame????
In the section 'modification history' at the top of the file, it has an entry:
> 18/07/2017 4.2 MEHUL SHAH FLEXENH-194- R_ZINE ONE<p>So, not exactly 2001.
Hm last comment from 2016.<p>But considering no date libraries were used and all browsers are covered, this is nice code.<p>To me the new array() is a bit odd, was var array = [] not available yet?
"The Ken" had a good article on the state of Indian banks' IT systems - <a href="https://the-ken.com/story/sorry-for-the-inconvenience-why-your-banks-systems-keep-failing/" rel="nofollow">https://the-ken.com/story/sorry-for-the-inconvenience-why-yo...</a> (behind paywall but a good read).<p>These are the "star" private banks, let's not get into the state of public banks.
Interesting timing, given that I'm currently running through hoops with a simple address change with their bank. Their web & mobile apps suck bigtime, and it looks like they aren't even making an effort to make online transactions easier.