Wednesday, 20 April 2011

02/24 - Changing the ClieOp3 file and the hash totals with the elfproef

Several financial applications can generate batch payment files, which can be used in electronic banking applications. In the Netherlands these files are in the ClieOp3 format and contain the approved payments from the company account to other accounts. The ClieOp3 file is saved in a folder (which can be a network share) and is then uploaded to the electronic banking application. Before the bank processes the payment, the bank needs verifications from users at the company. These users check the hash totals and the total amount to make sure that the payments and bank account numbers are correct. The ClieOp3 file can contain several batches, and for each batch a batch trailer record is calculated and included. This batch trailer record contains the total amount, the total of the account numbers and the number of items.
For example, suppose we want to make 10 payments from account number 101.066.848 to the following bank account numbers: 265.491.118, 343.679.906, 509.446.671, 243.459.238, 123.456.789, 569.997.518, 521.735.416, 543.282.252, 465.826.105 and 602.496.071. The sum of the bank account numbers would be 5.199.539.564 (all the numbers above plus ten times the from account number).

The ClieOp3 format is complemented with an electronic order letter. This letter accompanies a batch and is sent to the bank separately. The electronic order letter also contains some batch totals, including the total of the account numbers and the number of items. These totals are used by the bank to check whether the batches were received correctly. However, only the rightmost 5 digits of the total of the account numbers are used in the electronic order letter. In this example the total would be 39.564. So if I want to change the last account number in the ClieOp3 file from 602.496.071 to 123.456.789, I have to make sure that the sum in the batch trailer record is updated and that the rightmost 5 digits of the sum correspond with the previous sum. This means that I will have to change the second to last account number from 465.826.105 to 944.865.387.

Unfortunately, there is another check in the Netherlands, called the elfproef (comparable with the ISBN-10 check). Each digit is multiplied by its position in the number (counting from the right), and the sum of these products modulo 11 must be 0.

This means that the new number we generated for the second to last account is not correct. The result of the elfproef leaves 77 and should be zero. So the bank account number needs to be changed to meet the elfproef. Fortunately, the electronic order letter only checks the rightmost 5 digits. When only the leftmost 5 digits are changed, the total of the account numbers in the electronic order letter will not change. So changing the second to last bank account number from 944.865.387 to 265.865.387 leaves the control total in the electronic order letter unchanged.

So the ClieOp3 file contains the following account numbers: 265.491.118, 343.679.906, 509.446.671, 243.459.238, 123.456.789, 569.997.518, 521.735.416, 543.282.252, 265.865.387 and 123.456.789. The sum of the bank account numbers in the ClieOp3 file needs to be adjusted to 4.520.539.564.

This means that anyone with access to the ClieOp3 file can change the account numbers in such a way that when the ClieOp3 file is checked against the hash, the file will turn out correct. So the people that verify the bank payments should check every single bank account instead of only the hash totals.
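
The per-account check recommended above, as an added example (not code from the original article): it recomputes the elfproef, the batch trailer total and the 5-digit order letter total for the two account lists in this post, then compares the file against the approved list. The function names, and the assumption that the approved list is exported from the source financial application, are illustrative.

```python
# Added example; account numbers are copied from the article's worked example.
from collections import Counter

SENDER = "101066848"
# Assumption: the approved list is exported from the source financial application.
APPROVED = ["265491118", "343679906", "509446671", "243459238", "123456789",
            "569997518", "521735416", "543282252", "465826105", "602496071"]
IN_FILE = ["265491118", "343679906", "509446671", "243459238", "123456789",
           "569997518", "521735416", "543282252", "265865387", "123456789"]

def elfproef(account: str) -> bool:
    """9-digit number passes when sum(digit * position from the right) % 11 == 0."""
    if len(account) != 9 or not account.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(account, range(9, 0, -1))) % 11 == 0

def account_total(sender: str, payees: list) -> int:
    """Batch trailer total: every payee plus the sender once per payment."""
    return sum(int(p) for p in payees) + len(payees) * int(sender)

def order_letter_total(sender: str, payees: list) -> int:
    """The order letter carries only the rightmost 5 digits of that total."""
    return account_total(sender, payees) % 100_000

def changed_accounts(approved: list, in_file: list) -> tuple:
    """Per-account comparison: (approved but missing, present but not approved)."""
    a, f = Counter(approved), Counter(in_file)
    return sorted((a - f).elements()), sorted((f - a).elements())

def review(sender: str, approved: list, in_file: list) -> dict:
    """Run the aggregate checks and the per-account check side by side."""
    missing, unexpected = changed_accounts(approved, in_file)
    return {
        "order_letter_total_matches":
            order_letter_total(sender, approved) == order_letter_total(sender, in_file),
        "item_count_matches": len(approved) == len(in_file),
        "all_pass_elfproef": all(elfproef(p) for p in in_file),
        "missing": missing,
        "unexpected": unexpected,
    }

if __name__ == "__main__":
    for check, result in review(SENDER, APPROVED, IN_FILE).items():
        print(f"{check}: {result}")
```

All three aggregate checks report success for the altered list, while the per-account comparison lists the two replaced payees.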

It should be noted that only the person that needs to generate the ClieOp3 file needs write access to the folder where the file is saved. The person that uploads the file to the banking application only needs read access.

The person that saves the file is also the person that can change the ClieOp3 file. So even if the rights on the folder are restricted, it will be necessary to verify the bank account numbers in the electronic banking application.

