23 April 2014

Finance technology etc

Elton Cane - Independent

113 | posts 440,256 | views 54 | comments

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and anlaytical techniques for bank card and financial services organisations.
A post relating to this item from Finextra:

Halifax facing chip and PIN fraud lawsuit

07 January 2008  |  14429 views  |  0
UK high street bank Halifax is facing a lawsuit brought by a customer who claims that fraudsters cloned his chip-based card and withdrew £2100 from his account at ATMs.

Update on Halifax EMV lawsuit

12 February 2009  |  7261 views  |  7

We were contacted recently by Alain Job, who filed a lawsuit last year against Halifax over an alleged fraud instance on his EMV chip card, for which the bank is holding him responsible. Our news story here, and good analysis by Finextra Community members here.

Alain says the case is due to be heard in April this year and wanted to answer some of the questions people had in the blogs and comments on Finextra after we ran the story. His statement:

"The card in dispute was EMV, and Halifax has refused to produce the card unique key and is saying it has destroyed the disputed transactions' authentication data (following card issuer advice, Visa in this case) even from back up computers, which is extraordinary in such a case.

"I maintain that I had my card with me throughout the disputed transactions  and Halifax is simply saying that, as the places where the transactions  occurred were close to my (former) house, it must have been me, adding that there was no attempt to take money from the account after I had reported the fraud.

"Halifax's defense is simply that it is not aware of any instance of a Chip and PIN card being cloned and used to withdraw money from ATMs in the UK."

I don't know if Halifax's defense is actually more sophisticated than Alain describes. But if they have destroyed all records of the transaction cryptograms - the code created during the transactions using the chip's secret key - then they can't possibly prove that either the chip or a copy of the chip was used.

If they're only relying on geographic co-incidence of the transactions, and Chip and PIN's supposed security track record - as Alain describes - I suspect they are on pretty shaky ground.

Or am I missing something else that Halifax might have up its sleeve?

TagsCardsSecurity

Comments: (7)

Marite Ferrero - CardSwitch Technology - London | 12 February, 2009, 19:03

 

Authorization request message is key to solving this case.

It can show if it was due to a 'fallback'. It can show how the card was 'read' and authenticated. If a yes card was used, its surprising that it (yes card) wasn't used to do other fraudulent transactions.

Authentication is different than authorization. Authentication happens before Authorisation. Authentication is local. Authorisations are online.

Halifax contention that it must be Alain Job's card since it happened in the same geographical area is rather flimsy. 

 

David Griffiths - gryffle - Hertford | 13 February, 2009, 10:58

So ...

This case is becoming more interesting, or not.

You are spot on Marite, the authorisation message would solve the issue, but neccessarily satisfactorily.

The authorisation message would confirm whether the withdrawals were fallback transactions.  If they were fallback, the card could easily have been cloned (magstripe copy from the chip or the stripe), and used with a shoulder surfed PIN.  It is possible that this happened, and the Halifax switched off the fallback ability on the ATMs following the reporting of the fraud, which would explain why the fraud stopped after it was brought to the attention of the Halifax people.  Mag stripe copies are easy to make, and might well result in local "phantom" withdrawals - not beyond the realms of possibility.  

I am not sure what you mean by a "yes" card.  There are a number of ways that a chip card may be copied or spoofed, all of which impact devices in different ways.  The best ones in the POS world do clever stuff that I can't talk about; but the same trickery won't work on an ATM.  Regardless of what a "yes" card might tell an ATM, the ATM will always contact its host to check, and part of that check involves the PIN - as there are no offline PIN ATMs.  The crim (or Alain Job) could not have completed the fraudulent transactions in any way, shape or form without the correct PIN, and Mr Job says he changed it. 

The reason the card may not have been used in retail environments may well be due to the clone being created on a white plastic card, which the ATM would be oblivious to, but Johny Whitesocks in Carphone Warehouse might spot. 

The authentication argument is interesting: assuming the card is an SDA chip copy, the ATM SDA authentication process would confirm the "genuine" status of the card.  However, the ARQC that accompanied the authorisation request would fail authentication at the host, because the unique AC key on the chip is not accessible to the outside world, and so would not be present on the copied (cloned if you like) chip.  The host systems would reject the withdrawal request, as the card would have been identified as counterfeit.  We know the money was taken, so it sort of excludes the chip approach.  And I would tend to agree with the Halifax statement that there are no cases of chip and PIN fraud (using a chip) against any ATMs - authorisation (unless develpers are on drugs) requires a valid ARQC.

So, where does that leave us?  It leaves us with the possibility of the magstripe data being written to a white plastic card, after being copied at an ATM or POS device, whilst some geezer (or camera) looking over Mr Job's shoulder writes down the PIN.  All of this we know can happen - just ask BP.  However, most of this kind of fraud is shipped overseas now, to areas where chip and PIN ATMs have not yet reached - if it happened over there, it would be recognised as a magstripe clone, and the Halifax would cough up - but it happened over here. 

So, where else does it leave us?  It leaves us wondering if the Halifax cannot produce the cryptogram because there wasn't one.  It leaves us wondering if the ATMs in question were fallback capable.  Visa are not the card issuer, and it is unlikely that Visa would have advised the Halifax to destroy the evidence.

So where does that leave us with the phantom withdrawals? 

In the old days, PINs were harder to harvest, because they were only ever used at ATMs.  When a "phantom" withdrawal occured, and it was local to the cardholder, it wasn't unreasonable to assume that the cardholder must have had something to do wit it, and should bear the loss (PINs were valuable).  The argument that you have allowed your PIN to be compromised was good enough. 

Not so now, however, with shoulder surfing opportunities at every POS, and card copying equipment readily available.  The point here though, is that the shoulder surfer must (almost by definition) be local to the cardholder.  If this is the case, it is not surprising that the transactions were local also.  Whilst, in the past, the "local" argument was robust enough to fend off all "phantom" withdrawal allegations, in the age of Chip and PIN, it is not.  The local geezer with the copied card and PIN is likely to use the card locally.  End of argument.

So ... "Halifax contention that it must be Alain Job's card since it happened in the same geographical area is flimsy" is in my opinion, correct.

One of the features of chip and PIN is its ability to sign individual transactions, using unique keys.  The reason for this is to be able to provide undeniable proof that a transaction is genuine, and to prove that it was completed using a specific card.  The ARQC and the TC will prove that the card used to perform the transacton was Alain Job's chip and PIN card, and not a copy.  If the Halifax can produce either of these, and they are verified, Mr Jobs is wasting his time, and mine. 

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv | 13 February, 2009, 13:14

It has been known for thieves to take the genuine card, use it and return it, unnoticed by the rightfull owner. If the bank has security cameras this may be checked.

David Griffiths - gryffle - Hertford | 13 February, 2009, 14:08

Doh!

The simplest solutions are usually the best.

Marite Ferrero - CardSwitch Technology - London | 13 February, 2009, 16:14

David, my mention of a 'yes card' is because I don't know the details of the case (such as what kind of machine was used to withdraw the cash, what year did this happen, is this SDA or DDA?).

I do find it strange that only Alain's card got skimmed and used in the same area. Or perhaps other non-halifax cards were? There's lots that we don't know.

But it does not matter really. The auth message requests are gone. Halifax needs to prove that it is the same chip/same pin. It's not the responsibility of the cardholder to prove the weakness of the machine or system that authorised the fraudulent transaction.

David Griffiths - gryffle - Hertford | 16 February, 2009, 10:27

The "yes" card is a bit of a red herring: the transaction is either chip or not-chip, and "yes" cards are still chip cards.  Chip transactions generate one flavour of data, non-chip transactions generate another.  If it's chip, there will be a TC (it might not be genuine, but there will be one); if it's not-chip, there won't.

I think I explained how it could be that the "skimmed" cards only appeared in and around the victims locality, and how they disappeared once the fraud was reported (it's just a guess though).  However, only a small number of these frauds come into the public light, and they will be distributed across a lot of financial institutions, so one is never going to see the full picture.

But as you say, the auth message is gone.  Halifax can't prove that this was a chip and PIN transaction, they can only prove that the PIN was used, and that it was correct.  As for the "weakness of the system": it still seems to me to be a simple and straightforward case, either I am missing something, someone isn't telling the whole truth, or we are in previously unchartered territories.  I guess we'll just have to wait until the trial, to see what the Halifax has up its sleeve. 

A Finextra member | 27 February, 2009, 09:10

Dear all, very interesting discussion, I agree mostly with all technical explanation- we at Banka Koper started with PIN&chip migration 2004 already, all cards are DDA and we have rich experience. 2,3 years ago we have confronted with exactly the same case. Knowing technology issues we focused investigation also on so called "soft mechanisms" e.g. transaction time, ATM placing, etc. The final findings (sure, after few weeks) it were really very trivial: son of the victim, teenager,  has snatched away the father's card during the night (after midnight), and after succesfull ATM withdrawal gave it back. But the father should never accept this fact if shouldn't proven by ATM camera shot (even not the best one). Sometimes the truth is really unexpected and simple.

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Elton

Will regulation strangle or enable 'quasi-banks'?

26 March 2014  |  925 views  |  0  |  Recommends 0 TagsRisk & regulationInnovationGroupFuture Finance

Good at maths? Ask your bank for a better mortgage rate

03 March 2014  |  1240 views  |  0  |  Recommends 1 TagsRisk & regulationRetail bankingGroupFuture Finance

Do frictionless payments make you spend more?

26 February 2014  |  1096 views  |  0  |  Recommends 0 TagsCardsPaymentsGroupFuture Finance

Microfinance at a crossroads

03 February 2014  |  2078 views  |  1  |  Recommends 1 TagsMobile & onlineRetail bankingGroupFuture Finance

Are QR codes at a dead-end?

23 January 2014  |  2819 views  |  2  |  Recommends 0 TagsMobile & onlinePaymentsGroupFuture Finance
name

Elton Cane

job title

Journalist copywriter and marketer

company name

Independent

member since

2012

location

Brisbane

Summary profile See full profile »
Writer and media production person

Elton's expertise

Who is commenting on Elton's posts

Eugene Danilkis
Andrew Smith
Ketharaman Swaminathan
Chris Thorpe
Matt Scott
Brett King
Neil Burton
Dave Kershaw