
An article relating to this blog post on Finextra:

Halifax facing chip and PIN fraud lawsuit

UK high street bank Halifax is facing a lawsuit brought by a customer who claims that fraudsters cloned his chip-based card and withdrew £2100 from his account at ATMs.


Update on Halifax EMV lawsuit

We were contacted recently by Alain Job, who filed a lawsuit last year against Halifax over an alleged fraud instance on his EMV chip card, for which the bank is holding him responsible. Our news story here, and good analysis by Finextra Community members here.

Alain says the case is due to be heard in April this year and wanted to answer some of the questions people had in the blogs and comments on Finextra after we ran the story. His statement:

"The card in dispute was EMV, and Halifax has refused to produce the card unique key and is saying it has destroyed the disputed transactions' authentication data (following card issuer advice, Visa in this case) even from back up computers, which is extraordinary in such a case.

"I maintain that I had my card with me throughout the disputed transactions and Halifax is simply saying that, as the places where the transactions occurred were close to my (former) house, it must have been me, adding that there was no attempt to take money from the account after I had reported the fraud.

"Halifax's defense is simply that it is not aware of any instance of a Chip and PIN card being cloned and used to withdraw money from ATMs in the UK."

I don't know whether Halifax's defense is actually more sophisticated than Alain describes. But if they have destroyed all records of the transaction cryptograms (the codes the chip computes for each transaction using its secret key), then they cannot possibly prove whether the genuine chip or a copy of it was used.

If they are relying only on the geographic coincidence of the transactions and on Chip and PIN's supposed security track record, as Alain describes, I suspect they are on pretty shaky ground.

Or am I missing something else that Halifax might have up its sleeve?


Comments: (7)

A Finextra member, 12 February 2009, 19:03

Authorization request message is key to solving this case.

It can show if it was due to a 'fallback'. It can show how the card was 'read' and authenticated. If a yes card was used, it's surprising that it (the yes card) wasn't used to do other fraudulent transactions.

Authentication is different from authorisation. Authentication happens before authorisation. Authentication is local. Authorisations are online.

Halifax's contention that it must be Alain Job's card since it happened in the same geographical area is rather flimsy.

A Finextra member, 13 February 2009, 10:58

So ...

This case is becoming more interesting, or not.

You are spot on, Marite: the authorisation message would solve the issue, but not necessarily satisfactorily.

The authorisation message would confirm whether the withdrawals were fallback transactions.  If they were fallback, the card could easily have been cloned (magstripe copy from the chip or the stripe), and used with a shoulder surfed PIN.  It is possible that this happened, and the Halifax switched off the fallback ability on the ATMs following the reporting of the fraud, which would explain why the fraud stopped after it was brought to the attention of the Halifax people.  Mag stripe copies are easy to make, and might well result in local "phantom" withdrawals - not beyond the realms of possibility.  

I am not sure what you mean by a "yes" card.  There are a number of ways that a chip card may be copied or spoofed, all of which impact devices in different ways.  The best ones in the POS world do clever stuff that I can't talk about; but the same trickery won't work on an ATM.  Regardless of what a "yes" card might tell an ATM, the ATM will always contact its host to check, and part of that check involves the PIN - as there are no offline PIN ATMs.  The crim (or Alain Job) could not have completed the fraudulent transactions in any way, shape or form without the correct PIN, and Mr Job says he changed it. 

The reason the card may not have been used in retail environments may well be due to the clone being created on a white plastic card, which the ATM would be oblivious to, but Johny Whitesocks in Carphone Warehouse might spot. 

The authentication argument is interesting: assuming the card is an SDA chip copy, the ATM SDA authentication process would confirm the "genuine" status of the card. However, the ARQC that accompanied the authorisation request would fail authentication at the host, because the unique AC key on the chip is not accessible to the outside world, and so would not be present on the copied (cloned if you like) chip. The host systems would reject the withdrawal request, as the card would have been identified as counterfeit. We know the money was taken, so it sort of excludes the chip approach. And I would tend to agree with the Halifax statement that there are no cases of chip and PIN fraud (using a chip) against any ATMs - authorisation (unless developers are on drugs) requires a valid ARQC.

So, where does that leave us?  It leaves us with the possibility of the magstripe data being written to a white plastic card, after being copied at an ATM or POS device, whilst some geezer (or camera) looking over Mr Job's shoulder writes down the PIN.  All of this we know can happen - just ask BP.  However, most of this kind of fraud is shipped overseas now, to areas where chip and PIN ATMs have not yet reached - if it happened over there, it would be recognised as a magstripe clone, and the Halifax would cough up - but it happened over here. 

So, where else does it leave us?  It leaves us wondering if the Halifax cannot produce the cryptogram because there wasn't one.  It leaves us wondering if the ATMs in question were fallback capable.  Visa are not the card issuer, and it is unlikely that Visa would have advised the Halifax to destroy the evidence.

So where does that leave us with the phantom withdrawals? 

In the old days, PINs were harder to harvest, because they were only ever used at ATMs. When a "phantom" withdrawal occurred, and it was local to the cardholder, it wasn't unreasonable to assume that the cardholder must have had something to do with it, and should bear the loss (PINs were valuable). The argument that you have allowed your PIN to be compromised was good enough.

Not so now, however, with shoulder surfing opportunities at every POS, and card copying equipment readily available.  The point here though, is that the shoulder surfer must (almost by definition) be local to the cardholder.  If this is the case, it is not surprising that the transactions were local also.  Whilst, in the past, the "local" argument was robust enough to fend off all "phantom" withdrawal allegations, in the age of Chip and PIN, it is not.  The local geezer with the copied card and PIN is likely to use the card locally.  End of argument.

So ... "Halifax's contention that it must be Alain Job's card since it happened in the same geographical area is flimsy" is in my opinion, correct.

One of the features of chip and PIN is its ability to sign individual transactions, using unique keys. The reason for this is to be able to provide undeniable proof that a transaction is genuine, and to prove that it was completed using a specific card. The ARQC and the TC will prove that the card used to perform the transaction was Alain Job's chip and PIN card, and not a copy. If the Halifax can produce either of these, and they are verified, Mr Job is wasting his time, and mine.
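The argument made in the post (that once the stored cryptograms are gone, the bank cannot prove whether the genuine chip or a copy was used) and in the comment above (that a copied chip's ARQC fails at the host because the card-unique key never leaves the genuine chip) can be shown with a small issuer-side model. The following is an added example, not code from the post, the commenters or Halifax. It uses HMAC-SHA256 as a stand-in for EMV's 3DES-based key derivation and MAC, the transaction fields are a simplified subset of the real CDOL data, and every key, PAN and transaction value in it is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ARQC_LEN = 8  # EMV application cryptograms are 8 bytes long


@dataclass(frozen=True)
class TxnData:
    """Terminal data that goes into the cryptogram (simplified subset of CDOL1)."""
    amount: int                # minor units (pence)
    currency: str              # ISO 4217 numeric code
    date: str                  # YYMMDD
    terminal_country: str      # ISO 3166 numeric code
    atc: int                   # Application Transaction Counter, incremented by the chip
    unpredictable_number: str  # terminal nonce, so a recorded cryptogram cannot be replayed

    def to_bytes(self) -> bytes:
        fields = (self.amount, self.currency, self.date, self.terminal_country,
                  self.atc, self.unpredictable_number)
        return "|".join(str(f) for f in fields).encode()


def derive_card_key(issuer_master_key: bytes, pan: str, psn: str) -> bytes:
    """Card-unique key diversified from the issuer master key by PAN and PAN sequence
    number. It lives only in the chip and the issuer HSM; the chip never exports it,
    so static data read off a card (PAN, expiry, SDA certificate) does not include it."""
    return hmac.new(issuer_master_key, f"{pan}:{psn}".encode(), hashlib.sha256).digest()


def derive_session_key(card_key: bytes, atc: int) -> bytes:
    """Per-transaction session key, bound to the ATC."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def generate_arqc(card_key: bytes, txn: TxnData) -> bytes:
    """What the chip computes and the terminal forwards in the online authorisation request."""
    session_key = derive_session_key(card_key, txn.atc)
    return hmac.new(session_key, txn.to_bytes(), hashlib.sha256).digest()[:ARQC_LEN]


class Issuer:
    """Issuer host: checks cryptograms and, if retain_auth_log, keeps each request on file."""

    def __init__(self, master_key: bytes, retain_auth_log: bool = True) -> None:
        self.master_key = master_key
        self.retain_auth_log = retain_auth_log
        self.auth_log: Dict[Tuple[str, int], Tuple[TxnData, Optional[bytes]]] = {}

    def _expected_arqc(self, pan: str, psn: str, txn: TxnData) -> bytes:
        return generate_arqc(derive_card_key(self.master_key, pan, psn), txn)

    def authorise(self, pan: str, psn: str, txn: TxnData, arqc: Optional[bytes]) -> str:
        """'chip-verified': cryptogram verifies under this card's own key.
        'chip-invalid': a cryptogram arrived but does not verify (counterfeit chip).
        'no-cryptogram': magstripe / fallback request, no proof the chip was present."""
        if arqc is None:
            status = "no-cryptogram"
        elif hmac.compare_digest(self._expected_arqc(pan, psn, txn), arqc):
            status = "chip-verified"
        else:
            status = "chip-invalid"
        if self.retain_auth_log:
            self.auth_log[(pan, txn.atc)] = (txn, arqc)
        return status

    def dispute_evidence(self, pan: str, psn: str, atc: int) -> Optional[bool]:
        """Re-verify a disputed transaction from the stored record. True: the genuine
        chip was used. False: the stored cryptogram does not verify. None: there is no
        record or no cryptogram, so the question cannot be settled either way."""
        record = self.auth_log.get((pan, atc))
        if record is None or record[1] is None:
            return None
        txn, arqc = record
        return hmac.compare_digest(self._expected_arqc(pan, psn, txn), arqc)


def scenarios() -> Tuple[Dict[str, str], Dict[str, Optional[bool]]]:
    """Constructed walk-through: genuine chip, static-data copy, fallback, destroyed log."""
    imk = b"issuer-master-key-demo-only"  # constructed, not a real key
    pan, psn = "4000000000001234", "00"   # constructed test PAN
    genuine_key = derive_card_key(imk, pan, psn)
    base = TxnData(amount=210000, currency="826", date="080315",
                   terminal_country="826", atc=57, unpredictable_number="9f3a1c08")
    clone_txn, fallback_txn = replace(base, atc=58), replace(base, atc=59)

    issuer = Issuer(imk)
    auth = {
        # the real card holds the key, so its cryptogram verifies
        "genuine": issuer.authorise(pan, psn, base, generate_arqc(genuine_key, base)),
        # a copy of the static data has no key; whatever cryptogram it sends fails
        "clone": issuer.authorise(pan, psn, clone_txn,
                                  generate_arqc(hashlib.sha256(b"not the key").digest(), clone_txn)),
        # a magstripe fallback request carries no cryptogram at all
        "fallback": issuer.authorise(pan, psn, fallback_txn, None),
    }
    evidence = {name: issuer.dispute_evidence(pan, psn, t.atc)
                for name, t in (("genuine", base), ("clone", clone_txn), ("fallback", fallback_txn))}

    # an issuer that destroyed its authorisation records can no longer prove anything
    careless = Issuer(imk, retain_auth_log=False)
    careless.authorise(pan, psn, base, generate_arqc(genuine_key, base))
    evidence["destroyed"] = careless.dispute_evidence(pan, psn, base.atc)
    return auth, evidence
```

Run `scenarios()` to see the four outcomes side by side: only the genuine chip verifies at authorisation time, the copy is flagged as counterfeit, the fallback request produces no cryptogram to check, and the issuer that discarded its log gets `None` for the dispute, the same unverifiable answer as a fallback transaction.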

Jonathan Rosenne, QSM Programming Ltd., Tel Aviv, 13 February 2009, 13:14

It has been known for thieves to take the genuine card, use it and return it, unnoticed by the rightful owner. If the bank has security cameras this may be checked.

A Finextra member, 13 February 2009, 14:08

Doh!

The simplest solutions are usually the best.

A Finextra member, 13 February 2009, 16:14

David, my mention of a 'yes card' is because I don't know the details of the case (such as what kind of machine was used to withdraw the cash, what year did this happen, is this SDA or DDA?).

I do find it strange that only Alain's card got skimmed and used in the same area. Or perhaps other non-Halifax cards were? There's lots that we don't know.

But it does not matter really. The auth message requests are gone. Halifax needs to prove that it is the same chip/same pin. It's not the responsibility of the cardholder to prove the weakness of the machine or system that authorised the fraudulent transaction.

A Finextra member, 16 February 2009, 10:27

The "yes" card is a bit of a red herring: the transaction is either chip or not-chip, and "yes" cards are still chip cards.  Chip transactions generate one flavour of data, non-chip transactions generate another.  If it's chip, there will be a TC (it might not be genuine, but there will be one); if it's not-chip, there won't.

I think I explained how it could be that the "skimmed" cards only appeared in and around the victim's locality, and how they disappeared once the fraud was reported (it's just a guess though). However, only a small number of these frauds come into the public light, and they will be distributed across a lot of financial institutions, so one is never going to see the full picture.

But as you say, the auth message is gone. Halifax can't prove that this was a chip and PIN transaction, they can only prove that the PIN was used, and that it was correct. As for the "weakness of the system": it still seems to me to be a simple and straightforward case, either I am missing something, someone isn't telling the whole truth, or we are in previously uncharted territory. I guess we'll just have to wait until the trial, to see what the Halifax has up its sleeve.

A Finextra member, 27 February 2009, 09:10

Dear all, very interesting discussion, I agree mostly with all the technical explanations. We at Banka Koper started with the PIN&chip migration in 2004 already, all cards are DDA and we have rich experience. Two or three years ago we were confronted with exactly the same case. Knowing the technology issues, we focused the investigation also on so-called "soft mechanisms", e.g. transaction time, ATM placing, etc. The final findings (after a few weeks, of course) were really very trivial: the son of the victim, a teenager, had snatched away the father's card during the night (after midnight), and after a successful ATM withdrawal gave it back. But the father would never have accepted this fact if it hadn't been proven by an ATM camera shot (even not the best one). Sometimes the truth is really unexpected and simple.

Elton Cane

Digital product delivery, News Corp Australia

This post is from a series of posts in the group:

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and analytical techniques for bank card and financial services organisations.