A post relating to this item from Finextra:
07 January 2008
UK high street bank Halifax is facing a lawsuit brought by a customer who claims that fraudsters cloned his chip-based card and withdrew £2100 from his account at ATMs.
I can’t understand this; I would have thought that the people at the Halifax know what has happened, and I would have thought that they would be pretty sure about it. They have records of the cards issued, the transactions completed, the locations, and
the manner in which the card was processed. The Halifax knows if the transactions were performed on the original issued card, or on a cloned magnetic stripe card. The Halifax knows that the customer’s PIN was changed, and can tell if the “fraudulent” transactions
matched the customer’s existing withdrawal patterns.
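As an added illustration of the evidence the paragraph above says an issuer holds (not code from the original post or from Halifax), the check below runs over constructed authorisation records: whether each disputed withdrawal was a chip read of the issued card or a magnetic stripe read (what a stripe clone would produce), whether it fell after the customer's PIN change, and whether it fits the customer's usual ATMs and amounts. All names, timestamps and amounts are hypothetical sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass(frozen=True)
class Withdrawal:
    when: datetime
    amount: float      # pounds
    atm: str           # ATM identifier (constructed)
    entry_mode: str    # "chip" = EMV read of the issued card, "magstripe" = stripe read

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data, not the real case records: the cardholder's own
# history is all chip-read at ATMs near home.
HISTORY = [
    Withdrawal(ts("2007-11-02 12:10"), 50.0, "ATM-HOME-1", "chip"),
    Withdrawal(ts("2007-11-09 18:05"), 60.0, "ATM-HOME-2", "chip"),
    Withdrawal(ts("2007-11-16 12:30"), 80.0, "ATM-HOME-1", "chip"),
    Withdrawal(ts("2007-11-23 17:45"), 100.0, "ATM-HOME-1", "chip"),
]
PIN_CHANGED_AT = ts("2007-11-30 10:00")
# The disputed set: stripe-read, at an unfamiliar ATM, totalling the £2100 in dispute.
DISPUTED = [
    Withdrawal(ts("2007-12-03 01:12"), 700.0, "ATM-FAR-9", "magstripe"),
    Withdrawal(ts("2007-12-03 01:14"), 700.0, "ATM-FAR-9", "magstripe"),
    Withdrawal(ts("2007-12-03 01:16"), 700.0, "ATM-FAR-9", "magstripe"),
]

def assess_disputes(history, disputed, pin_changed_at):
    """Flag each disputed withdrawal against the issuer's own records.
    Returns a list of (withdrawal, set of flags); an empty set means
    the withdrawal looks like the cardholder's normal behaviour."""
    usual_amount = mean(w.amount for w in history)
    usual_atms = {w.atm for w in history}
    results = []
    for w in disputed:
        flags = set()
        if w.entry_mode == "magstripe":
            flags.add("MAGSTRIPE_READ")     # a chip card read by stripe: clone-consistent
        if w.when > pin_changed_at:
            flags.add("AFTER_PIN_CHANGE")   # the new PIN had to be obtained somehow
        if w.atm not in usual_atms:
            flags.add("UNFAMILIAR_ATM")
        if w.amount > 3 * usual_amount:
            flags.add("UNUSUAL_AMOUNT")
        results.append((w, flags))
    return results

def disputed_total(disputed):
    return sum(w.amount for w in disputed)
```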
Alain Job, on the other hand, knows that he didn’t make the withdrawals. He knows he changed his PIN, and he knows the card never left his possession. Mr Job is so sure that he knows that the withdrawals aren’t his that he is prepared to take on the big
boys in court. If he is prepared to go this far, it’s quite likely that his story is the truth.
Historically, on the matter of phantom withdrawals, the banks have made their case on the grounds that ATMs cannot transact without there being a valid card and a valid PIN – the ATM simply will not work without both of them. The security of the PIN has
always been seen as the responsibility of the cardholder, and phantom withdrawals are therefore always the result of the cardholder allowing the PIN to be compromised. This argument has been used successfully many times in the past, and has been considered
to be a robust defence, as the only real opportunity for stealing PINs was shoulder surfing at an ATM.
Chip and PIN has undoubtedly made transaction fraud much more of a challenge for the criminal. Regardless of the Cambridge University headline grabbing, scaremongering nonsense, card fraud isn’t easy – it’s all been opportunist hype, because most of the
so called chip “cloning” fraud was only possible in the first place because of the sloppy card issuers that created this particular “cloning” loophole (it doesn’t exist in the specifications). However, what Chip and PIN has also provided are vastly increased
opportunities for PIN harvesting: supermarket shoulder surfing provides much more scope for capturing PINs than ATMs ever could. But this improved harvesting capability is tempered by the fact that the cards cannot be successfully copied (except for the loophole
already mentioned) for use in online chip transactions – if they could, the boffins in Cambridge, with all of their fancy technology and insight, would have already done it!
On balance, it looks like Mr Job probably didn’t make the transactions, and it looks likely that the people at the Halifax know this. The Halifax isn’t fighting this case on a technology platform; it is fighting to maintain the established Card / PIN /
ATM relationships that allow them to say “Mr Job, it must have been you. It could not have been anyone else, unless you gave them your PIN, in which case, it’s still down to you!” and “This is how it’s been for years, and this is how we’d like it to continue.”
The reality is that Alain Job’s card could have been cloned (mag stripe), and his PIN could have been harvested in any of many retail locations.
If the card wasn’t cloned and the transactions really are his, that’s easy to prove and the case should take only minutes, the bank wins and the Card and PIN argument stands.
If he wasn’t responsible for the transactions, but the supporting evidence revolves around transaction time and ATM location rather than the potential for fraud inherent in the technology (which would be in The Halifax’s best interests), then Mr Job is still
responsible because he “divulged” his PIN – in this scenario, no mention is made of the cloned card. If this is the case the bank can accept that the transactions are indeed fraudulent, but it’s still his fault, and they can tell him to be more careful in
the future; and the Card and PIN argument stands.
If we accept the argument that PIN harvesting isn’t that much of an obstacle to fraud and that obtaining the necessary track 2 data is not rocket science, the security angle changes and the disputed withdrawals become more of a problem for the issuer. The
card was cloned and the PIN was harvested without the knowledge of Mr Job. If he was disputing a Point of Sale transaction (or several), under the same circumstances, the bank would have paid up – The Halifax has an issue here because the disputes relate
to ATM transactions.
If the bank loses, and is forced to admit that cardholders are indeed at risk from cloned cards and harvested PINs, it will severely weaken every card issuer’s main phantom withdrawal defence – that you need a card and PIN to initiate a transaction and
if the card is stolen and the PIN is compromised, it’s your fault. If the bank admits that Alain Job was the victim of a series of fraudulent withdrawals, it will have to admit that they were initiated on mag stripe clones (because Alain still has the original
chip card and Alain didn’t do the transactions). The bank will also have to admit that shoulder surfing could have harvested the PIN, indicating that it might not have been “divulged” at all. The card and PIN argument falls.
I am not in possession of the facts, and so I am really only guessing, but my guess is that the people at the Halifax know what happened but will probably use the ATM card and PIN defence, so avoiding any technology questions. Mr Job will be concentrating
on trying to prove he was somewhere else at the time, rather than trying to show that the bank’s technology could have allowed the fraud to take place, or better still, getting the Halifax to prove that it couldn’t! The court will, however, decide that the card
and PIN argument still stands as it always has done, and Mr Job will be out of pocket. I would like to be proved wrong.