Blog article
See all stories »

An article relating to this blog post on Finextra:

Halifax facing chip and PIN fraud lawsuit

UK high street bank Halifax is facing a lawsuit brought by a customer who claims that fraudsters cloned his chip-based card and withdrew £2100 from his account at ATMs.

See article

Whose cash is it anyway?

I can’t understand this; I would have thought that the people at the Halifax know what has happened, and I would have thought that they would be pretty sure about it.  They have records of the cards issued, the transactions completed, the locations, and the manner in which the card was processed.  The Halifax knows if the transactions were performed on the original issued card, or on a cloned magnetic stripe card.   The Halifax knows that the customer’s PIN was changed, and can tell if the “fraudulent” transactions matched the customer’s existing withdrawal patterns.

Alain Job, on the other hand, knows that he didn’t make the withdrawals.  He knows he changed his PIN, and he knows the card never left his possession.  Mr Job is so sure that he knows that the withdrawals aren’t his that he is prepared to take on the big boys in court.  If he is prepared to go this far, it’s quite likely that his story is the truth.  

Historically, on the matter of phantom withdrawals, the banks have made their case on the grounds that ATMs cannot transact without there being a valid card and a valid PIN – the ATM simply will not work without both of them.  The security of the PIN has always been seen as the responsibility of the cardholder, and phantom withdrawals are therefore always the result of the cardholder allowing the PIN to be compromised.  This argument has been used successfully many times in the past, and has been considered to be a robust defence, as the only real opportunity for stealing PINs was shoulder surfing at an ATM. 

Chip and PIN has undoubtedly made transaction fraud much more of a challenge for the criminal.  Regardless of the Cambridge University headline grabbing, scaremongering nonsense, card fraud isn’t easy – it’s all been opportunist hype, because most of the so called chip “cloning” fraud was only possible in the first place because of the sloppy card issuers that created this particular “cloning” loophole (it doesn’t exist in the specifications).  However, what Chip and PIN has also provided are vastly increased opportunities for PIN harvesting: supermarket shoulder surfing provides much more scope for capturing PINs than ATMs ever could.  But this improved harvesting capability is tempered by the fact that the cards cannot be successfully copied (except for the loophole already mentioned) for use in online chip transactions – if they could, the boffins in Cambridge, with all of their fancy technology and insight, would have already done it!    

On balance, it looks like Mr Job probably didn’t make the transactions, and it looks likely that the people at the Halifax know this.  The Halifax isn’t fighting this case on a technology platform; it is fighting to maintain the established Card / PIN / ATM relationships that allow them to say “Mr Jobs, it must have been you.  It could not have been anyone else, unless you gave them your PIN, in which case, it’s still down to you!”  “This is how it’s been for years, and this is how we’d like it to continue.”

The reality is that Alain Job’s card could have been cloned (mag stripe), and his PIN could have been harvested in any of many retail locations. 

If the card wasn’t cloned and the transactions really are his, that’s easy to prove and the case should take only minutes, the bank wins and the Card and PIN argument stands.

If he wasn’t responsible for the transactions, but the supporting evidence revolves around transaction time and ATM location rather than the potential for fraud inherent in the technology (which would be in The Halifax’s best interests), then Mr Job is still responsible because he “divulged” his PIN – in this scenario, no mention is made of the cloned card.  If this is the case the bank can accept that the transactions are indeed fraudulent, but it’s still his fault, and they can tell him to be more careful in the future; and the Card and PIN argument stands.

If we accept the argument that PIN harvesting isn’t that much of an obstacle to fraud and that obtaining the necessary track 2 data is not rocket science, the security angle changes and the disputed withdrawals become more of a problem for the issuer.  The card was cloned and the PIN was harvested without the knowledge of Mr Job.   If he was disputing a Point of Sale transaction (or several), under the same circumstances, the bank would have paid up – The Halifax has an issue here because the disputes relate to ATM transactions.  

If the bank looses, and is forced to admit that cardholders are indeed at risk from cloned cards and harvested PINs, it will severely weaken every card issuer’s main phantom withdrawal defence – that you need a card and PIN to initiate a transaction and if the card is stolen and the PIN is compromised, it’s your fault.  If the bank admits that Alain Job was the victim of a series of fraudulent withdrawals, it will have to admit that they were initiated on mag stripe clones (because Alain still has the original chip card and Alain didn’t do the transactions).  The bank will also have to admit that shoulder surfing could have harvested the PIN, indicating that it might not have been “divulged” at all.  The card and PIN argument falls.

I am not in possession of the facts, and so I am really only guessing, but my guess is that the people at the Halifax know what happened but will probably use the ATM card and PIN defence, so avoiding any technology questions.  Mr Job will be concentrating on trying to prove he was somewhere else at the time, rather than trying to show that the bank’s technology could have allowed the fraud to take place, or better still, getting the Halifax to prove that it couldn’t!  The court will, however, decide that card and PIN argument still stands as it always has done, and Mr Job will be out of pocket.  I would like to be proved wrong.


Comments: (4)

Paul Penrose
Paul Penrose - Finextra - London 11 January, 2008, 10:48Be the first to give this comment the thumbs up 0 likes


Excellent post. It should make for an interesting test case. If Halifax anticipates that Mr Job has any chance of winning the argument in court then they will quietly settle up - the banks can't afford to set a precedent that could be used in other phantom withdrawal claims.

A Finextra member
A Finextra member 14 January, 2008, 08:14Be the first to give this comment the thumbs up 0 likes Might become the "Bosman of Chip-and-PIN".

I truly believe, though, it will come down to "how did they steal the PIN?" question and therefore won't have an impact on technology as such.

I don't think the fact that bank reacts so slowly is a good "something-is-wrong" indicator. It rather proves that whatever has happened it's pretty important for Halifax to make everything perfect to avoid screwing up. Banks can't afford the chain of "MC Donald's coffee" claims to start from this case. And out of court settlement won't help with this. They should achieve some closure of this incident, otherwise it will be just a matter of time before similar [whether justified or not] cases.
Keith Appleyard
Keith Appleyard - available for hire - Bromley 14 January, 2008, 12:39Be the first to give this comment the thumbs up 0 likes

My daughter had her Halifax CHIP and PIN Debit Card cloned in April 2006. She was a Student in Oxford, and 25 transactions totaling £1,500 were done all over Oxfordshire in towns & at stores she doesn’t usually frequent.

But how could she prove it wasn’t her, or that she hadn’t given the Card & PIN to an accomplice?

Fortunately she was also using the ‘real’ Card in Cambridge some 100 miles & 2 hours drive away within 20 minutes of one of the fraudulent transactions – so the Card couldn’t be in 2 places at one, or in the hands of an accomplice.

Presented with these facts, Halifax promptly capitulated, and gave back all of the money, not bothering to try & quibble about any of the disputed transactions.

I don’t have any CHIP & PIN Cards – I rely upon Signature as a rudimentary biometric. However, over the Christmas period, approximately 50% of my purchases at Bluewater were completed without Signature - the young kids in the shops presume you’ve put in a PIN even when I’ve made no attempt to – they just aren’t alert.

A Finextra member
A Finextra member 15 January, 2008, 15:00Be the first to give this comment the thumbs up 0 likes

I completely agree.  If they are EMV transactions, there is no case.  Only the bank knows if they really are, but then so does Job, and he says they are not.  They can't both be right!  The question we have to ask ourselves is: if the transactions are genuine, what sort of person would take on an organisation of this size?

Now hiring