We were contacted recently by Alain Job, who filed a lawsuit last year against Halifax over an alleged fraud instance on his EMV chip card, for which the bank is holding him responsible. Our news story
here, and good analysis by Finextra Community members
here.
Alain says the case is due to be heard in April this year and wanted to answer some of the questions people had in the blogs and comments on Finextra after we ran the story. His statement:
"The card in dispute was EMV, and Halifax has refused to produce the card unique key and is saying it has destroyed the disputed transactions' authentication data (following card issuer advice, Visa in this case) even from back up computers, which is
extraordinary in such a case.
"I maintain that I had my card with me throughout the disputed transactions and Halifax is simply saying that, as the places where the transactions occurred were close to my (former) house, it must have been me, adding that there was no
attempt to take money from the account after I had reported the fraud.
"Halifax's defense is simply that it is not aware of any instance of a Chip and PIN card being cloned and used to withdraw money from ATMs in the UK."
I don't know if Halifax's defense is actually more sophisticated than Alain describes. But if they have destroyed all records of the transaction cryptograms - the code created during the transactions using the chip's secret key - then they can't possibly
prove that either the chip or a copy of the chip was used.
If they're only relying on geographic co-incidence of the transactions, and Chip and PIN's supposed security track record - as Alain describes - I suspect they are on pretty shaky ground.
Or am I missing something else that Halifax might have up its sleeve?