Halifax facing chip and PIN fraud lawsuit
07 January 2008 | 16411 views | 0
UK high street bank Halifax is facing a lawsuit brought by a customer who claims that fraudsters cloned his chip-based card and withdrew £2100 from his account at ATMs.
Alain Job told UK newspaper The Guardian that he changed the PIN supplied by the bank to a number that only he knew and was in possession of his card when fraudsters raided his bank account.
But the Halifax claims that whoever took the money had access to both Job's card and PIN.
Job is in the process of bring his case against the Halifax to court.
The case casts further doubts over the effectiveness of chip and PIN which was introduced in the UK two years ago in order to eliminate skimming scams where fraudsters copied data stored on the magnetic stripe of a credit to make cloned cards.
Although chip and PIN contributed to a drop in domestic fraud levels fraudsters have switched to using cloned cards abroad in places where chip and PIN hasn't yet been implemented.
Security expert Mike Bond told The Guardian that as well as mag-stripe cards chip-based cards can be copied and cloned, although the technique is more cumbersome and expensive as it involves stealing the PIN and copying a secret key stored on the chip which is used by banks to validate cards.
Bond says that, whilst it is possible that criminals have found a cheaper way to extract data from the chip, there is no evidence that this has happened.
A cheaper way for fraudsters to clone cards is to create a "yes card", says Bond, which doesn't contain a copy of the original card's PIN and secret key.
Instead, the fraudster copies the rest of the chip's data to a smart card. This "yes card" will work with chip-and-pin implementations using a security technique called Static Data Authentication (SDA), says Bond, which enables chip readers to authenticate a transaction without directly contacting a bank.
However, this technique does not explain Job's losses because all ATMs contact banks for authentication, says the report.