Halifax, the UK retail bank, has scored a victory in a closely-watched 'phantom withdrawal' case that put the security of Chip and PIN on trial. Halifax customer Alain Job sued the bank after he was held liable for making eight disputed cash machine withdrawals from his account. Job was left £2,100 out of pocket from the series …
All the evidence was held by one party in the trial (as it's impossible for the other party to obtain it) and was junked by said party.
Was that before or after the case was raised?
I used to work for the Halifax and I got the distinct impression at the time that the introduction of chip and pin was conveniently used to shift responsibility from the banks to the cardholder. Basically it seemed that if there was a fraudulent transaction involving the PIN, if it was a chip and pin card they had a 'The customer must have done it or been negligent - not our fault' policy.
I have read reports that the PIN on a card can be intercepted on a compromised machine as it's not encrypted the entire time and I'd love to see banks get beaten down in court over that one.
He's suing a bank.
I want some of whatever he's on...
Won't ever win
The banks have far too much money tied up in the current ATM system to allow any proof of fraud through cloned cards.
The government, and its "justice" arm have too much money invested in the banks to upset them.
This case will never be proved even if the person who actually did it turned up in court with witnesses, videos and DNA samples.
Banks, the original greedy sticky fingered lying cluts.
They will do everything to save them money, while costing you more. I for one hope he wins this case, and wish that judges had a little more technical training to cope in this day and age.
Chip and Pin is rubbish
Good luck to him I say. Anyone with any nous will know that chip and pin can be copied just like the old cards. Yes, it's harder, but nothing for organised criminal gangs. The cards are available on the black market and so is the hardware required. No problem. The technology isn't a secret either and secrecy is never a good way to protect it anyway, as it always leaks.
Chip and pin was simply a way of shifting the responsibility onto the cardholder and away from the trader and card company. After all, it's 'perfect', can't be cloned etc. etc. (all this was said about the original mag stripe cashpoint cards) and therefore it must be the cardholder's fault. They just must have given away their PIN etc. Utter rubbish......
He may or may not be telling the truth, but there are certainly loads of people out there footing the bill for a poorly thought out rubbish system.
Chip and Pin security
One thing I have noticed about Chip and Pin is it makes it far easier to commit fraud where the cardholder is present. The cardholder could be anybody e.g. when I get a train ticket from rail staff's handheld machines that do not support chip and pin and you have to sign, the staff NEVER check the signature on the back. They used to prior to chip and pin, why not now? It makes no sense.
Also, once when I paid for petrol at a BP station I got the pin wrong 3 times. The teller accepted it anyway on the grounds that her machine's keypad was "playing up". Only later did I realise it was the wrong card entirely and therefore the wrong pin I persevered with. So in some cases, with a queue building up behind you, you do not need a pin at all.
And of course if you do happen to find out the pin and get the card, you will never be questioned or suspected...even if the name on the card is clearly not yours i.e. a 6 foot bloke called Geraldine - staff do not even touch the cards anymore.
Here's my conspiracy theory...
Yet another step backwards for the wretched consumer. We are penned in by government, corporations, and criminals - all three of whom want our money in ever-growing slabs. Moreover, all three want to minimize their own outlays (as we all know, a penny saved is a penny earned).
Credit cards and debit cards are good news for financial corporations: they increase the size and number of transactions (on which they get a cut) while also decreasing their overhead costs. So far, so good.
Unfortunately plastic cards are prone to fraud. The banks' response, on the whole, is to lobby for the law to pin all the blame on consumers. Since governments are utterly clueless about anything remotely technical, they have recourse to getting advice from "experts" - in this case, of course, representatives of the banks. To no one's great surprise, the experts advise government and the courts that it's all the fault of the damn consumers, and they can eat the costs.
People who have their UK ID card cloned will suffer the same problem. The authorities refuse to admit it's possible, even though it almost certainly will be.
Knowing you are innocent will be cold comfort when you are up before a court on a fraud charge where the primary evidence *is* your ID card.
Ok, here we go...
Phantom withdrawals are not the same thing as a cloned card being used. A phantom withdrawal is where the money 'disappears' from an account having been logged as dished out by an ATM, or transfer for which there is no evidence of a requested transaction. They are most certainly not commonplace.
I wasn't aware that there had been any cloned c&p cards yet?
Does seem a bit odd that Halifax would destroy the card, particularly when such a small amount of money is involved, I would have thought they'd just pony up the cash to shut the guy up. I wonder if there is something else going on here?
Odd that there is no cctv evidence also.
Recently had my card cloned - But by who?????
Recently had a withdrawal made on my card from LJUBLJANA.
When I contacted the Bank they told me my card must have been cloned when I last used it. When I told them I had never used the card and I could prove this because my statements show there had never been a withdrawal/swipes on this card, they said well you obviously disposed of the card in an unsecure manner or shared the details with somebody else. No I haven't and I can prove that, can you prove your systems are that secure.
I got an immediate refund, but I guess I was lucky that I had never used my card. If I had used the card I'm sure they would have made it a lot more difficult.
So you see systems are only as secure as the bank are prepared to pay to make them.
Anon obviously, because Big Brother is watching us not the crooks
why not a fake?
it's not impossible to pretend to be another card
it just involves some hardware that's not accessible to noddy crooks
and who'd have thunk that a bank would destroy evidence.....
or a judge wouldn't believe the plaintiff in a non-trivial case
I can believe it...
There's a pub nearby, where we used "Chip 'n' pin" on our bank cards to pay for beer. In Finland, cash use is relatively - by UK standards - unusual.
Many of us regulars have been astounded that occasionally after a moderate session, €100-200 has vanished from our accounts. So, looking at the e-statement, I've apparently drunk 20+ beers a night, even without going there. Put €230 into my current account Monday (from my 'slush fund', where my dole goes), and it vanished in a couple of days. Nordea bank doesn't want to know. Pub sends me to Nordea, Nordea refers me to the pub. I think I'll refer myself to a lawyer, but it's hard to prove. Keep receipts? Doesn't prove anything, I could've thrown some away.
Changed card this week, cash only from now on. Same as my friends.
Not as bad as it first seems
Text of judgement here: http://www.alikelman.com/jobhbos.pdf
HBOS destroyed the evidence that would have shown if the chip or the mag stripe had been used. The judge takes pains to point out that he isn't ruling on chip and pin in general, but more on the balance of evidence in this particular case.
so to prove it's not a cloned card they produced the information that could have come from a cloned card?
Given that there's CCTV all over nowadays isn't it possible to just look at the photo of him using it or not?
Time chip and pin scrapped
As it is a ruse to make us liable for bank cock ups.
Who expected that?
Wow. I'm blown away. Really. I never expected that the bank would produce the proof that it needed to show that chip & pin is completely utterly absolutely safe and that this whining beeatch is obviously just a paedophile terrorist out to try and destabilise the economy at the expense of those utterly-impeccably-behaved banks that never do anything even remotely suspicious, and certainly don't operate behind closed doors. And that his legal team don't sound to have been able to examine the evidence directly. Why would they need to? The Bank said it was all ok. And we trust & love The Bank. I bet this man is part of the BNP, so he obviously deserves everything he gets. Not that he got anything. Of course not. No. Did I say that it was completely safe? I'm sure I did.
Go about your business citizen. All your cash is belong to the Lloyds/TSB/Halifax/Bank of Scotland Corporation!!
Halifax had junked evidence...
"Halifax had junked evidence that might have ascertained if a cloned card was used. The original ATM card and the Authorisation Request Cryptogram were destroyed by Halifax."
WTF?!? Don't bank with them then!
Are there not other sources of evidence though?
I am no CSI wannabe, but given the UK is the surveillance capital of the world, wouldn't one of the CCTV cameras placed everywhere have picked him up at the ATM itself?
I know cameras tend to point at ATMs in busy places, like in train stations and city centers etc. So would it have been a big problem for someone to have reviewed the tapes for the days the transactions were made?
Or, could it be that even though we have all these cameras in the UK, we don't hang on to the video for very long? And, chances are that even if there were no camera looking at people at the ATM itself, surely one of these spy devices would have picked him up in the vicinity of the ATM around the times the transactions were made?
Or am I just being too clever for my own good?
Looks like the right decision..
..the transcript of the judgment is available here: http://www.alikelman.com/jobhbos.pdf - reading through it, I'd think that M. Job would be ill advised to appeal.
Chip and PIN is flawed
The only reason CnP was introduced was to allow banks to drop liability on stolen funds onto the card holder. This was hotly disputed by the banks at the time.
From discussions (ok scare stories) with folks in the industry and cases like this I have no intention of upgrading to a CnP card no matter how hard they keep trying to get me to sign up.
I know of two people locally who have closed accounts because of their distrust of the banks and their trying to force CnP on them.
Thankfully Nationwide has yet to try to force me - just keeps sending me wanna free this or that - sign this CnP agreement. :-/
*cough* Munden *cough*
Anyone who banks with Halifax after the Munden case can only have themselves to blame if they suffer a phantom withdrawal. He should consider himself fortunate that he didn't face criminal charges after complaining.
Burden of proof
Without knowing specifics about the case and its evidence, it's difficult to make an informed judgement. The question is, who has the burden of proof, Halifax or its customer. If it's the petitioner (ie the customer), then the question is why Halifax destroyed the evidence. If it's the respondent (ie Halifax), then the ruling makes no sense at all.
Basically, Halifax cannot prove that the customer made the transaction, nor can they prove that he didn't. The customer cannot prove that he didn't either, though. I am wondering if anyone actually bothered checking CCTV in the store where the card (or its clone) was used, surely we have enough of those in this country...
The claimant doesn't have much luck
I've just read the judgment (http://www.alikelman.com/jobhbos.pdf) for this case. I noticed that in 2005 the bank issued a replacement card which didn't arrive at the claimant's address and was fraudulently used. Then again after the claimant reported the fraudulent transactions in 2006 the bank issued another replacement card which also didn't arrive and was fraudulently used. In both instances the bank accepted the claimant didn't receive the cards and refunded the fraudulent transactions.
Let's shit on the little man shall we? Banks are the scourge of this world. I do not trust them but unfortunately we have to use them.
I hope he does appeal
The mythical impenetrable security of Chip and Pin has been proven wrong time and time again. All we need now is for banks to admit it's not a perfect system. But they won't. And now it seems the court won't listen.
I really do think that court cases involving technology need someone who knows about technology being the magistrate. The number of technology myths there are just create confusion for them.
18 years ago I worked for an electronics firm that put mini cameras into Cash Machines.
Do these no longer exist? This would be proof beyond doubt whether the defendant made the transaction or not.
The whole point of chip and pin was to allow banks to duck their responsibility. Now they can blame the victim for any fraud and wash their hands of it.
Was there no video of the transaction? There should have been. That would show if the cardholder or A.N.Other made the withdrawal. If A.N.Other, the police should have been called.
Rather than assist its customer, the bank would rather do them over and keep their vast, unjustified profits. This is the same behaviour that caused them to screw the world economy. Utter bastards.
"Anon obviously, because Big Brother is watching us not the crooks"
Or maybe not anon after all?
Chip and PIN security has failed
The security for the chips has failed. It failed within months of its launch.
It's been proved by various Cambridge academics and been proved by me direct to the government that the security is for the bank not for the consumer.
Shifting blame onto the consumer.
Obviously nobody has done research with this case. There are papers online showing serious failings of the system.
Someone commented earlier that staff never check signatures... Why should they bother? Signatures are a totally worthless method of identifying someone.. Whenever I had to sign something it looked different every time and was never checked. Plus it's prominently shown on the back of the card for anyone to copy.
Some American stores would ask for photo ID that matches the details on the card, not perfect but much better than having someone make some arbitrary pen mark.
A pin is also not perfect, but still better than a signature.
The biggest problem is the way banks have used this as an excuse to shift the blame. They took a perfectly reasonable and useful mechanism which has been used in mainland Europe for years, and used it to try and weasel out of their responsibilities to customers. £2100 may not be very much for a bank, but to many people that's a lot of money and could completely screw their life up.
Cut up your cards.
Make an appointment with your Bank Manager, and have him witness the card being rendered useless. Don't let him order you a replacement! Better still, close your account and force your employer to pay you in cash.
Use cash for everything. As we all know, cash can't be copied. And it's easy to trace if someone steals it from you. NOT!
Bank cards make your life simpler and safer. Yes, banks have a responsibility to make sure it is secure, and unfortunately, if you don't trust them on that front, your option is to return to using cash, which absolves the bank of ALL responsibility.
...every criminal in the country is going to be working on chip-and-pin fraud now, because they'll never get prosecuted. After all, if even one criminal gets prosecuted for using a cloned card, the whole "it's impossible" defence will fall apart.
Anyone actually read the judgement?
This is a terrible case to use as an example, and the judge makes a point of saying that this should in no way be seen as a test case. The defendant has a poor story - the facts (only ATMs near his address used; no attempts at withdrawal after his reporting of the 'fraud'; previous cards never arriving) didn't help at all.
I would like to have seen a recommendation that the banks keep their records for MUCH longer, given that they prove chip vs magstripe use, and thought that Halifax were very lucky to get away with not being able to produce the full records, especially as they admitted having them at the time of the report and destroying them AFTERWARDS!
Terrible case for such an important question - I hope that we get a more reasonable one in the near future.
About a quarter century ago my brother had a new card intercepted (a house converted to flats, and no separate mailbox). The crook could put a signature on the card. Luckily, my brother checked why the card hadn't arrived, and in those days there was a signature on the payment slip.
That security number on the back doesn't make a difference in that case, but you have to "activate" the card. That's where personal data theft can pay off, letting you answer the security questions.
But Chip and PIN does make stealing the card alone pretty useless. You can do "cardholder not present" without a physical card. You have to get hold of the PIN, and that doesn't get sent out every time a new piece of plastic gets sent out.
So all this is an improvement. But new tech brings new loopholes, and a lot of different people need to understand the tech enough to be able to talk sensibly. From the decision-makers in the banks to lawyers in court. The Judge? It helps, but let the lawyers explain it.
What the future holds (aaargh)
For many years Western banking institutions have been longing for a cashless society. Cash is very expensive to; produce, transport securely, count, sort and distribute again (goes around in a circle you see). HM Gov, banks and retailers see a future where our credits (cash equivalent) are held and transferred entirely electronically. This would save them oodles of dosh.
There are advantages, especially in developing nations, where electronic banking on mobile devices is a replacement for a lack of banking infrastructure. This gives peeps a chance to save or even look at business start-ups, using a growing number of localized, community-based banking facilities. (Not the overweight capitalist greed-mongering institutions we are used to, not yet anyway).
But I dread the day that UK gov and banks announce the end of 'spensiv' cash and all our credits start flying around cyber space willy-nilly with the onus on securing, tracing and recording the flow firmly lodged with the individual.
Groats and bartering are the only way forward - you fix my cam-belt timing and I'll disinfect your computer etc. etc.
Please change the record, Chip and Pin was brought in to protect customers from rampant fraudulent use of cards and the pathetic ease with which magstripes can be cloned. It was not to foist the bank's responsibility to refund fraudulent use of cards onto customers. Chip and pin has worked and fraud has dropped a massive amount.
Can I just add..Broken chips....
I work part time in a pub to help out a friend, and one thing I have noticed is that when a customer wants to pay by card scary things happen.
If the chip is damaged/un-readable by our machine then it just says to use the mag stripe.
I did an experiment with my own bank card by taking a hammer and a sharp knife to damage the chip reading surface (the simcard like bit) and was told by the card machine after 3 attempts to use the mag stripe.
Now imagine this....
Mr Bloggs has his card details stolen, and a duplicate is made from the info on the mag stripe. To simply get around the chip and pin bit, all he has to do is use a damaged chip and then all he has to do is wait for the check out person to use the mag stripe so he can then forge the signature.....
Am I being a bit naive or not?
My experiment worked, and I know cards can be cloned.....
Anyone else have any thoughts?
Have you read the Cambridge academic's (I can't remember the guy's name off-hand) proof of faults in C&P, anyone who knows anything about how C&P works knows that they are utter rubbish and never likely to work in the real world.
Not a test case, but still symptomatic of HBOS
Whilst the bloke in this case does seem to be a numpty, HBOS's reaction does seem to be typical.
About 10 years back, my sister had a student account with the Halifax Building Society (as it then was). Like all students, she got her interest-free overdraft. Great. And like a number of students, she exceeded this occasionally and was charged accordingly. Also OK.
But then she got a job after uni, and wanted to close her account. The conversation (over several months, multiple bank managers and various departments of Halifax) went something like:-
"I'd like to clear my student overdraft and close my student account, please."
"That'll be (overdraft+several hundred quid) please."
"Eh? Here's my latest statement saying how much my overdraft is, and here's the letters listing all the charges I owe you."
"No, pay us what we're asking."
"Where did the extra come from?"
"We don't know, and we're not going to tell you, so just pay us all this money or we'll blacklist your credit rating."
"OK, here's the money I know I owe you. Here's a letter saying I won't pay the rest until you tell me where those charges came from."
"Here's a credit rating blacklist. Have a nice life."
Had my sister been some future-free dosser, then maybe they wouldn't have wanted her as a future customer. But since she was a newly-trained corporate lawyer, and at the time was going out with a high-earning City trader, this is probably not the cleverest move for their future business. As far as our family is concerned, the Halifax can forget about ever seeing us as customers.
It's the same with Mastercard securecode/Verified by Visa
They will try and make us liable for fraud on the Internet next.
Big Brother's accounting wing.
"For many years Western banking institutions have been longing for a cashless society. Cash is very expensive to; produce, transport securely, count, sort and distribute again (goes around in a circle you see). HM Gov, banks and retailers see a future where our credits (cash equivalent) are held and transferred entirely electronically. This would save them oodles of dosh."
It would also allow governments to analyse every single monetary transaction made by any member of the population.
If you stop to think about it, it is truly extraordinary the amount of information which is currently gathered about each of us as we go about our normal business. Current practice allows government to monitor, or potentially monitor, most of our communications (Phorm, Jacqui's uber-database,) our movements, (Oyster, CCTV, ANPR,) and many of our purchases, (credit/debit card records), along with all of the many and various databases relating to benefits, health, various licenses and voting registrations.
The excuse for this is that the records are not all held centrally by government and are not joined up, but are instead fractured and used piecemeal for various tasks.
All of it is accessible by government in some form or another, however, and it would not be beyond the wit of man to link all these sources of information together.
If a cashless society was also introduced, quite apart from the immense potential for fraud, it would also bring about the inevitable scenario of every single transaction we are involved in being logged and stored, from the purchasing of a car to giving your grandson a tenner for his birthday. Every transaction could be automatically examined for legality and, potentially, taxed.
There is a reason why we still have cash. We don't keep it despite the fact it can't be traced. It is BECAUSE it can't be traced.
What we spend our hard-earned on is our business.
@ Dave Bell
"But Chip and PIN does make stealing the card alone pretty useless. You can do 'cardholder not present' without a physical card. You have to get hold of the PIN, and that doesn't get sent out every time a new piece of plastic gets sent out."
You what? Getting hold of the PIN is the easy part: just hold a knife against someone's throat and they'll soon tell you it. Keep the knife in place whilst an accomplice makes a test purchase in a nearby store, and have them call you using a mobile phone that used to belong to the victim to confirm the success or otherwise. Then rough them up a bit; no more than necessary to buy you sufficient time to max out the card before they can report it.
(This is actually the subject of a patent application in my name. Only, I'm claiming the method for being robbed rather than the method for committing the robbery; because the perpetrator has most probably legged it, whereas the victim can easily be sued for stealing my precious intellectual property that I thought of first.)
I agree with m'Lud...for once!
Looking at the judgement, I think the judge was right.
Whilst I think there are possible issues around C&P, they're not being shown up in this case.
'chip and pin has worked'
It may be from online sources - who knows, but since chip and PIN came in I've had my visa cloned twice and my bank card once. Before then? Never a problem..
@M A Walters
It is pretty clear from that article that the customer raised the action against the bank, and therefore the burden of proof lies against him. This time, the bank does not have to prove anything, just show that he is talking crap, and in this case it looks like he was trying to pull a fast one, and didn't do a very good job.
"But Chip and PIN does make stealing the card alone pretty useless"
Unless you're paying for goods/services online.
Chip and Pin in ATMs - Where exactly?
My 'horsey' bank card recently foobar'ed up and stopped me withdrawing money from cash machines - it rejected the card as unreadable.. However, it still worked perfectly in retailers Chip + Pin machines, and allowed me to get funds using the cashback mechanism. I believe this was due to the magnetic stripe being zapped rather than the chip knackering up.
Several cash machines, both new (installed within the last 12 months) and old, and even the bank's own machines didn't seem interested in reading the card, so unless I got really unlucky with dodgy machines, I'd say that chip reading ATMs are few and far between.
Good luck to 'yer man though, although I think he may have better luck participating in a quest to find some golden rocking horse poo.