Re: How ATM fraud nearly brought down British banking

2005-10-24 Thread Alex Alten

Is there any comparable fraud with the USA ATM system in recent decades?
I've only heard of this type of wholesale fraud in Europe or in pre-1980 USA.

- Alex

At 01:58 AM 10/22/2005 -0400, R.A. Hettinga wrote:

--- begin forwarded text

 Date: Sat, 22 Oct 2005 01:58:34 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: How ATM fraud nearly brought down British banking

 http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/print.html

--

- Alex Alten


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


How ATM fraud nearly brought down British banking

2005-10-22 Thread R.A. Hettinga

--- begin forwarded text


 Date: Sat, 22 Oct 2005 01:58:34 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: How ATM fraud nearly brought down British banking

 http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/print.html

 The Register


 Original URL: http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
 How ATM fraud nearly brought down British banking
 By Charles Arthur (feedback at theregister.co.uk)
 Published Friday 21st October 2005 09:52 GMT

 This is the story of how the UK banking system could have collapsed in the
 early 1990s, but for the forbearance of a junior barrister who also
 happened to be an expert in computer law - and who discovered that at that
 time the computing department of one of the banks issuing ATM cards had
 gone rogue, cracking PINs and taking money from customers' accounts with
 abandon.

 The reason you're hearing it now is that, with Chip and PIN cards finally
 in widespread use in the UK, the risk of the ATM network being abused as it
 was has fallen away. And now that junior barrister, Alistair Kelman, wanted
 to get paid for thousands of pounds of work that he did under legal aid,
 when he was running a class action on behalf of more than 2,000 people who
 had suffered phantom withdrawals from their bank accounts. What you're
 about to read comes from the documents he submitted last week to the High
 Court, pursuing his claim to payment.

 Phantom withdrawals were a big mystery when the banks and building
 societies began to join their ATM networks together in the 1980s. Kelman at
 that time was a barrister (who argues cases in front of a judge, rather
 than only slogging away in legal chambers) specialising in intellectual
 property law. He got interested in computing in the 1980s when the National
 Computing Centre asked him to advise the Midland Bank on its computer
 system.

 What quickly became clear was that the law needed a system to provide proof
 that events had happened so that legal cases could be made. You might say
 that the computer debited the account, but to a barrister (and more
 importantly, a judge) that's not enough. Did the computer do it at random?
 In that case it's like a tree branch falling - an accident. Or did a person
 program it to do so? In which case the person must be able to testify about
 the precise circumstances when a debit could happen. Sounds daft, but the
 law rests on proving each step of an argument irrefutably.

 In February 1992 Kelman got a call from Sheila MacKenzie, head of the
 Consumers' Association (which publishes Which? magazine), who said that
 members were complaining by the dozen about phantom withdrawals, and was he
 interested? Kelman was, and met MacKenzie, with two of the association's
 members, Mr and Mrs McConville from Liverpool, who had had a number of
 phantom withdrawals from their Barclays account. They already had a
 solicitor, but needed someone with computer expertise in the law to make
 their case. Kelman at this time was able to charge £1,750 per hour - each
 hour being broken into six-minute chunks. Oh, and don't forget VAT too.
 That's £206.62 per six minutes.

 He showed his value pretty quickly, pointing out that banks must have a
 legal mandate to debit someone's account. If they take it away from a
 customer without a mandate, they must refund it. So the legal point of
 phantom withdrawals hinged on the question: if a PIN is typed into an ATM
 with a card that matches an account number, is that a mandate by the
 customer for the bank to debit their account?

 As long as you didn't breach the terms of the contract by leaving your card
 lying around (which would give implicit authority for use), then you, as
 the customer, could simply say that the withdrawal was not mandated, and
 demand your cash back.

 How could the banks respond? They'd have to give all the phantom withdrawal
 money back where they could not show that the customer had typed in the PIN
 - unless, that is, they claimed that their systems were infallible. Yes,
 only by going where no computer system had ever gone before could the banks
 deny that phantom withdrawals were (1) taking place and (2) their
 responsibility to refund.

 You'd think it would be open and shut. You haven't dealt much with banks,
 have you? Kelman took the case on legal aid and decided to bundle up more
 than 2,000 people's cases into a single class action against all the high
 street banks taking part in the ATM network. He trawled newsgroups for
 information on how crackers might decode ATM cards.

 He also met two key people in the course of his research. The first, early
 on, was Andrew Stone, an ex-con who had been done for fraud, who claimed to
 have taken £750,000 from ATMs by combining techniques such as
 shoulder-surfing and grabbing receipts from ATMs (which in those days often
 had the full account number