Bankers’ Christmas present

December 25th, 2011 at 08:39 UTC by Ross Anderson

Every Christmas we give our friends in the banking industry a wee present. Sometimes it’s the responsible disclosure of a vulnerability, which we publish the following February: 2007’s was PED certification, 2008’s was CAP while in 2009 we told the banking industry of the No-PIN attack. This year too we have some goodies in the hamper: watch our papers at Financial Crypto 2012.

In other years, we’ve had arguments with the bankers’ PR wallahs. In 2010, for example, their trade association tried to censor one of our students’ thesis. That saga also continues; Britain’s bankers tried once more to threaten us so we told them once more to go away. We have other conversations in progress with bankers, most of them thankfully a bit more constructive.

This year’s Christmas present is different: it’s a tale with a happy ending. Eve Russell was a fraud victim whom Barclays initially blamed for her misfortune, as so often happens, and the Financial Ombudsman Service initially found for the bank as it routinely does. Yet this was clearly not right; after many lawyers’ letters, two hearings at the ombudsman, two articles in The Times and a TV appearance on Rip-off Britain, Eve won. This is the first complete case file since the ombudsman came under the Freedom of Information Act; by showing how the system works, it may be useful to fraud victims in the future.

For your Christmas entertainment, we offer the bank statement which told Eve of the fraud; the initial exchange of letters between Eve’s lawyers and the bank; the ombudsman’s routine initial ruling against Eve, and her protest; the correspondence between the ombudsman and Barclays; Eve’s appeal and expert opinion; the verdict; and the offer of settlement. And let’s not forget the Thunder. A Merry Christmas to all!

Entry filed under: Academic papers, Banking security, Internet censorship, Legal issues, News coverage, Politics, Security economics

10 comments

  • 1. m  |  December 25th, 2011 at 11:02 UTC

    Wow, I read the whole thing and the very end was a kick in the pants when the ombudsman refused to award the victim legal expenses. Does FOS really think that a legal process of this magnitude could successfully be completed by a layman without any assistance while still maintaining a full time job?

  • 2. Ross Anderson  |  December 25th, 2011 at 11:51 UTC

    Barclays paid Eve’s legal bills in full. In fact, the decision was theirs; the Ombudsman found in Eve’s favour only after Barclays decided not to proceed with the case. The Ombudsman was “plus royaliste que le roi” in other ways too, saying in effect that the fraud was really her fault although the law didn’t let them find against her this time. Despite all the evidence, they couldn’t accept that it could have been an inside job or a technical attack. A proper court would have approached the case with a more open mind.

  • 3. Caoilte O'Connor  |  December 26th, 2011 at 00:02 UTC

    Thank you for posting this. It was powerful stuff. Powerfully reminiscent of a personal run-in with RLP.

    I was particularly shocked by the casual assumption by the ombudsman that a person (assumed not to need a solicitor) and a corporation (that can be safely assumed to retain as many as it needs) can be treated as equal parties. The moment that Barclaycard made its first of many mistakes it should have been ordered to pay damages plus expenses.

    Sadly the FOS comes off as sounding like a shill and the whole thing feels like it has been swept under the carpet.

    Thanks again. I love your blog.

  • 4. Jonathan Rosenne  |  December 26th, 2011 at 18:15 UTC

    The article seems to suggest the PIN in question may have been a customer selected PIN. The newspaper says it had not been changed since November 2006.

    Customer selected PINs, if this is indeed the case, are rather easy to guess. Instead of the ca. 5000 trials needed to discover a cryptographically generated PIN, half a dozen or so will do for a customer selected PIN. The fraudster would not need to target Eve, he could have picked up in this way some twenty or thirty cards and half of them would have succeeded with the standard 6 trials.

  • 5. Keith Tayler  |  December 27th, 2011 at 19:40 UTC

    Well done Ross. As I have said before with other ombudsman cases you have blogged, we must try to dismantle the ombudsman system in this country. Ombudsmen admit they are biased, which means they totally disregard the rules of evidence, actively prevent the complainant from having access to witness statements, make irrational statements, and, as I was informed by Sir David Yardley, have to accept the interpretation of the law as presented by the Council because they were permitted to employ lawyers and I was not! (Even if I had had a lawyer his/her interpretation would not be regarded as lex lata.) The FOA has helped, but I think it will be the FOA that goes before the ombudsmen do.

    Happy Hogmanay

  • 6. Nick P  |  January 3rd, 2012 at 19:33 UTC

    Like how you slammed the bank and court so well in your expert letter, Ross. It was nice.

  • 7. Surreptitious Evil  |  January 9th, 2012 at 12:07 UTC

    Customer selected PINs, if this is indeed the case, are rather easy to guess. Instead of the ca. 5000 trials needed to discover a cryptographically generated PIN, half a dozen or so will do for a customer selected PIN.

    Why? I appreciate that somebody with knowledge of a specific customer may be able to guess what the customer will have chosen more efficiently than brute-force but as the PIN is of the same format, I can’t see why you would reliably get such a massive improvement.

  • 8. Chris  |  January 10th, 2012 at 21:12 UTC

    Amazing work, why can’t industry take these things seriously instead of always playing the defensive card? The behaviour of people in perceived positions of power in situations such as these really makes it hard for me to have faith in humanity. Luckily people like Ross are there to provide a ray of light.

  • 9. Jonathan Rosenne  |  January 12th, 2012 at 21:56 UTC

    To Surreptitious Evil: Several studies show that similar to what happens with passwords, customers tend to select the same common PINs, such as 1234, 5555, 3333 etc, or something related to their birthday or phone number etc. There are several ways a thief can obtain this data, for example a pickpocket.
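To put numbers on the exchange between comments 4, 7 and 9, here is an added worked example; it is not code from the original post or from any of the commenters. It models a guesser who is limited to the six attempts per card mentioned above and guesses in best-first order, against (a) a uniformly random four-digit PIN and (b) a constructed, hypothetical skew in which a few popular PINs carry most of the mass, then shows the defender-side effect of refusing those popular PINs at selection time. The frequencies are invented for illustration, and the denylist model (displaced customers spread evenly over the remaining PINs) is a simplifying assumption.

```python
"""Added example: what a PIN guesser gains from a skewed PIN distribution.

Not code from the original post or its comments. The guesser is assumed to
be limited to a fixed number of attempts per card (lockout), as in the
"standard 6 trials" mentioned above, and to try PINs in best-first order.
"""
from math import comb

# Constructed, hypothetical probability mass for a few popular PINs.
# These fractions are invented for illustration, not measured data.
POPULAR_PINS = {
    "1234": 0.10,
    "1111": 0.05,
    "0000": 0.03,
    "1212": 0.02,
    "5555": 0.015,
    "2580": 0.015,
}

ALL_PINS = [f"{i:04d}" for i in range(10000)]


def uniform_distribution():
    """Every 4-digit PIN equally likely (a bank-generated random PIN)."""
    return {pin: 1 / len(ALL_PINS) for pin in ALL_PINS}


def skewed_distribution(popular=POPULAR_PINS):
    """Popular PINs keep their mass; the remainder is spread evenly."""
    leftover = 1.0 - sum(popular.values())
    rest = leftover / (len(ALL_PINS) - len(popular))
    dist = {pin: rest for pin in ALL_PINS}
    dist.update(popular)
    return dist


def success_probability(dist, attempts):
    """Chance that the `attempts` most likely PINs include the real one."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts])


def expected_trials_no_lockout(dist):
    """Expected guesses in best-first order if there were no lockout at all."""
    ranked = sorted(dist.values(), reverse=True)
    return sum((rank + 1) * p for rank, p in enumerate(ranked))


def expected_compromised(cards, p):
    """Expected number of `cards` opened when each succeeds with probability p."""
    return cards * p


def prob_at_least(cards, p, k):
    """P(at least k of `cards` independent cards fall within the guess budget)."""
    return sum(comb(cards, j) * p ** j * (1 - p) ** (cards - j)
               for j in range(k, cards + 1))


def apply_denylist(dist, denied):
    """Defender control: refuse `denied` PINs at selection time.

    Simplifying assumption: customers who would have chosen a denied PIN
    spread evenly over the remaining PINs (a best case for the defender).
    """
    kept = {pin: p for pin, p in dist.items() if pin not in denied}
    removed = 1.0 - sum(kept.values())
    share = removed / len(kept)
    return {pin: p + share for pin, p in kept.items()}


def compare(attempts=6, cards=20):
    """Summarise the three distributions under the same lockout budget."""
    hardened = apply_denylist(skewed_distribution(), set(POPULAR_PINS))
    rows = {}
    for name, dist in (("uniform", uniform_distribution()),
                       ("skewed", skewed_distribution()),
                       ("skewed+denylist", hardened)):
        p = success_probability(dist, attempts)
        rows[name] = {
            "p_success": p,
            "expected_trials_no_lockout": expected_trials_no_lockout(dist),
            "expected_cards_opened": expected_compromised(cards, p),
            "p_half_or_more": prob_at_least(cards, p, cards // 2),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:16s}", {k: round(v, 4) for k, v in row.items()})
```

Two things the output makes visible that the comments only state. First, the "ca. 5000 trials" figure is the expected guess count without any lockout; with the constructed skew that number is still in the thousands, so expected trials is the wrong metric. What changes is the mass covered by the first handful of guesses, which is exactly what a six-attempt lockout exposes: 0.06% per card for a random PIN against 23% under the constructed skew. Second, a selection-time denylist of the popular PINs pulls the per-card success rate back to the random-PIN level under the stated assumption, which is why a check at PIN-change time is the cheap control here.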

  • 10. Neil  |  February 17th, 2012 at 15:29 UTC

    Next time you’re in the supermarket look carefully at the PIN keypad. Notice the wear on the keys. Notice how ‘1’ has the most wear. If you’re really astute, you might even notice a pattern of wear decreasing with increasing number. Possibly Benford’s law at work?

    Or as one Asda cashier mentioned to me the other day, most people’s year of birth starts with ‘19’. Perhaps in another 4 years the numbers ‘20’ might be increasingly common (assuming you have to be at least 16 to get a bank card these days).
