Financial Ombudsman on Chip & PIN infallibility

The Financial Ombudsman Service offers to adjudicate disputes between banks and their customers who claim to have been treated unfairly. We were forwarded a letter written by the Ombudsman concerning a complaint by a Halifax customer over unauthorised ATM withdrawals. I am not familiar with the details of this particular case, but the letter does give a good illustration of how the complaint procedure is stacked against customers.

The customer had requested further information from Halifax (the Firm) and the Financial Ombudsman Service (this Service) had replied:

However this Service has already been presented with the evidence you have requested from the Firm and I comment on it as follows. Although you have requested this information from the Firm yourself (and I consider that it is not obliged to provide it to you) I conclude that this will not make any difference, because this Service has already reviewed this information.

The right of parties in dispute to see the evidence involved is a basic component of justice systems, but the Financial Ombudsman has clearly not heard of this, but then again they are funded by the banks. While the bank can have their own experts examine the evidence, the customer cannot do the same. Although the Financial Ombudsman service can review the evidence, giving it to the customer would allow them to pursue further investigation on their own.

The Firm has provided an ‘audit trail’ of the transactions disputed by you. This shows the location and times of the transactions and evidences that the card used was ‘CHIP’ read.

Without access to the audit trail and information concerning how it was produced, it is almost impossible for the customer to know the precise details of the transaction. Based solely on the letter, there are still a number of important unanswered questions. For example:

Was the card in question SDA or DDA?
SDA cards can be cloned to produce yes cards, which will accept any PIN and still work in offline transactions, where the terminal or ATM does not contact the bank. This type of fraud has been seen in France (pp. 5–10).
Was the ATM online or offline at the time of the transaction?
Although ATMs are generally online, if Chip & PIN terminals fail to dial up the bank they may continue to work offline and so accept SDA clones. Could this have happened with this ATM?
What was the application cryptogram presented in this transaction?
When a Chip & PIN card authorises a transaction, it produces an application cryptogram which allows the bank to verify that the card is legitimate. A yes card would not produce the correct application cryptogram.
What is the key for the card?
The application cryptogram is produced using a cryptographic key known only by the card and bank. With this and some other information the customer could confirm that the application cryptogram really came from his card. Since the card has long since been cancelled, releasing this key should not be a security risk. If the banks are not storing this information, how can they be sure that their systems are operating correctly?

It seems unlikely that the Financial Ombudsman knew which of these events have occurred either, otherwise I would have expected them to say so in their letter.

As we have already advised you, since the advent of CHIP and PIN, this Service is not aware of any incidents where a card with a ‘CHIP’ has been successfully cloned by fraudsters so that it could be used by them successfully in a cash machine.

Besides the scenarios mentioned above, our demonstration for Watchdog showed how, even without cloning a card, a Chip & PIN terminal could be fooled into accepting a counterfeit. Assuming this ATM read the chip rather than the magnetic stripe, our attack would work just as well there. The situation surrounding this particular case might preclude a relay attack, but it is one of many possibilities that ought to be eliminated in a serious investigation.

Although you question The Firm’s security systems, I consider that the audit trail provided is in a format utilised by several major banks and therefore can be relied upon.

The format of the audit trail is no indication of whether the information it records is a true and complete representation of what actually happened and it is almost ludicrous to suggest that. Even if it were, the fact that several banks are using it is no indication of its security. To actually establish these facts, external scrutiny is required and, without access to bank’s systems, customers are not a position to arrange for this.

So the banking dispute resolution process works well for the banks, by reducing their litigation costs, but not well for their customers. If customers go to the Ombudsman, they risk being asked to prove their innocence without being given access to the information necessary to do so. Instead, they could go directly to the courts, but while the bank might accuse customers of not following proper procedures, if they win there they can at least send in the bailiffs.

6 thoughts on “Financial Ombudsman on Chip & PIN infallibility

  1. What this suggests is the need for measures of self-defence:

    1 Use credit cards, not debit cards, so as to take advantage of the £50 limit on liability under sections 84 and 171 of the Consumer Credit Act 1974.

    2 Get signature cards, not PIN cards. Issuers vary in their readiness to provide them. Weaknesses of eyesight, motor control or mental capacity are likely to induce more sympathy than a dislike of the risk allocation régime.

    3 Do without access to ATM machines. If this is inconvenient, carry the necessary PIN card only when needed for cash withdrawal, and take stringent precautions against theft or loss.

  2. I don’t wish to dispute any of Steven’s or Nicholas’s points and also do not have any details of the case, but would suggest the a couple of further, non-technical attack methodologies:

    1. Have a duplicate card issued on the account. I don’t have access to Halifax ones but both sets of (credit) cards my wife and I use have the same number and the same CVV2 values. I doubt that these are differentiated in the audit trail. Certainly, when we had to get one cancelled, they had to cancel both.

    2. In a “friends and family” or bank staff fraud scenario, write in and get your PIN re-advised. Pre Chip & Pin, they would amend the mainframe account record and send you out a new and different pin. This cannot be done under C&P as you need access to the card to change the pin on that, so they can only send you the current pin. Nick the re-advice letter (which the victim was not expecting anyway) and borrow the card from time to time.

    It is worth pointing out that the bank’s customer complaints teams do not include security experts and very rarely will they pass details of an issue to the security function. I doubt that the Financial Ombudsman has any either.

    Also, very unlikely that it was a DDA card – I don’t believe that any of the UK banks are rolling these out as yet. Wouldn’t mind being wrong on that, though 🙂

    S-E

  3. The letter from the Financial Ombudsman is pretty much a standard response from a UK Ombudsman. I have studied hundreds of decisions from various Ombudsmen bodies and have with few exceptions found them to be an affront to reason and justice. A notable exception was the NHS Ombudsmen 2002 report that attempted to correct the bizarre decision of the House of Lords, (1998) Re L (By his Next Friend GE).
    In 2004 I was informed by the Financial Ombudsman office that they had as a rule to accept that the data and information from banks was always correct. In 1993, Sir Peter Yardley, Local Government Ombudsman, explained in a letter to me that the rule was that he had to accept a local authority’s interpretation of the law not the complainant. He also used his powers of Ombudsman (that of a Judge) to instruct the police to withhold information from a complainant. I could site endless other examples.
    The Ombudsman system exists to exhaust complainants; a process that produces much heat but very little light.

  4. Financial services employees are beaten about the head on a daily basis about their personal obligatiions to prevent their employers being fined by the FSA.

    About £1.5m is the going rate when the FSA summarily rules.

    Nobody legal ever went to work for a bank to steal. But plenty of villains do. It’s easy. “Yes, Boss, I can sell until the sales are coming out of my ears* (*possibly an anagram of the orifice the applicant talks out of.)”

    I read today that “the Banks” are set to declare £38bn in profits last year.

    £1.5m is small change.

  5. In my own experience, the UK Financial Ombudsman Service failed to be THOROUGH in our case, the Company, being failed by a Bank, the Firm.

    Once I made my case about the delays/Maladministration of the Firm’s commercial loan procedure that took, not five-weeks, but five-months, thus proving financially detrimental to begin trading, we expected the FOS to establish the period in which the bank agreed to lend and when it finalised the loan. Instead, the approach by the FOS to be thorough in their investigation to our original complaint was dismissed… ignored! A conflict of interest I say. The FOS would tll you that they are ‘Independent’ of the banks. But they are funded by the banks! Are we to believe that the Powerful and Arrogant bank did not have any say in the way the FOS is run? We are still seeking redress in our case.

  6. “Although you question The Firm’s security systems, I consider that the audit trail provided is in a format utilised by several major banks and therefore can be relied upon.”

    Millions of flies can’t be wrong, eh?

Leave a Reply to IAS Cancel reply

Your email address will not be published.