Chip and PIN on Trial

The trial of Job v Halifax plc has been set down for April 30th at 1030 in the Nottingham County Court, 60 Canal Street, Nottingham NG1 7EJ. Alain Job is an immigrant from Cameroon who has had the courage to sue his bank over phantom withdrawals from his account. The bank refused to refund the money, making the usual claim that its systems were secure. There is a blog post on the cavalier way in which the Ombudsman dealt with his case. Alain’s case was covered briefly in the Guardian in the run-up to a previous hearing; see also the reports in Finextra.

The trial should be interesting and I hope it’s widely reported. Whatever the outcome, it may have a significant effect on consumer protection in the UK. For years, financial regulators have been just as credulous about the banks’ claims to be in control of their information-security risk management as they were about the similar claims made in respect of their credit risk management (see our blog post on the ombudsman for more). It’s not clear how regulatory capture will (or can) be fixed in respect of credit risk, but it is just possible that a court could fix the consumer side of things. (This happened in the USA with the Judd case, as described in our submission to the review of the ombudsman service — see p 13.)

For further background reading, see blog posts on the technical failures of chip and PIN, the Jane Badger case, the McGaughey case and the failures of fraud reporting. Go back into the 1990s and we find the Halifax again as the complainant in R v Munden; John Munden was prosecuted for attempted fraud after complaining about phantom withdrawals. The Halifax couldn’t produce any evidence and he was acquitted.

39 thoughts on “Chip and PIN on Trial”

  1. I wish him the best and hopefully rapid success.

    Two things have changed in his favour in recent times.

    Firstly, the credit crunch has made it clear to just about anybody alive (and hopefully M’learned friends) in the UK that the banks cannot be trusted with what they do and say. On a previous appeal a “winding up” order was overturned because “the legal bods” argued it was outrageous to suggest that, due to their size and assets, they did not have the ability to pay, and the judge bought it. Which we now know to be at best a fanciful statement…

    Secondly, British Gas lost in court and the judge’s summing up indicated that technological failings could not be blamed, as people had designed and built the technology and therefore any failing was down to poor workmanship, and management should have been aware of this.

    Finally, the company secretary of the Halifax is well aware that his computer programs produce garbage printouts that do not make sense to me or his staff or a calculator… I have written to him with regard to that, and the fact it has not been explained by him or others is the reason I’m getting to the point of putting the Halifax “to proof” or inviting him to explain it to a judge in London.

  2. I too wish him luck.

    I have had a small technical problem with my debit card which my bank have fixed but now claim could not have happened. Last year I opened a Lloyds TSB account and was sent a debit card which I used a couple of times before ringing the bank on an unrelated matter (a cheque lost in their clearing cycle – another systems failure). I had to give my debit card number before speaking to a human, and when the human came on the line I was told that the debit card did not exist. Indeed I was informed there was no record of such a card being issued and it certainly could not work in an ATM because it did not exist (at the time they had to accept that it had worked). After two days my card was put onto the system and existed. A week later I rang the bank again (cheque still lost) and was again informed that the card did not exist. This time it was decided to reissue me a new card and ‘cancel’ my non-existing card.

    Okay, these things happen, but what I do find difficult to accept is that I am now being told by every Lloyds employee that it could not have happened and that I should go away and sit in a dark room to contemplate the magnitude of my error.

  3. @ Keith,

    The question these days is,

    How can you tell the difference between Lloyds and Halifax (Bank of Scotland) staff on the end of a phone or letter?

    The second question is of course,

    And does it matter?

    As they appear to be sinking rapidly to the lowest common denominator due to senior management attitude / direction…

    Hopefully “m’learned friends” can do to the banks what the Government and FSA were either incapable of or chose (for personal benefit?) not to do. Which is to make judgments and rules (case law etc.) that will bring the “masters of the universe” down to earth with a bump and nail their feet there. So that their behaviour becomes such that the likes of the “common man on the Clapham omnibus” finds it reasonable…

  4. Thank god LBT reports on banks, and how problematic truth can be.

    Ombudsmen are often the good cop of the game, and that is not all to the good.

    As money becomes more digital, banks’ acceptance of absorbing risk is diminishing.

    Thus, our money is a game, and reporting on it, is very helpful.

  5. Mmmmm, the Job case will be an interesting one, that is certainly without doubt, no matter which way it turns out. Seeing as Nottingham is not too far away, I’ll look in to try to attend the hearing… having collected and followed phantom withdrawals cases for some years now, it is rare that — at the impetus of a customer — a case gets pushed all the way to court.

    Sorry to do the obvious cliche, but I am wondering whether this story will have the same ending as the biblical Job or not 😉

    Mike

  6. Cybergibbons and others interested in Brit Gas case,

    You can read an HTML version of the three Lord Justices’ reasoning at

    http://www.bailii.org/ew/cases/EWCA/Civ/2009/46.html

    The Right Honourable Jacob LJ had a few choice expressions to enjoy, as did the other LJs and those previously sitting in judgment.

    Or you can find a much wider discussion and analysis by various persons, “legal or otherwise”, by googling

    “british gas” jacob harassment judgment

    Most of it is quite readable, and the reasoning is readily understandable.

    There is also a nice bit where Jacob LJ effectively raps Brit Gas’s legal team over the knuckles for trying to pull the wool over the LJs’ eyes by (deliberately?) withholding information derived from a case they cite which shows their argument to be fatally flawed.

  7. The angle that always strikes me is the one-sided nature of the arrangement with the banks. Contracts are supposed to provide a guarantee that there is something in it for both sides.

    But here the banks, who don’t like the statutory framework of signatures, are imposing a system entirely of their choice which only protects them and forces the customer, already at a disadvantage, to prove a negative in the event of a dispute.

    Why can’t I have an 8-digit PIN if I want one and can remember it? The first 10 or so digits of pi and e are well engraved on my memory and I can add 1 mod 10 to them if needed. The protocol allows for up to 10 digits, and 4 allows only 10,000 variations, reduced to much less when 1111 or 1234 or even my mother’s birthday of 0505 are excluded, and is pathetically easy to watch at supermarket tills – especially by the bored staff at the CCTV monitors.

    Or why can’t the PIN machines ask for a different selection of digits from a PIN each time, like the Internet banking for the bank I use, which asks for 3 different ones each time (out of a 6-digit number) – they do the same over the phone. Why should I have a more secure system when I’m sitting at my desk at home with no one breathing down my neck than I have when I’ve got a queue of people behind me waiting to pay for their groceries?

    Or how about being allowed to interpose my own choice of security device between the card and the PIN terminal as an alternative or addition to the PIN? It might read a fingerprint (from a different finger each time) or it might look at an iris or both, depending on my whim or the ever-changing device’s whim.

    You can’t make anything totally fraud-proof but allowing the customer to enhance his/her own security if required should redress the balance a bit.

  8. It is interesting to note in the report of the case, the last bit about video not being available…

    I would be very interested to know a few things such as,

    Were the “non video” withdrawals made at machines that had video equipment?

    If they did have equipment why was it not working?

    Does Mr Job use these particular ATMs?

    Does Mr Job use other ATMs without video cameras?

    Does Mr Job only use ATMs with video cameras?

    Maybe it is of little relevance but it might well indicate that there is further information that needs to be investigated.

    Oh, and “how to disable a CCTV camera”…

    There is a device known as a HERF gun (High Energy Radio Frequency); it basically produces very high levels of microwave energy focused into a narrow-aperture plane wave by an appropriate antenna.

    There are a number of ways you can generate HERF, mostly by thermionic valve (yup, I did say “valve”). Of those you can use, the easiest is probably the cavity resonator magnetron.

    These are fairly easily available for quite small sums of money. Easy, with no questions asked, are microwave ovens and boat-mounted radar.

    Of these the microwave oven is the bargain, with 35 GBP getting you all the bits you need. My preference however would be for a 3cm radar.

    Either way a little knowledge and metalwork experience will enable you to convert your chosen device into a HERF gun. Oh, and for “portability” most low cost UPSs will, with a little additional wiring soldered in, easily produce the required level of power at ~220V.

    A couple of years ago as an experiment we built one in a “flight case” with UPS and batteries.

    Although heavy, it did quite happily “fry” electronics very very quickly at well over 50ft. (It also quite happily cooked a pork chop hanging a couple of feet in front of the horn, so it is not only electronics that can be fried, but the operator as well if they don’t build/use it with care.)

    For rather dull reasons the low cost CCTV cameras used for security in plastic domes etc. are very vulnerable to centimetre radiation and can be easily put out of action.

    The damage caused is often not visible, and even when it is, it is usually put down to “simple failure”, not deliberate action….

  9. While I first thought it was a terrible outcome, I’ve just spent time reading the ruling: http://www.alikelman.com/jobhbos.pdf

    Doing so makes me think perhaps it was the appropriate ruling for this case.

    That’s not to say that Chip and Pin fraud does not take place, but in this particular case it looks like it didn’t.

    IMHO

  10. Here is a scan of a page of the evidence presented by the Halifax. Basically it’s a hex dump and the court had to rely on a Halifax chap saying that the highlighted ‘04’ bytes meant that ‘we win this case’ (technically, that this was a successfully verified chip transaction). The evidence designed into the EMV spec for dispute resolution — the logs with ARQC, ARPC and TC cryptograms — had been discarded; the judge (and his predecessors in the trial) had balked at ordering the production of the keys needed to verify them had they been retained. The defence experts didn’t have any access to the systems that generated the ‘04’ bytes, or even to a description of them in other than the vaguest of terms. On such an opaque printout did the case turn.
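The evidence chain the comment above describes (issuer master key, per-card key, per-transaction session key, ARQC and ARPC), written out as an added example; it is not part of the original post and is not Halifax’s or any issuer’s production code. It follows EMV Book 2’s option A card-key derivation, the common session key method and the ISO 9797-1 retail MAC, in Go with the standard library’s crypto/des. The issuer master key, PAN, ATC and CDOL data are constructed for the example, the CDOL layout is assumed, and real issuers’ cryptogram versions differ in padding and derivation details. What it shows is the point at issue in the case: an issuer can re-check an ARQC only if it kept the cryptogram, the ATC and the MAC input and still has the key, and a log that records only a status byte proves nothing.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// tdes2 encrypts one 8-byte block under a 16-byte two-key 3DES key (K1, K2, K1).
func tdes2(key16, block []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// deriveUDK: EMV Book 2 Annex A1.4.1 option A. Y = rightmost 16 digits of PAN||PSN (assumed to be at
// least 16 digits), UDK = 3DES_IMK(Y) || 3DES_IMK(Y xor FF..FF). EMV's parity fix-up is omitted: DES ignores parity bits.
func deriveUDK(imk []byte, pan, psn string) []byte {
	digits := pan + psn
	y, _ := hex.DecodeString(digits[len(digits)-16:])
	return append(tdes2(imk, y), tdes2(imk, xorBytes(y, bytes.Repeat([]byte{0xFF}, 8)))...)
}

// deriveSessionKey: EMV common session key (Annex A1.3.1): ATC padded to a block, F0 (left) or 0F (right) in byte 3, under the UDK.
func deriveSessionKey(udk, atc []byte) []byte {
	r := make([]byte, 8)
	copy(r, atc)
	r[2] = 0xF0
	left := tdes2(udk, r)
	r[2] = 0x0F
	return append(left, tdes2(udk, r)...)
}

// retailMAC: ISO 9797-1 algorithm 3, padding method 2 (0x80 then zeros), as EMV uses for ARQC/TC: DES-CBC under K1, then D_K2, E_K1.
func retailMAC(sk, data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%8 != 0 {
		msg = append(msg, 0x00)
	}
	k1, _ := des.NewCipher(sk[:8])
	k2, _ := des.NewCipher(sk[8:])
	h, tmp := make([]byte, 8), make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		k1.Encrypt(h, xorBytes(h, msg[i:i+8]))
	}
	k2.Decrypt(tmp, h)
	k1.Encrypt(h, tmp)
	return h
}

// ARPC method 1: the issuer's reply that the card checks, 3DES_SK(ARQC xor (ARC || 00..00)).
func ARPC(sk, arqc []byte, arc [2]byte) []byte {
	return tdes2(sk, xorBytes(arqc, append(arc[:], 0, 0, 0, 0, 0, 0)))
}

// DisputeRecord is what the issuer must retain to re-verify a transaction later (layout assumed).
type DisputeRecord struct {
	PAN, PSN  string
	ATC, ARQC []byte
	MACInput  []byte // CDOL1 data || AIP || ATC || IAD, exactly the bytes the card MAC'd
}

// CardARQC is the card-side computation with the UDK personalised into the chip.
func CardARQC(udk, atc, macInput []byte) []byte {
	return retailMAC(deriveSessionKey(udk, atc), macInput)
}

// IssuerVerify recomputes the ARQC from the issuer master key; a status byte in a printout cannot stand in for this.
func IssuerVerify(imk []byte, rec DisputeRecord) bool {
	return bytes.Equal(CardARQC(deriveUDK(imk, rec.PAN, rec.PSN), rec.ATC, rec.MACInput), rec.ARQC)
}

// SampleTransaction builds a constructed record: the PAN, ATC and CDOL data are made up for this example.
// CDOL1 order assumed: amount(6) other amount(6) country(2) TVR(5) currency(2) date(3) type(1) UN(4), then AIP(2).
func SampleTransaction(imk []byte) DisputeRecord {
	rec := DisputeRecord{PAN: "4111111111111111", PSN: "00", ATC: []byte{0x00, 0x1C}}
	cdol, _ := hex.DecodeString("000000010000000000000000082600000080000826070316013A9F1C2E5C00")
	iad, _ := hex.DecodeString("0FA501A038000000")
	rec.MACInput = append(append(cdol, rec.ATC...), iad...)
	rec.ARQC = CardARQC(deriveUDK(imk, rec.PAN, rec.PSN), rec.ATC, rec.MACInput)
	return rec
}

func main() {
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed issuer master key
	rec := SampleTransaction(imk)
	genuine := IssuerVerify(imk, rec)
	rec.MACInput[5] ^= 0x01 // alter the logged amount: the issuer's re-check must now fail
	fmt.Printf("ARQC %X verifies: %v; after altering the log: %v\n", rec.ARQC, genuine, IssuerVerify(imk, rec))
}
```

Run it and the genuine record verifies while the re-check after altering one byte of the logged amount fails; substitute a different issuer key and the genuine record fails too, which is why the keys the court declined to order were as necessary to the defence as the logs that had been discarded.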

  11. For the purpose of this comment I cannot use my real name, the reason …….. I work for a well known bank!

    I am not going to talk and talk about this as for me this really is a busman’s holiday!

    Let me just first start by saying that whilst I appreciate that everyone is entitled to their own opinion, unless you have worked in a fraud section of a bank with access to the information that I have access to, it is a bit of a one sided story. The people who have this happen to them are convinced the card is copied/cloned (understandably so); the people at the bank say the opposite. Now I am not someone who will support the bank at every given opportunity, far from it. I agree with the majority of people regarding account charges, overdraft fees etc. However there is one issue that I will back the bank on to the death …….. Chip and PIN.

    You only have to read the recent court ruling to realise that since chip and pin was introduced 300 million chip enabled cards have been sent out to customers and there has not been 1 instance of a chip card being copied. Even the sceptics have to admit that is some pretty damn good stats!

    If a chip card had been copied and used then the fraudster would not know when the card was cancelled so would continue to use the cash machine until eventually the card is retained by the machine. As soon as it is retained the card would be in the machine and bang, there you have it evidence of a copied card which used a chip. This has never happened in the 2 and a bit years that chip and pin has been used.

    I am not saying that a chip card cannot be copied; what I am saying is that the copy of that card cannot then be used in a UK ATM. Sure it can be used abroad (where chip and PIN isn’t present) or over the internet or phone where the actual card is not needed, but in a cash point, no. Security features mean that if the chip cannot be read by the cash point and the original card has a chip then the money will not be dispensed, simple.

    In the majority of cases where the original card is used to make the transaction and the customer has not authorised this, it turns out to be someone known to the customer (mostly a family member). It must be, as they have taken the card, used it and then put it back again, unless of course a stranger is entering the home of said person to put the card back again ……. Doubtful! Some people say their card is locked in a safe at home; how do you suppose a stranger got it from there ….. he didn’t, it was a thieving relative!

    So to sum up, before going to court and incurring nearly £50,000 in charges as Mr Job has, I would suggest looking closer to home if the bank say the card has not been copied. Trust me, it is VERY easy to tell! I should know, I work there!

  12. I don’t see why I should trust anyone who claims to work for a bank! The banking industry claimed in 2005, and again in 2006, that no UK ATM would perform magstripe fallback transactions. This was untrue. We found ATMs doing fallback again and again, and as late as 2007 – after the transactions disputed in the Job case. Maybe they still are doing fallback – we haven’t checked recently.

    The simple fact is that the UK is failing to comply with EU law. The payment services directive requires member states to provide a fair, effective, low-cost dispute resolution mechanism. The Financial Ombudsman Service just doesn’t cut it.

  13. Anyone know why Mr Job felt it necessary to ‘hide’ the card in the garden if he was convinced that someone had a copy of his card?!?! Surely it would be irrelevant where his card was if someone had a copy!

    Hiding a card in the garden is really not normal behaviour! that sounds like something you would do if you were trying to hide the card from someone in specific …….. like someone you live with!

  14. @Joe bloggs
    As you work for a bank, you will probably never be the victim of a problem like the one I have had to go through with my family for more than 3 years now.
    You seem to suggest that because a chip and PIN card can’t be copied, there isn’t any other way of debiting the money from a customer’s account.
    One would at least want a credible bank in the United Kingdom to respect the EMV protocol dispute rules, which require that a bank produce the transaction cryptograms of a disputed transaction.
    The very fact that Halifax said they destroyed this vital element should have given you some caution in what you wanted to say.
    At the moment, we are not even sure if the money was taken at all through the said ATM cash machines, as the bank wouldn’t produce the receipts from the ATMs’ tills; you would agree with me that even your corner shop can produce the receipts of their till whenever required.
    I hope to believe that you are not suggesting that my daughters, or my late wife, were the ones who grabbed the card, used it and brought it back; these are people I have lived with for more than 5 years in the UK with a bank account and money in it without ever going through this.
    Could you now explain why banks pay back money to victims like me, because they can prove they were somewhere else at the moment of the disputed withdrawals, if Chip and PIN was so secure?

  15. Hi, I certainly hope that I will never be in a similar situation, and I do feel for the position you are in, no one deserves this. I am certainly not saying that any of your family are responsible, but if it is the original card that was used then it must be someone who was able to take it and put it back again. I understand that you don’t believe that it was the original card but from my personal experience if there is any doubt then it just gets refunded, maybe this is not the case with Halifax, again I cannot comment on that. That said if your statement at the time of the transactions said they were taken from a cash point then that’s where they were taken from, I cannot see the Halifax falsifying your bank statements to make you think they came from there if they didn’t.

    You mentioned above about other ways of debiting an account. If the money came out of a cash point then it came out of a cash point, simple. However I absolutely agree with you regarding the destruction of the data that was needed. That is suspect and as a major bank I cannot see why this cannot be produced. My personal opinion is that if they cannot show the money came from a cash point and it was chip read then they should refund the money, but again that is just my personal opinion. I am inclined to think that this data was lost, although that is just me speculating.

    What I have said regarding a chip and PIN card not being copied is because in my experience of dealing with this sort of fraud, I have never seen a chip card be able to be copied and used in a UK ATM. As I have said above, the security feature regarding fallback to magnetic stripe should stop this. I have not seen any instance where transactions fall back and are read by the magnetic stripe when the original card is a chip and PIN card (in the last 2/2.5 years). If other people have seen this then fair enough; however, I can only comment on the experience I have.

    As far as I can guess the only reason I can think that this would be refunded if someone was able to prove they were somewhere else is because their card was not a chip card. Therefore it can be copied and the copy used whilst they have the original somewhere else.

    My final view on it is that if Halifax are so willing to go all the way to court to prove it was the original card used then they must be pretty sure. Like yourself, if you are willing to go all the way to court then I have no doubt that you too are innocent, but, someone must be responsible. If it is the original card used then that person must be someone who was able to access the card, use it and then put it back. Please Mr Job’s do not take this as a personal attack at yourself, it is by no means meant in that way. I wish you all the luck with this case.

  16. Mr Joe, I appreciate your comments and the clarifications you tried to make.
    The real fact of the matter is that the secrecy surrounding card fraud complaints is calling for suspicion that the real level of this crime is unknown.
    Banks should have an interest in letting any member of the public know exactly the level of fraud reported, but we now know that there isn’t any data available either from the police, the FOS or the banks on which we can assess the level of chip and PIN fraud complaints to admit your assertions about the safety of Chip and PIN. The people I referred to all had Chip and PIN cards and the money was given to most because they had an alibi; you can check the comments at http://www.finextra.co/whosemoneyisitanyway and you will understand.
    If a major bank can’t recreate data that any other business has to keep for 6 years then it could be better banking in Zimbabwe.
    Again it is not personal, but as someone apparently working in the bank fraud investigation team, having the assumption that chip and PIN cannot be cloned is the wrong way to start your analysis; it is not because you haven’t seen it that it should not exist.
    If nobody from my household took the card and I say I did not authorise anyone to take my card and conduct the disputed withdrawals, I would still expect the bank to admit liability.
    The fact the bank knew i was complaining should have made them to keep all my banking relating data safe.
    They had the money from the tax payers which i could not access therefore they could go to any court, why didn’t the bank prosecute me if they thought i wanted to swindle the money away from them?
    It is me today but remember no man is an island.

  17. Mr Job I completely agree about the recorded levels of fraud. This is something that should be made public. My concern is that time and time again I attempt to report this type of fraud to the police but more often than not they do not want to know and immediately file the crime as undetected (some forces do not even bother logging the crime!!)

    In regards to what you say about “someone apparently working in the bank fraud investigation team, having the assumption that chip and pin can not be clone is the wrong way to start your analysis”, I’m afraid I completely disagree with this. I am 100% confident that at present chip and PIN cards cannot be copied and used in a UK ATM; there has been no evidence of this and I truly believe that if this had been possible then at least 1 card would have been recovered and therefore the industry would have proof that this is taking place. Until I see that proof I think the whole ‘chip and pin isn’t secure’ argument has no weight at all, as there is no proof that it has failed.

    Therefore my personal opinion is that if Barclays can show that the chip in your card was read in each transaction then my feeling is that you as a card holder are liable, as it is beyond the bank’s control to protect you from someone taking your card from a ‘secure’ place. If the bank cannot provide this documentary evidence then yes, I agree that you should be refunded.

    I think we may have to just agree to disagree on some of these points.

  18. I have recently had this type of crime happen to me, and I have to say that I totally agree with Mr Job. Joe, as it has not happened to you or someone you know personally, and you work in a bank, I can understand your scepticism about this type of fraud. However, transactions occurred on my account when I can say 100% that my card was with me.
    My card was swallowed at an ATM the day after the fraudulent activity, which was how I found out the transactions had taken place (after calling my bank). The bank agreed that my card was read at the ATM where it was swallowed but could not produce the card, hence it has most likely been destroyed (how convenient). I sleep with a lock on my door so no one could have either got to my card or got it back to me, bar some kind of flying machine to my window.
    I am not saying that my card was cloned, as I have no idea about the complexities of bank fraud and identity theft, but something has occurred whereby money has been taken from my account without my authorisation, through no negligence of my own, and no one has taken my card from me and returned it without my knowing.
    It would seem far more likely to even a totally independent third party that perhaps, instead of the many people that report ‘phantom withdrawals’ being liars, criminals have done now what they have managed to do for many many years… get one step ahead of those who might seek to stop them.
    In my case, as with Mr Job, it seems unlikely Halifax is going to reimburse me. They would not even go into any sort of investigation, like using CCTV at the Argos or cash machine where the transactions took place in order to see the assailant.
    The banks don’t seem to care as long as they don’t lose out, and of course no one that can do whatever type of activity goes into this crime is going to openly advertise it.
    Perhaps this type of crime will only be exposed with enough publication, or perhaps by the victim using his/her card at the same time as the perpetrator, but even then the bank probably pays the money back, the customer is happy and everybody else none the wiser. One thing’s for sure: until something like this happens, pleas from the victims of this crime will continue to fall on deaf ears at the banks, the police and the apparently independent ‘bank funded’ FOS.

  19. Hi Mr Bovell, yep, that does sound strange, but to be honest I am fed up with the whole argument; it gets really boring (that isn’t having a go at you by the way, so please don’t think it is).

    As I said before, unless someone discovers a ‘copy’ of someone’s card with a chip in it then I think there is no proof that it can be done. As soon as this can be proved I would back people 100%.

    As I stated before I have no loyalty to the bank (it is just a job; have a go at me if you like, I’m not really bothered). I work in this industry and there hasn’t been 1 cloned card found that had a chip in it, so how can the chip be read in the machine if it is not present in the card???

    As for the CCTV, well don’t get me started; I get so angry with the police on this front. The police don’t care (as I have been told by officers on many occasions) because it is considered low level crime. Asking a police officer to get CCTV is like getting blood from a stone in most cases; obviously there are exceptions to the rule and sometimes helpful officers do everything they can, but this is few and far between!

    If CCTV was installed in ATMs then the problem would be solved, as you could see who made the transaction. If you know them then great, it is solved; if you don’t then the police could try to help identify them.

    Anyway, as I said, I am bored with the whole argument now. To me it is fairly black and white: if it can be proven that it was your card then someone known to you must have used it and put it back; if it cannot be proven you should get your money refunded.
