Judge rules in favour of bank in first UK phantom ATM withdrawal case

05 June 2009

A judge has ruled in favour of a UK bank after a customer took the bank to court regarding eight ATM withdrawals that he claimed he did not make.

This is the first time that a case has gone completely through the courts in a phantom ATM withdrawal case - many previous cases have been dropped, allegedly because a pre-court settlement was reached.

The litigant in the case - Alain Job - claims he lost more than £2000 from his account in early 2006 and, after being rebuffed by the bank using its complaints procedure, went to the financial ombudsman for a decision.

When that complaint route went against him, Job took the bank to court, and a one-day trial ensued at Nottingham County Court in late April of this year.

In his case against the bank, Job claimed that a cloned card had been used - along with his PIN - despite the fact that the card was secure in his possession and the PIN was known only by him.

Although the bank had apparently deleted two primary pieces of data - the ATM card stream data and the Authorisation Request Cryptogram (ARQC) - the judge ruled that the log files from the bank's computer system were sufficient to validate that Job's card had been used.

The ARQC, Infosecurity notes, represents the data held on the smart card of the chip & PIN bank card used in the UK and other countries, and is unique to the smart card concerned. In essence, the ARQC 'proves' that the smart card data has been read by the ATM.
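The evidentiary role of the ARQC is easier to see in code. The following Python sketch is an added illustration, not part of this article and not any bank's or card scheme's code: it models the chip computing a cryptogram over the transaction data with a card-unique key, and the issuer re-deriving that key to check the cryptogram. HMAC-SHA256 stands in for EMV's 3DES-based key derivation and retail MAC (an assumption made to keep the example self-contained), and every key, PAN, nonce and terminal value is constructed for the example. It goes a little beyond the article's one-sentence description by also showing what the issuer's check rejects: altered transaction data, a replayed cryptogram (the card's transaction counter does not increase), and a cryptogram produced without the chip's key, which is all a magnetic-stripe copy of the card can offer.

```python
"""Toy model of the EMV Authorisation Request Cryptogram (ARQC).

Added illustration, not from the article. Key derivation and the MAC use
HMAC-SHA256 as a stand-in for EMV's 3DES-based derivation and retail MAC
(assumption); all key and card values below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer master key; a real issuer keeps this inside an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_card_key(issuer_master_key: bytes, pan: str, pan_seq: str = "00") -> bytes:
    """Derive the card-unique key from the PAN and PAN sequence number.

    EMV does this with 3DES under the issuer master key; HMAC-SHA256 stands in.
    The derived key is personalised into the chip and never leaves it.
    """
    return hmac.new(issuer_master_key, (pan + pan_seq).encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class TransactionData:
    """Fields the chip signs; atc is the card's own transaction counter."""
    pan: str
    amount: int                  # minor currency units
    currency: str
    terminal_id: str
    unpredictable_number: bytes  # nonce chosen by the terminal
    atc: int

    def encode(self) -> bytes:
        fields = [self.pan, str(self.amount), self.currency, self.terminal_id,
                  self.unpredictable_number.hex(), str(self.atc)]
        return "|".join(fields).encode()


def generate_arqc(card_key: bytes, tx: TransactionData) -> bytes:
    """Chip side: MAC over the transaction data with the card key.

    EMV uses an 8-byte ISO 9797-1 retail MAC; a truncated HMAC-SHA256 stands in.
    """
    return hmac.new(card_key, tx.encode(), hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: re-derives the card key and checks the cryptogram."""

    def __init__(self, issuer_master_key: bytes) -> None:
        self.imk = issuer_master_key
        self.last_atc: dict[str, int] = {}   # highest ATC accepted per card

    def verify_arqc(self, tx: TransactionData, arqc: bytes) -> tuple[bool, str]:
        expected = generate_arqc(derive_card_key(self.imk, tx.pan), tx)
        if not hmac.compare_digest(expected, arqc):
            return False, "cryptogram mismatch: wrong key or altered transaction data"
        if tx.atc <= self.last_atc.get(tx.pan, -1):
            return False, "ATC not increasing: replayed cryptogram"
        self.last_atc[tx.pan] = tx.atc
        return True, "ARQC verified: a chip holding the card key computed it"


def run_scenarios() -> dict[str, bool]:
    """Exercise the flow: genuine chip, altered amount, replay, and a card copy
    that lacks the chip's key. Returns accepted/rejected per scenario."""
    pan = "4111111111111111"                 # constructed test PAN
    issuer = Issuer(ISSUER_MASTER_KEY)
    real_chip_key = derive_card_key(ISSUER_MASTER_KEY, pan)
    nonce = bytes.fromhex("1a2b3c4d")        # constructed terminal nonce

    tx = TransactionData(pan, 20000, "GBP", "ATM0001", nonce, atc=17)
    genuine = issuer.verify_arqc(tx, generate_arqc(real_chip_key, tx))[0]

    # The cryptogram for tx presented with a changed amount and counter.
    altered = TransactionData(pan, 25000, "GBP", "ATM0001", nonce, atc=18)
    tampered = issuer.verify_arqc(altered, generate_arqc(real_chip_key, tx))[0]

    # A correct cryptogram for tx, but its ATC (17) was already accepted.
    replayed = issuer.verify_arqc(tx, generate_arqc(real_chip_key, tx))[0]

    # Card data copied without the chip's key cannot yield a valid ARQC.
    tx2 = TransactionData(pan, 20000, "GBP", "ATM0002", nonce, atc=19)
    forged = issuer.verify_arqc(tx2, generate_arqc(b"not the card key", tx2))[0]

    return {"genuine": genuine, "tampered": tampered,
            "replayed": replayed, "forged": forged}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:9s} -> {'accepted' if ok else 'rejected'}")
```

Verification needs both the transaction data exactly as sent and the cryptogram itself; an issuer that keeps only summary log lines cannot re-run this check later, which is why the deleted ATM stream data and ARQC matter in a dispute of this kind.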

Job's case centred on the allegation that his card had been cloned and his PIN extracted from his smart card's chipset in some way.

This then allegedly allowed the fraudsters to clone the smart card chipset on the original card, and use the card in an ATM which read the smart card data, rather than the track 2 magnetic stripe data that all cloned cards seen to date seem to use.

Unconfirmed reports have suggested that Russian criminals have successfully decoded the smart card algorithms used on UK chip & PIN cards and developed an application called Bergamot that reads the smart card data stream, and accesses a hacker database on the internet.

The hacker database then reportedly feeds the decrypted data stream back to the Bergamot client application, suitably decoded, allowing the user to clone the smart card and use the PIN as normal.

Job is reported to be studying the court's judgement before deciding whether to appeal the ruling.

Alistair Kelman, a barrister and legal counsel specialising in IT cases, has been tracking the case and has uploaded a copy of the judge's decision to his website.

Kelman, who is a presenter on Infosecurity's webinar programme, says that the case is interesting as it was the first time that a case has reached the judgement stage in the court.

"The judge in the case made his decision, but has not stated that it acts as a precedent for future cases. He stated his decision has no wider significance and this could clear the way for future legal action involving allegedly cloned cards", he says.
