Judge rules in favour of bank in first UK phantom ATM withdrawal case

This is the first time that a case has gone completely through the courts in a phantom ATM withdrawal case - many previous cases have been dropped, allegedly because a pre-court settlement was reached.

The litigant in the case - Alain Job - claims he lost more than £2000 from his account in early 2006 and, after being rebuffed by the bank using its complaints procedure, went to the financial ombudsman for a decision.

When that complaint route went against him, Job took the bank to court, and a one-day trial ensued at Nottingham County Court in late April of this year.

In his case against the bank, Job claimed that a cloned card had been used - along with his PIN - despite the fact that the card was secure in his possession and the PIN was known only by him.

Although the bank had apparently deleted two primary pieces of data - the ATM card stream data and the Authorisation Request Cryptogram (ARQC) - the judge ruled that the log files from the bank's computer system were sufficient to validate that Jobs' card had been used.

The ARQC, Infosecurity notes, represents the data held on the smart card of the chip & PIN bank card used in the UK and other countries, and is unique to the smart card concerned. In essence, the ARQC `proves' that the smart card data has been read by the ATM.

Jobs case centered on the allegation that his card had been cloned and his PIN extracted from his smart card's chipset in some way.

This then allegedly allowed the fraudsters to clone the smart card chipset on the original card, and use the card in an ATM which read the smart card data, rather than the track 2 magnetic stripe data that all cloned cards seen to date seem to use.

Unconfirmed reports have suggested that Russian criminals have successfully decoded the smart card algorithms used on UK chip & PIN cards and developed an application called Bergamot that reads the smart card data stream, and accesses a hacker database on the internet.

The hacker database then reportedly feeds the decrypted data stream back to the Bergamot client application, suitably decoded, allowing the user to clone the smart card and use the PIN as normal.

Job is reported to studying the court's judgement before deciding whether to appeal the ruling.

Alistair Kelman, a barrister and legal counsel specialising in IT cases, has been tracking the case and has uploaded a copy of the judge's decision to his website .

Kelman, who is a presenter on Infosecurity's webinar programme, says that the case is interesting as it was the first time that a case has reached the judgement stage in the court.

"The judge in the case made his decision, but has not stated that it acts as a precedent for future cases. He stated his decision has no wider significance and this could clear the way for future legal action involving allegedly cloned cards", he says.

What’s Hot on Infosecurity Magazine?