More analysis on the ATM phantom withdrawal court case ruling

According to Kelman, the report was compiled with the assistance of Stephen Mason, the barrister acting for Alain Job in the case, and the report contains links to Mr Mason's comments on the case as well.

Kelman suggests that the ruling in the Job vs Halifax case does not preclude further legal actions by bank customers who encounter so-called phantom withdrawal situations with their accounts.

By agreement with Mason, Kelman prepared a 17 page witness statement and a 36 page exhibit for use in the case if certain matters were not admitted by the bank.

Kelman told Infosecurity that the points he raised in his statement and exhibit were not an issue in the case and, as a result, his presentations were not laid before the court.

A material possibility, he says - and one raised by his barrister - was that Job's card had been cloned.

The bank, says Kelman, maintained that it was Job's exact card that was used to perform the withdrawals and consequently that "either Job is knowingly trying to defraud the banks or was grossly negligent in handling his card and PIN."

According to Kelman, in the early 1990s he was legal counsel in a group action against all the UK banks and building societies over the use of PIN-based cards, representing around 2000 plaintiffs and potential plaintiffs.

The crucial aspect of the 1992/3 case was that a 'mere entry' on a bank's computer system indicating that cash had been withdrawn by use of an ATM card and a PIN does not prove that a withdrawal had been made in accordance with the customer's mandate.

There must, he says, be evidence showing that the PIN was entered by the customer in person.

"This is still the law", he says, adding that in this latest case, the inexplicable fact was that two primary pieces of evidence once held by Halifax were destroyed, including Job's ATM card and the ARQC (Authorisation Request Cryptogram), a piece of information generated from the encryption keys on the card that interacts with the bank's back-end systems.

The ARQC, says Kelman, would have shown whether the card's chip had been read by the machine.

The lack of an ARQC record, he adds, raised the possibility that it never existed in the first place and that a cloned card was used, or just a cloned card with a magnetic stripe.

"None of the technical evidence presented suggested that criminals currently can clone a microchip for a chip-and-PIN card, although this has been done by security researchers," he notes.

Against this backdrop, Kelman says that it seems probable that one day soon organised criminals will be able to clone a Chip and PIN card.

"And then the banks will, once again, have a real problem with no instant technical solution short of turning off their ATM network and requiring customers to only withdraw money from bank branches."
