We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,821 News Articles

Halifax lawsuit challenges chip-and-pin security

Customer fights bank over 'phantom' withdrawal

A UK man will face banking giant Halifax next week in court after he sued over the loss of £2,100 from his account via a cash machine.

Alain Job, an immigrant from Cameroon, saw the money disappear from his account but maintains he always had his card in his possession and didn't make the withdrawal. He took his complaint to the Financial Ombudsman Service, which mediates disputes between banks and customers, but lost in early 2007.

Job decided to sue over the phantom withdrawal, marking the first legal case in the UK challenging what banks contend is a strong security system designed to prevent card fraud, said Ross Anderson, a security engineering professor at the University of Cambridge. Job's case will be heard in Nottingham County Court on April 30.

Job could not be immediately reached. An expert witness who is scheduled to testify next week said he and Job can't publicly comment on the lawsuit so as to not unduly influence its outcome.

Job's case brings into question the security of the chip-and-PIN card system introduced throughout Europe several years ago after widespread card fraud. Rather than using a signature to complete a transaction at a merchant, a person must enter a four-digit PIN, which is verified by a cash machine or point-of-sale terminal through the card's microchip.

But Anderson - who has been a very vocal critic of chip-and-PIN - as well as other security researchers at Cambridge have highlighted several technical flaws with the system that could explain how Job lost his money.

Anderson and Nicholas Bohm, a retired lawyer, submitted a paper earlier this year detailing how chip-and-PIN could be subverted as part of a review of the Financial Ombudsman Service.

Cash machines use verification mechanisms to ensure a particular card hasn't been cloned, but in some cases those checks can be bypassed. Some cash machines will read account data off a card's magnetic strip if the chip isn't working.

Also so-called 'yes' cards can be created that can perform a transaction with any PIN if a particular machine is allowed to authorise transactions without connecting back to the bank, according to the paper. Researchers have also proven it is possible to obtain a secret key off of a chip that computes a transaction certificate that would indicate the card is legitimate to a cash machine even though it's faked.

Halifax maintains it has evidence that Job's real card was used at a cash machine, although the bank has not yet revealed those details, Anderson said.

Technical details aside, Anderson said UK banks have put blind faith into their security technology and pushed the liability for losses back on unknowing customers.

"When the banks designed the chip-and-PIN system, they thought they would dump the risk of fraud on others," Anderson said.

In the US, the responsibility lies with the banks to prove the customer is at fault or they must refund the money, Anderson said. In the UK, the process is much more opaque, with the Financial Ombudsman Service tending to side with banks, according the paper.

"It's really important that we move away from the UK approach of letting the banks claim the system is secure," Anderson said.

Job's court date next week has the potential to change how banks must address fraud. "This case could make a difference," Anderson said. "We don't know which way it is going to go."


IDG UK Sites

5 things we want to see in Android M: New features and fixes

IDG UK Sites

iPad mini 3 release date rumours: 'iPad mini Air' will be 30 percent thinner than current model

IDG UK Sites

Introducing generation tech

IDG UK Sites

This animated film reveals the importance of designing for everyone