How ATM fraud nearly brought down British banking
R.A. Hettinga
rah at shipwright.com
Sat Oct 22 01:58:52 EDT 2005
--- begin forwarded text
Date: Sat, 22 Oct 2005 01:58:34 -0400
To: Philodox Clips List <clips at philodox.com>
From: "R.A. Hettinga" <rah at shipwright.com>
Subject: How ATM fraud nearly brought down British banking
<http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/print.html>
The Register
Biting the hand that feeds IT
The Register » Security » Identity »
Original URL: http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
How ATM fraud nearly brought down British banking
By Charles Arthur (feedback at theregister.co.uk)
Published Friday 21st October 2005 09:52 GMT
This is the story of how the UK banking system could have collapsed in the
early 1990s, but for the forbearance of a junior barrister who also
happened to be an expert in computer law - and who discovered that at that
time the computing department of one of the banks issuing ATM cards had
"gone rogue", cracking PINs and taking money from customers' accounts with
abandon.
The reason you're hearing it now is that, with Chip and PIN cards finally
in widespread use in the UK, the risk of the ATM network being abused as it
was has fallen away. And now that junior barrister, Alistair Kelman, wanted
to get paid for thousands of pounds of work that he did under legal aid,
when he was running a class action on behalf of more than 2,000 people who
had suffered "phantom withdrawals" from their bank accounts. What you're
about to read comes from the documents he submitted last week to the High
Court, pursuing his claim to payment.
"Phantom withdrawals" were a big mystery when the banks and building
societies began to join their ATM networks together in the 1980s. Kelman at
that time was a barrister (who argues cases in front of a judge, rather
than only slogging away in legal chambers) specialising in intellectual
property law. He got interested in computing in the 1980s when the National
Computing Centre asked him to advise the Midland Bank on its computer
system.
What quickly became clear was that the law needed a system to provide proof
that events had happened so that legal cases could be made. You might say
that "the computer debited the account", but to a barrister (and more
importantly, a judge) that's not enough. Did the computer do it at random?
In that case it's like a tree branch falling - an accident. Or did a person
program it to do so? In which case the person must be able to testify about
the precise circumstances when a debit could happen. Sounds daft, but the
law rests on proving each step of an argument irrefutably.
In February 1992 Kelman got a call from Sheila MacKenzie, head of the
Consumers' Association (which publishes Which? magazine), who said that
members were complaining by the dozen about phantom withdrawals, and was he
interested? Kelman was, and met MacKenzie, with two of the association's
members, Mr and Mrs McConville from Liverpool, who had had a number of
phantom withdrawals from their Barclays account. They already had a
solicitor, but needed someone with computer expertise in the law to make
their case. Kelman at this time was able to charge £1,750 per hour - each
hour being broken into six-minute chunks. Oh, and don't forget VAT too.
That's £206.62 per six minutes.
He showed his value pretty quickly, pointing out that banks must have a
legal mandate to debit someone's account. If they take it away from a
customer without a mandate, they must refund it. So the legal point of
phantom withdrawals hinged on the question: if a PIN is typed into an ATM
with a card that matches an account number, is that a mandate by the
customer for the bank to debit their account?
As long as you didn't breach the terms of the contract by leaving your card
lying around (which would give implicit authority for use), then you, as
the customer, could simply say that the withdrawal was not mandated, and
demand your cash back.
How could the banks respond? They'd have to give all the phantom withdrawal
money back where they could not show that the customer had typed in the PIN
- unless, that is, they claimed that their systems were infallible. Yes,
only by going where no computer system had ever gone before could the banks
deny that phantom withdrawals were (1) taking place and (2) their
responsibility to refund.
You'd think it would be open and shut. You haven't dealt much with banks,
have you? Kelman took the case on legal aid and decided to bundle up more
than 2,000 peoples' cases into a single class action against all the high
street banks taking part in the ATM network. He trawled newsgroups for
information on how crackers might decode ATM cards.
He also met two key people in the course of his research. The first, early
on, was Andrew Stone, an ex-con who had been done for fraud, who claimed to
had taken £750,000 from ATMs by combining techniques such as
shoulder-surfing and grabbing receipts from ATMs (which in those days often
had the full account number on them). Stone - who was soon back in prison -
was proof in himself that criminals could make "phantom" withdrawals.
Professor Ross Anderson (http://www.cl.cam.ac.uk/users/rja14/), a
cryptography and security expert who was an expert consultant to Kelman on
the case, explains: "Stone had been working with building access systems
using cards with magnetic stripes, and one day he thought he'd see what it
could read of his ATM card. Then he tried it with his wife's." Stone
figured that the stream of digits was probably an encrypted PIN.
"Then, because you can change the content of the magnetic strip, he
wondered what would happen if he changed the number on his card to match
his wife's. He found he could get money out using his old PIN." The high
street bank Stone used (The Register knows which one) had not used the
account number to encrypt the PIN on the card - meaning that any card for
that bank could be changed and used to make withdrawals on any other
account in it, providing you knew the right details (such as branch sort
code and account number. The name of the card holder of course was
unimportant, because it was not on the stripe.)
"After that," says Professor Anderson, "it was just a question for Stone of
collecting as many account numbers as he could." Until the police caught up
with him, at least.
In September 1992 Kelman met a woman he called the "Lotus Lady", because
she worked for Lotus at a time when he was considering buying some
groupware to organise the rapidly-growing class action; he had already put
the names and other details of all the litigants into a relational database
to search for patterns in victims and withdrawals. The Lotus Lady was
interesting because her ATM card didn't debit her account. It gave her
money, but heaven knew where from.
Kelman thought for a moment and realised that there must be thousands of
such cards - and after a little more thought, how it had happened.
How could there be thousands of such cards? Because the chances of any two
random people meeting in the UK population at that time were 25 million to
1. For one of them to have the only card in existence that debited other
peoples' accounts was absurd. He'd been on the case for six months, met -
say - 3,000 people through it - and one of them had such a card. The odds
only work if thousands of people are walking around with cards like that,
or potentially could be. They had the wrong magnetic stripe on the card:
the front was embossed with the holder's details, but the account and PIN
encrypted on the stripe pointed somewhere else. How wouldn't that be
spotted?
Simple: dummy accounts. To do their testing in an environment where the
bank systems had to work all the time, the computing teams set up a
parallel universe of dummy banks, dummy branches and dummy accounts. But
they generated real ATM cards for them, and could take out real money -
authorised by the banks. Some people were getting dummy cards.
But equally, Kelman saw, it would be possible for a "rogue" computing
department to start tweaking the cards to take money from innocent
customers.
By this time the legal process was underway. Kelman had issued (but not
served) a writ on the banks in July 1992. Four days later four men appeared
in court following the seizure by police of more than 200 forged ATM cards
in Sydenham, south London. Even so, the banks refused to deal.
In August 1992 the writ was served. The banks suggested that the class
action shouldn't be a class action, but should be 2,000 small claims
actions. Divide and conquer, of course.
Things ground on, until in April 1993 the banks - through the Association
of Payment Clearing Services, Apacs - changed their rules. Customers would
only be liable for the first £50 of any disputed or "phantom" withdrawals;
the sum could be waived completely if the customer had a good enough case
that they had not given away their PIN. This effectively killed the ATM
class action, because the banks had accepted liability - in a roundabout
way.
The Writ that Kelman had served on the banks was then wrapped up in a
two-day hearing in May 1993, in which the solicitors for the banks were
obliged to stand up and admit one by one that their systems were not, after
all, infallible.
On 22 June 1993, Judge Hicks gave judgement, mostly in favour of the motion
by Kelman, who expected the banks to simply settle.
But a few days later Kelman heard something that worried him deeply. The
computing staff at one bank - the Rogue bank - had discovered through the
dummy accounts how to fix the PIN generator so that it would only generate
three different PINs in all the PINs issued. By creating a number of dummy
accounts and getting new PINs issued for them, they could capture the
sequence. Then all that was needed was to recode the cards so they would
point to different account numbers, try the three PINs (ATMs gave you three
chances) and they were away.
This "gave me major concern," says Kelman. "The security of the entire ATM
network upon which the UK banking system was based was predicated on nobody
knowing your PIN." He could see that if this reached the media, people
would begin comparing PINs, and on finding identical ones would tell
others, and the security system used by the banks would collapse overnight.
Then there would be a dramatic run on the banks
(http://www.globalear.com/index.cfm?sector=news&page=read&newsid=260) as
everyone tried to take their money to a safer place, such as under the
mattress.
And there wasn't time for the banks to fix the problem if anyone went
public with it. Their MTBU was too short. MTBU? That's "Maximum Time to
Belly Up", as coined by the majestic Donn Parker of Stanford Research
Institute. He found that businesses that relied on computers for the
control of their cash flow fell into catastrophic collapse if those
computers were unavailable or unusable for a period of time. How long? By
the late 1980s it had fallen from a month to a few days. That's not a good
thing; it meant that a collapse of the computers that any UK clearing bank
relied on would destroy it in less than a week.
After dwelling on the problem for 48 hours, Kelman finally decided there
was only one way out: use the Bank of England's "show and tell" session,
held secretly every month, where banks had to own up to their
vulnerabilities, so that risks to the British economy could be identified.
Kelman suggested the creation of an "Office of ATM Security", which would
deal with any complaint of phantom withdrawal, and analyse it on a
time-and-geography database, and get the customer to give their PIN, which
would be encoded on a one-time cipher and compared with previous records.
Details of customers with identical PINs would point the police to further
lines of inquiry. Anthony Scrivener - lately appointed defence counsel to
Saddam Hussein - was strongly behind this.
But before he could do this, Kelman was dismissed from the case by the
solicitor representing the McConvilles, who had originally hired him. They
wanted to pursue the case to the bitter end, rather than get the settlement
Kelman felt was in the offing.
Kelman was stuck. He couldn't say what he had learned; it would leak. He
couldn't complain to the Law Society or Bar Council; it would leak. He
couldn't tell the banks, because he had no authority now, having been
de-instructed. So he drew up his fee note. It was a lot less than he could
have earned in the City, he says.
"Fortunately for the UK banking system and the British people, nobody else
did discover what I found about the activities of the Rogue Bank," Kelvin
notes. Two years later, though, he had corroboration of what he had learnt:
"the computing staff at the [Rogue] bank were completely out of control and
engaged in multiple frauds."
He reckons that his fees - just shy of £200,000 over 15 months - probably
"saved the UK banking system", and that by using his database suggestion,
the UK banks could have saved £200 million over the past 12 years.
And why is he telling this explosive story now? Because chip and PIN has
been deployed across the UK ATM network. "The vulnerability in the UK ATM
network was still there to be exploited - if someone had chanced upon it."
Only now, with chip and PIN widely deployed, does Kelman feel that the risk
of subversion of the PIN system, "as performed by the computing staff of
the Rogue Bank" (his capitals) "been eliminated". (Professor Anderson
agrees, but says many other loopholes remain.) Kelman thinks that during
the 1990s, "the UK banking system was gravely at risk of collapse at all
times because of this substantial security flaw."
Apacs said it was unaware of Kelman's case and so had no comment on
Kelman's allegations. Link, which operates the UK's largest ATM network,
had no comment ahead of this story.
And the price of silence? He could not take silk - that is, become a QC
(Queen's Counsel, the highest level of barrister) - because he felt he
could not talk about the risks to the UK banks.
But the real losers, he suggests, are the McConvilles, "an ordinary
working-class couple whose money was stolen from them by criminals at [a
high street] Bank." They're now dead. But any time that you, or someone you
know, has money siphoned from their account by a cloned card you have the
McConvilles to thank when it's repaid.
Other links: Phantom withdrawals page
(http://www.cl.cam.ac.uk/~mkb23/phantom/) (Prof Ross Anderson)
Related stories
£200K card skimming gang caged (12 August 2005)
http://www.theregister.co.uk/2005/08/12/atm_scam_gang_jailed/
Too many ATMs are exposed to fraudsters, warns Gartner (5 August 2005)
http://www.theregister.co.uk/2005/08/05/out-law_at_scams/
Banks warned over m-commerce security peril (22 July 2005)
http://www.theregister.co.uk/2005/07/22/m-banking_security_risks/
The chip and PIN insecurity card (20 December 2004)
http://www.theregister.co.uk/2004/12/20/pin_security_warning/
Citibank gags crypto researchers (24 February 2003)
http://www.theregister.co.uk/2003/02/24/citibank_gags_crypto_researchers/
How to get an ATM PIN in 15 guesses (21 February 2003)
http://www.theregister.co.uk/2003/02/21/how_to_get_an_atm/
French credit card hacker convicted (26 February 2000)
http://www.theregister.co.uk/2000/02/26/french_credit_card_hacker_convicted/
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list