ATMs

Links to video clips on Chip and PIN frauds from UK news programmes, academic papers, plus an article on the Job v Halifax decision by His Honour Judge Inglis - Hearing 30th April 2009 containing a copy of the official judgement and some background materials including the video of ATM Jackpotting.

And a brief note on medical security issues too

ATMs - Now and then - plus medical security issues

To put this in context please view this part of a BBC Watchdog programme broadcast from just a few years ago. Then watch this ten minute BBC Newsnight feature from February 2010 by Susan Watts which is linked to this published academic paper "Chip and PIN is broken"

Do bankers always tell the truth? Why not look at some historic video clips and make up your own mind.

ATMs prior to Chip and PIN - the legal position on PINs

In 1992/3 I was counsel in the Group Action against all the UK banks and building societies representing around 2000 plaintiffs and potential plaintiffs. At that time ATM cards had no security features such as Chip and PIN but were simply magnetic stripe cards and indeed one bank issued the same PIN to all its customers (see Page 202 of Professor Ross Anderson's Security Engineering First Edition ISBN: 978-0-470-06852-6).

This is the first part of the BBC Newsnight programme from 1992 made at the start of the case, It contains an interview with Dr Ross Anderson (as he then was) plus the transcript of an interview with Andrew Stone who was serving a prison sentence at the time for making false ATM cards. Note the interview with the now struck-off solicitor Denis Whalley (struck off for a £6.75 Million fraud) who continued working in the offices of Goldsmith Williams as a consultant after being struck off. And it appears that Mr Denis Whalley is now back offering legal services in Liverpool via his company Anderson Eden Ltd which milked the claimants in the Tainted Blood scandal a decade ago.

At the time, under the then professional rules of the Bar Council, practising barristers were not permitted to appear on television hence I was unable to say on screen what was really happening. However I spent a lot of time briefing journalists and their researchers. In May 1993 during this Group Action in a preliminary point of law I managed to get the banks to make the following formal admissions:

  1. A bank is not entitled to debit its customer's account unless it has the customer's mandate to do so;
  2. The normal rules of evidence apply and the burden of proof is on the bank to prove that all withdrawals had been made in accordance with the customer's mandate.
  3. A mere entry on a bank's computer system indicating that cash had been withdrawn by use of an ATM card and a PIN does not prove that a withdrawal had been made in accordance with the customer's mandate. There must be evidence showing that the PIN was entered by the customer in person.

This is still the law. In April 2009 in the Job case HBOS effectively admitted that the above position was still the law. However today the matter has been complicated by the technical issues which arise from Chip and PIN.

The technical issues in Job v Halifax

An interesting and significant case in respect of ATM withdrawals and the effect of Chip and PIN (personal identification number) technology was decided in Nottingham County Court by His Honour Judge Inglis. (Click here to download a PDF of the judgement of His Honour Judge Inglis. The judgement was handed down on 4th June 2009.)

Although the judge expressly stated that the case is not to be considered as a precedent, the case was carefully argued before him with respected expert witnesses and the judge gave a thorough and considered judgement. Consequently the case suggests the approach UK courts will take in similar cases - which again will be decided on the particular facts.

Alain Job sued U.K. bank Halifax Bank of Scotland (HBOS) in March 2007 over eight withdrawals made from his account in February 2006. Job maintained that he did not withdraw a cumulative £2,100 ($3,100). He also maintained he did not authorize anyone else to withdraw the money. Job decided to sue after the Financial Ombudsman Service (FOS), which mediates disputes between banks and customers, sided with HBOS.

Alain Job was an asylum seeker from Cameroon. He came to the UK in 2000 and was given rights to stay but was not permitted to work. He financially coped through the help of friends, charities and family. But owing to the UK immigration policy he led a fairly chaotic life and had to move around a lot. Following the Home Office's dispersal policy he was moved to Nottingham where he received some 350 hate mails that forced him to move back to Reading where subsequently his wife died.

Job was represented pro bono by Stephen Mason, a barrister who wrote the well regarded practitioners book on digital evidence "Electronic Evidence (2nd Edition)"

Prior to the hearing of the case I had a meeting with Stephen in which I set out some of the history of ATM litigation in the UK and thereafter with his agreement prepared a 17 page Witness Statement and 36 page Exhibit for use in the case if certain matters were not admitted by HBOS ( see below) and attended the trial in case I needed to be called in to give evidence. As matters turned out the points I addressed were not in issue in this case and consequently my witness statement and exhibit were not used by Mr Mason and did not form part of the material placed before the court. Stephen explained that had they been used, because the specific facts were finally not in issue in this case, he could have been liable for costs.

Alain Job was the first person to sue a U.K. bank over a phantom withdrawal since Chip and PIN has been deployed. One material possibility, raised by Stephen Mason, was that his card had been cloned. HBOS maintained that it was his exact card that was used to perform the withdrawals and consequently that either Job is knowingly trying to defraud the banks or was grossly negligent in handling his card and PIN .

HBOS, though their counsel, suggested that Mr Job had been careless with his cards noting the fact that he had been through nine cards in six years and, having discovered the disputed transactions on his last card, had not reported the matter by phone the same night but had waited until the following morning. Mr Job, in evidence, retorted that he thought the card fraud centre closed at 10.00pm and did not realise that it was a twenty four hour service. During the course of his evidence Mr Job admitted in respect of previous ATM cards that he had twice claimed that he had never received the card or the PIN and that consequently HBOS had paid up for withdrawals on these cards because the bank could not prove that Mr Job had received the cards and PIN. He also admitted, at one point during testimony, to putting his ATM card at night under a kettle barbecue griddle drum in his garden for some inexplicable reason. Although it was not commented on by anyone at the trial the only inference that could reasonably be drawn from this action was that Mr Job was concerned that someone in his house knew his PIN and could therefore have been making unauthorised withdrawals on his account. He also said, in evidence, that having discovered the disputed transactions on his last card (nearly £3,000) when checking his balance at a shopping centre he had not mentioned this loss to his daughters who were with him at the time - wanting allegedly instead to check the facts before raising the matter. This evidence, coupled with the kettle barbecue griddle drum evidence, gave rise to an implication that Mr Job did not trust the people around him and believed that his PIN may have been known by others.

As can be seen from the case report His Honour Judge Inglis accepted printouts from log files to show that Job's real card had been used for the transactions even though the log files are secondary evidence and do not necessarily prove that Job's card had not been cloned. The log files comprised of information that was sent by the ATM about a transaction to the bank's record system. Inexplicably two primary pieces of evidence once held by Halifax were destroyed, including Job's ATM card and the ARQC (Authorization Request Cryptogram), a piece of information generated from the encryption keys on the card that interacts with the bank's back-end systems, The ARQC would have shown whether the card's chip has been read by the machine. The lack of an ARQC record raised the possibility that it never existed in the first place and that a cloned card was used or just a cloned card with a magnetic stripe. HBOS failed to present other primary evidence namely the records from the ATM used in the transactions and by the time that Stephen Mason became involved in the case it was too late to require the production of this information by HBOS.

Of key interest was the fact that UK ATMs can be made to default to read the magnetic stripe if the chip is defective and thereby allow a transaction to go through. Because HBOS was relying upon secondary evidence it was not completely clear whether the ATM in question had defaulted in this manner - there was a clear lack of forensic computing evidence which could have established the fact conclusively. In the printout the expert from HBOS said that the highlighted '04' bytes meant that the transaction had been validated against a Chip. But this statement could not be checked by the defence experts who were not given access to the systems that generated the '04' bytes. Nor were the defence experts given anything other than a description of the validation system in the vaguest of terms.

None of the technical evidence presented suggested that criminals currently can clone a microchip for a chip-and-PIN card, although this has been done by security researchers.

What was of specific interest is that it was admitted that chip and PIN frauds are taking place because cards are being cloned without the chip and then used in countries where their ATM cards have not yet implemented the Chip and PIN technology. The judge mentioned in the course of the hearing that he too had had his ATM card cloned and used "to buy pizzas in Essex" adding that he had not been to Essex in decades.

Conclusions from 2009

This judgement by a thoughtful judge bears careful scrutiny. Some sunlight has been shone on the inner workings of banking security practices and many lawyers now know what to look for. One key difficulty for anyone wishing to litigate against a UK bank has been the risk of the bank seeking costs against them - and pursuing the matter into the ground with attachments of earnings, charges on homes etc. Mr Alain Job was therefore, in some respects, the ideal claimant, someone who had no assets, lived in rented accommodation and by law was not allowed to take paid employment. In making his order the judge ordered that Mr Job paid £15,000 towards HBOS costs but this order will never be satisfied because there are no assets which could be attached.

A prudent banker should look at this judgement and make some changes to domestic banking procedures. All primary electronic evidence such as the ARCQ needs to be systematically retained in archival form so that it could be produced if required. All ATMs should have their daily records archived for a similar reason. And there is no good reason why a pinhole digital camera should not be built into all ATMs with the photos stored with the records - storage costs today are minimal, the kit is dirt cheap and any data protection/privacy issue is false (because the archival copy would and could only be used in preventing or prosecuting crime).

There have been unsubstantiated rumours for some years about a program called Bergamot which allows a criminal to get the PIN from an ATM card - in other words extract it from the cryptographic version stored on the card for use in off-line transactions. It is well known that the PIN is stored in encrypted form on modern ATM cards - check for yourself when you use your card in any terminal, the machine validates your PIN as being OK far too quickly for it to actually be performing this task online.

There is a rumour that from 2005 onwards UK banks accidentally created the current problem with Chip and PIN cards by selling their old non-Chip and PIN machines not as scrap but as viable units for use in the banking systems of developing countries such as Sri Lanka. What followed therefore was highly predictable - the cloning of ATM cards (without their Chip) and using them to withdraw money from UK accounts over the international banking system. This was the means whereby the Tamil Tigers funded much of their terrorist organisation.

Following the case Stephen Mason has put some very relevent and useful notes on his website. setting out the issues and making practical suggestions on what to do if you believe that you have suffered an ATM fraud. They can be found here and here.

It seems probable that one day soon organised criminals will be able to clone a Chip and PIN ATM card - if they have not already done so. And then the banks will, once again, have a real problem with no instant technical solution short of turning off their ATM network and requiring customers to only withdraw money from bank branches.

The future may lie with RFID chips and mobile phones. Mobile phones can corroborate transactions through location information based on GPS and IP address. If a mobile phone replaced the ATM card and withdrawals could be performed only by placing an RFID phone near an ATM then cell site analysis (plus E911 and E112 compliance) would greatly limit the scope of fraud against banks. But such a secure deployment needs investment and good Fintech staff.

ATM Jackpotting from 2009

But in the interim "ATM Jackpotting" is becoming a reality. Take a look at this video from Blackhat USA 2010 . The researcher was going to demonstrate this vulnerability in 2009 but he was persuaded to delay it by pressure from ATM manufacturers.


Barnaby Jack, a researcher at security firm IOActive, demonstrates hacking ATMs from Triton and Tranax - both of which run on Microsoft's Windows C.

To 'jackpot' the Triton machine he used a key available for sale online to open it up and install a USB containing malware which forced it to spew out all its notes.

The Tranax ATM was hacked through a vulnerability in its remote monitoring system which enabled him to exploit software that uses the Internet or phone lines to take control of it. He then uploaded code forcing the machine to spit out all of its cash and letting him view administrative passwords and account PINs.

"I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat," says Jack.

Medical security issues

At the McAfee FOCUS 11 conference in October 2011 in Las Vegas, while working for McAfee Security, Jack first demonstrated the wireless hacking of insulin pumps, one worn by a diabetic friend and another of the same model on a bench set up for demonstration. Interfacing with the pumps with a high-gain antenna, he obtained complete control of the pumps without any prior knowledge of their serial numbers, up to being able to cause the demonstration pump to repeatedly deliver its maximum dose of 25 units until its entire reservoir of 300 units was depleted, amounting to many times a lethal dose if delivered to a typical patient.[9]

At the RSA Security Conference in San Francisco in February 2012, using a transparent mannequin he demonstrated that he could wirelessly hack the insulin pump from a distance of up to 90 metres using the high-gain antenna. In 2012 Jack demonstrated the ability to assassinate a victim by hacking his pacemaker, a scenario first explored in fiction, and meeting with some disbelief, on the TV series Homeland. In his blog post "Broken Hearts", Jack wrote that the hack was even easier than portrayed: "TV is so ridiculous! You don't need a serial number!"[11] Jack demonstrated delivering such a deadly electric shock live at the 2012 BreakPoint security conference in Melbourne. Jack died a week before he was to give a presentation on hacking heart implants at the Black Hat 2013 conference scheduled to be held in Las Vegas. In a June 2013 interview with Vice, Jack outlined his presentation:[3]

Barnaby Jack, the director of embedded device security for computer security firm IOActive, developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. He also came up with a system that scans for any insulin pumps that communicate wirelessly within 300 feet, allows you to hack into them without needing to know the identification numbers and then sets them to dish out more or less insulin than necessary, sending patients into hypoglycemic shock or ketoacidosis[3]

In his presentation, Jack was set to outline vulnerabilities in various medical devices, as well as give safe demonstrations of attacks with which there is "certainly a potential health risk".[3]

Unfortunately before he could give the presentation Jack died of an accidental drug overdose.