How ATM Fraud Nearly Knobbled British Banking


A Register story that would make your hair curl. It covers both the bent IT department of "a major UK High Street Bank" that was tapping into people's bank accounts by tweaking the allocation of PIN numbers. And the lawyer who fought the banks apparently charges £1,750 per hour (plus VAT), which is more than most readers of TW (I refrain from saying all). I quote below the meat of how it's done, as it is a bit buried in the article. Anybody heading for a cashpoint this weekend?

They say that the introduction of the "new" chip and PIN cards has solved the problem. Like the ill-fated Enigma machine, the banks believe their system is infallible. Anyone that deals with computer systems knows that there is always a way in, if you have the time and inclination.

The Lotus Lady was interesting because her ATM card didn't debit her account. It gave her money, but heaven knew where from. Kelman thought for a moment and realised that there must be thousands of such cards - and after a little more thought, how it had happened. How could there be thousands of such cards? Because the chances of any two random people meeting in the UK population at that time were 25 million to 1. For one of them to have the only card in existence that debited other people's accounts was absurd. He'd been on the case for six months, met - say - 3,000 people through it - and one of them had such a card. The odds only work if thousands of people are walking around with cards like that, or potentially could be. They had the wrong magnetic stripe on the card: the front was embossed with the holder's details, but the account and PIN encrypted on the stripe pointed somewhere else. How wouldn't that be spotted?

Simple: dummy accounts. To do their testing in an environment where the bank systems had to work all the time, the computing teams set up a parallel universe of dummy banks, dummy branches and dummy accounts. But they generated real ATM cards for them, and could take out real money - authorised by the banks. Some people were getting dummy cards.

The computing staff at one bank - the Rogue bank - had discovered through the dummy accounts how to fix the PIN generator so that it would only generate three different PINs in all the PINs issued. By creating a number of dummy accounts and getting new PINs issued for them, they could capture the sequence. Then all that was needed was to recode the cards so they would point to different account numbers, try the three PINs (ATMs gave you three chances) and they were away.
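The attack the quoted passage describes, as an added simulation that is not from the Register article or from any bank's real systems: a hypothetical keyed PIN generator whose output space can be collapsed from 10,000 PINs to three, an insider who opens dummy accounts to harvest the PINs it issues, and an ATM check that retains the card after three wrong PINs. The bank key, account numbers, balances and the PIN derivation are all constructed for illustration.

```python
"""Added simulation of the weak-PIN-generator attack described above.
Nothing here comes from The Register article or from a real bank: the
bank, the PIN derivation, the account numbers and the balances are all
constructed for illustration."""
import hashlib
import hmac

ATM_ATTEMPTS = 3  # the ATM gave the cardholder three tries before keeping the card


def derive_pin(bank_key: bytes, account: str, keyspace: int) -> str:
    """Hypothetical PIN generator: keyed hash of the account number, reduced
    to `keyspace` possible values and mapped onto a 4-digit PIN.

    keyspace=10000 models a healthy generator (any PIN is possible);
    keyspace=3 models the sabotaged one, which only ever issued three PINs.
    """
    digest = hmac.new(bank_key, account.encode(), hashlib.sha256).digest()
    index = int.from_bytes(digest[:4], "big") % keyspace
    # 3571 is coprime to 10000, so for keyspace=10000 this is a bijection
    # onto 0000..9999; for keyspace=3 it yields three fixed, distinct PINs.
    return f"{(index * 3571 + 1066) % 10000:04d}"


class Bank:
    """Constructed bank back end: accounts, PIN issue and ATM authorisation."""

    def __init__(self, keyspace: int):
        self.key = b"constructed-master-key"  # assumed per-bank PIN key
        self.keyspace = keyspace
        self.balances: dict[str, int] = {}
        self.failures: dict[str, int] = {}

    def open_account(self, account: str, balance: int) -> str:
        self.balances[account] = balance
        return self.issue_pin(account)

    def issue_pin(self, account: str) -> str:
        return derive_pin(self.key, account, self.keyspace)

    def withdraw(self, account: str, pin: str, amount: int) -> bool:
        """ATM authorisation: wrong PIN three times and the card is retained."""
        if self.failures.get(account, 0) >= ATM_ATTEMPTS:
            return False
        if pin != self.issue_pin(account):
            self.failures[account] = self.failures.get(account, 0) + 1
            return False
        self.failures[account] = 0
        if self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        return True


def harvest_pins(bank: Bank, n_dummy: int) -> set[str]:
    """Insider step: open dummy accounts and record every PIN the generator issues."""
    return {bank.open_account(f"DUMMY{i:04d}", 0) for i in range(n_dummy)}


def attack_account(bank: Bank, victim: str, candidates: set[str], amount: int):
    """Recode a card to point at `victim` (modelled as presenting the victim's
    account number) and spend the three ATM attempts on harvested PINs.
    Returns the PIN that worked, or None if the card was retained."""
    for pin in sorted(candidates)[:ATM_ATTEMPTS]:
        if bank.withdraw(victim, pin, amount):
            return pin
    return None


def run_demo(keyspace: int, n_dummy: int = 100, n_victims: int = 200):
    """Returns (distinct PINs harvested, victim accounts successfully debited)."""
    bank = Bank(keyspace)
    victims = [f"ACCT{i:06d}" for i in range(n_victims)]
    for victim in victims:
        bank.open_account(victim, 100)
    harvested = harvest_pins(bank, n_dummy)
    hits = sum(1 for v in victims if attack_account(bank, v, harvested, 10) is not None)
    return len(harvested), hits


if __name__ == "__main__":
    for keyspace in (10000, 3):
        distinct, hits = run_demo(keyspace)
        print(f"keyspace={keyspace:>5}: {distinct} distinct PINs harvested, "
              f"{hits}/200 victim accounts debited within {ATM_ATTEMPTS} tries")
```

With the healthy generator the insider harvests about a hundred different PINs from a hundred dummy accounts and the three-strike lockout does its job: three guesses against a 10,000-PIN space almost never succeed. With the sabotaged generator the dummy accounts reveal the whole keyspace after a handful of issues, and every recoded card gets in within the three permitted attempts, so the lockout is no defence at all. The point for a practitioner is that an attempt limit only protects a secret whose space is actually large, and that the test environment issuing live-authorised cards is what let the insiders enumerate that space.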


Good article

Now that the Chip and PIN system (which incidentally takes about 3-5 times longer per transaction than the previous system) is in force in the UK, is the US banking system still open to fraud?

The computer says No

I don't trust computers. I trust banks even less.
