Judge sides with UK bank in 'phantom withdrawal' case

IDG News Service — Thu, 04 Jun 2009 10:17:16 -0400

A U.K. judge ruled Thursday in favor of U.K. bank Halifax after it was sued by a man who claims he did not make eight ATM withdrawals from his account.

It's the first time someone in the U.K. has sued over "phantom withdrawals," where people say money has been withdrawn from their accounts via ATMs despite believing their card and card details are secure.

Alain Job claims he lost a cumulative £2,100 (US$3,100) from his account in February 2006. He sued after his attempts to reach a settlement with Halifax failed to result in a refund. A one-day trial commenced in Nottingham County Court on April 30. Job believes his ATM card could have been cloned and used to withdraw the money.

Job will likely file an appeal. "We are going to study the decision of the judgment," Job said. "We will see what is the right strategy for us."

Europe uses chip-and-PIN (Personal Identification Number) cards, which have an embedded microchip. Users must enter a PIN during a transaction.

Job's attorney, Stephen Mason, said the judge accepted printouts from log files to show that Job's real card had been used for the transactions.

Mason, who specializes in digital evidence collection and has written about ATM fraud, said log files are secondary evidence and do not necessarily prove that Job's card hasn't been cloned. The log files comprise information that is sent by the ATM about a transaction to the bank's record system.

Two primary pieces of evidence once held by Halifax were destroyed, including Job's ATM card and the ARQC (Authorization Request Cryptogram), a piece of information generated from the encryption keys on the card that interacts with the bank's back-end systems, Mason said. The ARQC shows whether the card's chip has been read by the machine.

Since Halifax said the ARQC had been destroyed, it's possible it never existed in the first place. "Arguably, if there was no ARQC, it's possible that a cloned card was used or just a cloned card with a magnetic stripe," Mason said, adding that he accepts that there are no known cases of cloned chip-and-PIN cards.

Halifax also failed to present other primary evidence: the ATNM machine records.Mason said he became involved in Job's case as it was progressing, and it was too late to request that information from Halifax in time for the trial due to how U.K. court procedures work.

The magnetic stripe of ATM cards can be copied. Often, thieves will copy the stripe, create a cloned card and use it in ATM machines in countries that do not verify the presence of the microchip, such as in the U.S. or Eastern Europe. Even with chip-and-PIN ATMs, some of those machines will default to read the magnetic stripe if the chip is defective and allow the transaction to go through.

It's not believed that criminals have figured out yet how to clone a microchip for a chip-and-PIN card, although it has been done by security researchers. But Mason said "it's highly probable that thieves are trying." The U.K. card payments association APACS does not believe cards have been cloned yet by criminals.

Job said he was alarmed when he noticed money missing from his account. He said one of the transactions he disputed occurred around 10:50 p.m. on a night when he was sitting in his living room watching the news with his wallet and card in his pocket.

"The card could not have been stolen," he said.