PIN's and credit cards.

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Sat, 16 Nov 2002 14:27:17 +0000


> As for the ATM cash withdrawal problem mentioned by Bettina, there has been
> a lot of progress here in the UK to improve security (for the card holder as
> well as for the banks) at ATMs.

That's not my observation. We're back to the pattern of the early 1990s
with rapidly rising ATM fraud, and banks fobbing off customers by
claiming that transactions could not possibly have been made without a
card and PIN.

I'm acting as an expert in one particularly gross case, in which a
man's card was copied (almost certainly by a bank insider) and used
to make 199 transactions over a weekend in London, of which 194 were
successful and netted over £50K. The bank is suing him for the money
on the grounds that its systems are secure, and the judge is letting
the case go ahead. In another matter, Barclays is having a man
prosecuted for attempted fraud after £12K of disputed transactions;
they say that since the card now has a chip in it, it can't be
hacked.

All over the world, it seems, the level of ATM fraud is rising fast.
I get emails from everywhere from Ireland to New Zealand from folks
who find huge strings of debits on their bank statements and get
nowhere when they complain.

I agree that the introduction of PINs at the point of sale is foolish
and that its main effect is going to be to dump the fraud risk on
the poor customer.

I expect I'll have a lot more to say about all this over the next
few months. We've discovered some interesting new vulnerabilities
in ATM systems, and they'll be disclosed at an appropriate point in
the proceedings.

Ross