PIN's and credit cards.
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Sat, 16 Nov 2002 17:00:06 +0000
> In the Netherlands we have had many years of experience with ATMs in shops;
> fraud has only recently become rampant
There was an earlier wave about ten years ago. Here's the summary
from my book:
Another nice example comes from the world of cash machine fraud. In
1993 and 1994, Holland suffered an epidemic of `phantom withdrawals';
there was much controversy in the press, with the banks claiming that
their systems were secure while many people wrote in to the papers
claiming to have been cheated. Eventually the banks were shamed into
investigating the claims properly, and noticed that many of the
victims had used their bank cards at a certain filling station near
Utrecht. This was staked out and one of the staff was arrested. It
turned out that he had tapped the line from the card reader to the PC
which controlled it; his tap recorded the magnetic stripe details from
their cards while he used his eyeballs to capture their PINs.
The reason this guy got caught is that the student union of the
University of Twente invited me to be a guest in a debate on phantoms
with a bank spokesman in 1993, and the media took the view that the
bank came second (e.g., Elsevier, 14 Aug 1993).
> I believe that in the Netherlands banks no longer stand a chance of
> winning against customers in cases like these to the point that
> they're not even trying anymore.
Not at all. In May 2001 I was consulted by the Dutch consumer
programme Radar, which has done a series of stories about ATM fraud.
Their description of the Dutch system is just like the English one: on
paper, you have rights (banking code, ombudsman etc) but in practice
you don't:
> In the Netherlands the conditions for the consumers are essentially
> good: the bank has to prove the fact that the consumer has been
> violating his vow of security. In actual practice the fact that the
> thief has used the right pincode is enough proof for the banks.
> Consumers who do not agree have the possibility to go to a
> conciliation board. This board shares the opinion of the banks that
> cracking or calculating the pincode is impossible, the possibility of
> fraud is indiscussible.
>
> Consumers who want to try to bring their cases directly to court, are
> rejected and sent back to the conciliation-board. The decision of the
> board is absolute, therefore the path to the regular judge is cut
> off. We are still trying to get this matter to an independent judge,
> but it appears to be a long and difficult traject.
I was able to point out to them that after the Utrecht fraud was
reported in the press, the director of the Nederlandse Vereniging van
Banken admitted that fraud can happen, in `Banken beginnen Campagne
voor correct gebruik pincode', (R de Jong, Parool 16/2/94).
Ross