Man loses C&P Phantom Withdrawl case

Nicholas Bohm nbohm at ernest.net
Mon Jun 8 10:25:06 BST 2009


David Biggins wrote:
>> -----Original Message-----
>> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
>> bounces at chiark.greenend.org.uk] On Behalf Of Nicholas Bohm
>> Sent: 06 June 2009 11:04
>> To: UK Cryptography Policy Discussion Group
>> Subject: Re: Man loses C&P Phantom Withdrawl case
>>
>> "20. I do not accept the Claimant’s proposition that each step in the
>> process has to be expressly demonstrated. I do think that the absence of
>> a history of successful fraudulent attacks on online chip and PIN
>> transactions, and the absence of any evidence of systems failure, as
>> showing that these were transactions that can be taken at face value,
>> (both of which are supported by the evidence of Mr Baker and Mr Brown),
>> are important pieces of evidence from which it is open to the court to
>> draw the inference that these were transactions that took place using Mr
>> Job’s card and his PIN. That is a conclusion that I do reach in this
>> case."
> 
> I'd suggest that the other important bit of this ruling is 19 and 21:
> 
> "19...  I mention those matters merely to emphasise that this is certainly not a test case, and has no wider forensic importance..." 
> 
> "21.  Although I have found the evidence, including that of the surrounding circumstances, enables the bank to prove their case, I do repeat that the decision has no wider significance.  It is a decision of one Judge in the county court on the evidence that he has heard and considered.  I do add this warning, however:  In other circumstances and without surrounding evidence, the court might give weight to 2 matters in particular:  Firstly the bank had and retained more detailed information from which the course of the transaction could be traced, but destroyed it after 180 days (in this case even after a dispute had arisen).  I do not expect that the argument that the bank should develop the means to produce the card unique key, and should also produce it, will ever gain much purchase, but in other cases the failure to preserve evidence in its complete initial form may be held against a bank.  Secondly, I do accept the caution of Mr Mason, echoing Professor Tapper, against the assumption that a computer system is necessarily working properly.  The absence of relevant operational problems at the material time, and statistical evidence more carefully marshalled and demonstrated than by the witnesses here, could be a helpful and in some cases a necessary component of a bank's case."
> 
> The judge appears to go out of his way to avoid any expectation that his verdict in this case should set any general precedent for future cases, and indeed to create an expectation that in future cases (and in the absence of other similar "surrounding circumstances"), the banks might be expected to produce the original ARQCs, and to meet a higher standard of evidence and presentation than they were able to do in this case.
> 
> As I understand it, no precedent is established that the absence of evidence of attacks on the system actually represents an absence of attacks, and it clearly highlights the failing of a system that destroys evidence after 180 days even if a dispute is in progress.

I agree that these paragraphs are helpful for the future; there are
certainly valuable lessons to be learned from this case.

Nicholas
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285    (+44 1279 870285)
Mobile  07715 419728    (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF


