back to article Judge backs Halifax in Chip and PIN clone case

Halifax, the UK retail bank, has scored a victory in a closely-watched 'phantom withdrawal' case that put the security of Chip and PIN on trial. Halifax customer Alain Job sued the bank after he was held liable for making eight disputed cash machine withdrawals from his account. Job was left £2,100 out of pocket from the …


This topic is closed for new posts.
  1. Wize


    All the evidence was held by one party in the trial (as its impossible for the other party to obtain it) and was junked by said party.

    Was that before or after the case was raised?

  2. Anonymous Coward
    Thumb Down

    Shifting Responsibility...

    I used to work for the Halifax and I got the distinct impression at the time that the introduction of chip and pin was conveniently used to shift responsibility from the banks to the cardholder. Basically it seemed that if there was a fraudulent transaction involving the PIN, if it was a chip and pin card they had a 'The customer must have done it or been negligent - not our fault' policy.

    I have read reports that the PIN on a card can be intercepted on a compromised machine as it's not encrypted the entire time and I'd love to see banks get beaten down in court over that one.

  3. Ash

    He's suing a bank.

    I want some of whatever he's on...

  4. Anonymous Coward
    Thumb Down

    Won't ever win

    The banks have far too much money tied up in the currenty ATM system to allow any proof of fraud through cloned cards.

    The government, and its "justice" arm have too much money invested in the banks to upset them.

    This case will never be proved even if the person who actually did it turned up in court with witnesses, videos and DNA samples.

  5. Mike


    Banks, the origional greedy sticky fingered lying cluts.

    They will do everything to save them money, while costing you more. I for one hopes he wins this case, and wish that judges had a little more technical training to cope in this day and age.

  6. D Tonhofer Silver badge
    Black Helicopters

    Definitely relevant

  7. Mad Mike
    Thumb Down

    Chip and Pin is rubbish

    Good lunk to him I say. Anyone with any nouse will know that chip and pin can be copied just like the old cards. Yes, it's harder, but nothing for organised criminal gangs. The cards are available on the black market and so is the hardware required. No problem. The technology isn't a secret either and secrecy is never a good way to protect it anyway, as it always leaks.

    Chip and pin was simply a way of shifting the responsibility onto the cardholder and away from the trader and card company. After all, it's 'perfect', can't be cloned etc.etc. (all this was said about the original mag stripe cashpoint cards) and therefore it must be the cardholders fault. They just must have given away their PIN etc. Utter rubbish......

    He may or may not be telling the truth, but there are certainly loads of people out there footing the bill for a poorly thought out rubbish system.

  8. dreadful scathe

    Chip and Pin security

    One thing I have noticed about Chip and Pin is it makes it far easier to commit fraud where the cardholder is present. The cardholder could be anybody e.g. when i get a train ticket from rail staffs handheld machines that do not support chip and pin and you have to sign, the staff NEVER check the signature on the back. They used to prior to chip and pin, why not now? it makes no sense.

    Also, once when I paid for petrol at a BP station I got the pin wrong 3 times. The teller accepted it anyway on the grounds that her machines keypad was "playing up". Only later did I realise it was the wrong card entirely and therefore the wrong pin I persevered with. So in some cases, with a queue building up behind you, you do not need a pin at all.

    And of course if you do happen to find out the pin and get the card, you will never be questioned or suspected...even if the name on the card is clearly not yours i.e. a 6 foot bloke called Geraldine - staff do not even touch the cards anymore.

  9. Anonymous Coward
    Anonymous Coward

    Here's my conspiracy theory...

    Yet another step backwards for the wretched consumer. We are penned in by government, corporations, and criminals - all three of whom want our money in ever-growing slabs. Moreover, all three want to minimize their own outlays (as we all know, a penny saved is a penny earned).

    Credit cards and debit cards are good news for financial corporations: they increase the size and number of transactions (on which they get a cut) while also decreasing their overhead costs. So far, so good.

    Unfortunately plastic cards are prone to fraud. The banks' response, on the whole, is to lobby for the law to pin all the blame on consumers. Since governments are utterly clueless about anything remotely technical, they have recourse to getting advice from "experts" - in this case, of course, representatives of the banks. To no one's great surprise, the experts advise government and the courts that it's all the fault of the damn consumers, and they can eat the costs.

    Barter, anyone?

  10. Anonymous Coward
    Black Helicopters

    ID Cards

    People who have their UK ID card cloned will suffer the same problem. The authorities refuse to admit its possible, even though it almost certainly will be.

    Knowing you are innocent will be cold comfort when you are up before a court on a fraud charge where the primary evidence *is* your ID card.

  11. Anonymous Coward
    Anonymous Coward

    Ok, here we go...

    Phantom withdrawals are not the same thing as a cloned card being used. A phantom withdrawal is where the money 'disappears' from an account having been logged as dished out by an ATM, or transfer for which there is no evidence of a requested transaction. They are most certainly not commonplace.

    I wasn't aware that there had been any cloned c&p cards yet?

    Does seem a bit odd that Hallifax would destroy the card, particularly when such a small ammount of money is involved, I would have thought they'd just pony up the cash to shut the guy up. I wonder if there is something else going on here?

    Odd that there is no cctv evidence also.

  12. Dennis
    Black Helicopters

    Recently had my card cloned - But by who?????

    Recently had a withdrawal made on my card from LJUBLJANA.

    When I contacted the Bank they told me my card must have been cloned when I last used it. When I told them I had never used the card and I could prove this because my statements show there had never been a withdrawal/swipes on this card, they said well you obviously disposed of the card in a unsecure manner or shared the details with somebody else. No I haven't and I can prove that, can you prove your systems are that secure.

    I got an immediate refund, but I guess I was lucky that I had never used my card. If I had of used the card I'm sure they would have made it a lot more difficult.

    So you see systems are only as secure as the bank are prepared to pay to make them.

    Anon obviously, because Big Brother is watching us not the crooks

  13. David Buckley

    why not a fake?

    its not impossible to pretend to be another card

    it just involves some hardware thats not accessible to noddy crooks

    and who'd have thunk that a bank would destroy evidence.....

    or a judge wouldn't believe the plaintive in a none trivial case

  14. Andus McCoatover

    I can believe it...

    There's a pub nearby, where we used "Chip 'n' pin" on our bank cards to pay for beer. In Finland, cash use is relatively - by UK standards - unusual.

    Many of us regulars have been astounded that occasionally after a moderate session, €100-200 has vanished from our accounts. So, looking at the e-statement, I've apparently drunk 20+ beers a night, even without going there. Put €230 into my current account Monday (from my 'slush fund', where my dole goes), and it vanished in a couple of days. Nordea bank doesn't want to know. Pub sends me to Nordea, Nordea refers me to the pub. I think I'll refer myself to a lawyer, but it's hard to prove. Keep receipts? Doesn't prove anything, I could've thrown some away.

    Changed card this week, cash only from now on. Same as my friends.

  15. Adam Silver badge

    Not as bad as it first seems

    Text of judgement here:

    HBOS destroyed the evidence that would have shown if the chip or the mag stripe had been used. The judge takes pains to point out that he isn't ruling on chip and pin in general, but more on the balance of evidence in this particular case.

  16. Anonymous Coward

    Wait what?

    so to prove it's not a cloned card they produced the information that could have come from a cloned card?

    Given that there's CCTV all over nowadays isn't it possible to just look at the photo of him using it or not?

  17. pctechxp

    Time chip and pin scrapped

    As it is a ruse to make us liable for bank cock ups.

  18. Ihre Papiere Bitte!!
    Black Helicopters

    Who expected that?

    Wow. I'm blown away. Really. I never expected that the bank would produce the proof that it needed to show that chip & pin is completely utterly absolutely safe and that this whining beeatch is obviously just a paedophile terrorist out to try and destabilise the economy at the expense of those utterly-impeccably-behaved banks that never do anything even remotely suspicious, and certainly don't operate behind closed doors. And that his legal team don't sound to have been able to examine the evidence directly. Why would they need to? The Bank said it was all ok. And we trust & love The Bank. I bet this man is part of the BNP, so he obviously deserves everything he gets. Not that he got anything. Of course not. No. Did I say that it was completely safe? I'm sure I did.

    Go about your business citizen. All your cash is belong to the Lloyds/TSB/Halifax/Bank of Scotland Corporation!!

  19. Piers

    Halifax had junked evidence...

    "Halifax had junked evidence that might have ascertained if a cloned card was used. The original ATM card and the Authorisation Request Cryptogram were destroyed by Halifax."

    WTF?!? Don't bank with them then!

  20. Karim Bourouba

    Are there not other sources of evidence though?

    I am no CSI wannabe, but given the UK is the serveillance capital of the world, wouldnt one of the CCTV cameras placed everywhere have picked him up at the ATM itself?

    I know cameras tend to point at ATM's in busy places, like in train stattions and city centers etc. So would it have been a big problem for someone to have reviewed the tapes for the days the transactions were made?

    Or, could it be that even though we have all these cameras in the UK, we dont hang on to the video for very long? And, chances are that even if there were no camera looking at people at the ATM itself, surely one of these spy devices would have picked him up in the vicinity of the ATM around the times the transactions were made?

    Or am I just being too clever for my own good?

  21. David Knell
    Jobs Halo

    Looks like the right decision..

    ..the transcript of the judgment is available here: - reading through it, I'd think that M. Job would be ill advised to appeal.

  22. Jacqui

    Chip and pIn is flawed

    The only reason CnP was introduced was to allow banks to drop liability on stolen funds onto the card holder. TThis was hotly disputed by the banks at the time.

    From discussions (ok scare stories) with folks in the industry and cases like this I have no intention of upgrading to a CnP card no matter how hard they keep trying to get me to sign up.

    I know of two people locally who have closed accounts because of thier distrust of the banks and thier trying to force CnP on them.

    Thankfully Nationwide has yet to try to force me - just keeps sending me wanna free this or that - sign this CnP agreement. :-/

  23. Anonymous Coward
    Anonymous Coward

    *cough* Munden *cough*

    Anyone who banks with Halifax after the Munden case can only have themselves to blame if they suffer a phantom withdrawal. He should consider himself fortunate that he didn't face criminal charges after complaining.

  24. M A Walters
    Gates Horns

    Burden of proof

    Without knowing specifics about the case and its evidence, it's difficult to make an informed judgement. The question is, who has the burden of proof, Halifax or its customer. If it's the petitioner (ie the customer), then the question is why Halifax destroyed the evidence. If it's the respondent (ie Halifax), then the ruling makes no sense at all.

    Basically, Halifax cannot prove that the customer made the transaction, nor can they prove that he didn't. The customer cannot prove that he didn't either, though. I am wondering if anyone actually bothered checking CCTV in the store where the card (or its clone) was used, surely we have enough of those in this country...

  25. Andrew Woodvine

    The claimant doesn't have much luck

    I've just read the judgment ( for this case. I noticed that in 2005 the bank issued a replacement card which didn't arrive at the claimant's address and was fraudulently used. Then again after the claimant reported the fraudulent transactions in 2006 the bank issued another replacement card which also didn't arrive and was fraudulently used. In both instances the bank accepted the claimant didn't receive the cards and refunded the fraudulent transactions.

  26. Dick Emery
    Thumb Down

    F*cking banks!

    Lets shit on the little man shall we? Banks are the scourge of this world. I do not trust them but unfortunately we have to use them.

  27. Anonymous Coward

    I hope he does appeal

    The mythical impenetrable security of Chip and Pin has been proven wrong time and time again. All we need now is for banks to admit it's not a perfect system. But they won't. And now it seems the court won't listen.

    I really do think that court cases involving technology need someone who knows about technology being the magistrate. The number of technology myths there are just create confusion for them.

  28. Anonymous Coward
    Anonymous Coward


    18 years ago I worked for an electroinics firm that put mini cameras into Cash Machines.

    Do these no longer exist? This would be proof beyond doubt whether the defendent made the transaction or not.

  29. The BigYin


    The whole point of chip and pin was to allow banks to duck their responsibility. Now they can blame the victim for any fraud and wash their hands of it.

    Was there no video of the transaction? There should have been. That would show if the cardholder or A.N.Other made the withdrawal. If A.N.Other, the police should have been called.

    Rather than assist it's customer, the bank would rather do them over and keep their vast, unjustified profits. This is the same behaviour that caused them to screw the world economy. Utter bastards.

  30. Robin


    "Anon obviously, because Big Brother is watching us not the crooks"

    Or maybe not anon after all?

  31. Anonymous Coward

    Chip and PIn security has failed

    The security for the chips has failed. It failed within months of its launch

    Its been proved by various cambridge academics and been proved by me direct to the goverment that the security is for the bank not for the consumer.

    Shifting blame onto the consumer.

    Obviously nobody has done rsearch with this case. There are papers oncline showing serious failings of the system

  32. Joe Montana


    Someone commented earlier that staff never check signatures... Why should they bother? Signatures are a totally worthless method of identifying someone.. Whenever i had to sign something it looked different every time and was never checked. Plus it's prominently shown on the back of the card for anyone to copy.

    Some american stores would ask for photo ID that matches the details on the card, not perfect but much better than having someone make some arbitrary pen mark.

    A pin is also not perfect, but still better than a signature.

    The biggest problem is the way banks have used this as an excuse to shift the blame. They took a perfectly reasonable and useful mechanism which has been used in mainland europe for years, and used it to try and weasel out of their responsibilities to customers. £2100 may not be very much for a bank, but to many people that's a lot of money and could completely screw their life up.

  33. Anonymous Coward


    Cut up your cards.

    Make an appointment with your Bank Manager, and have him witness the card being rendered useless. Don't let him order you a replacement! Better still, close your account and force your employer to pay you in cash.

    Use cash for everything. As we all know, cash can't be copied. And its easy to trace if someone steals it from you. NOT!

    Bank cards make your life simpler and safer. Yes, banks have a responsibility to make sure it is secure, and unfortunately, if you don't trust them on that front, your option is to return to using cash, which absolves the bank of ALL responsibility.

  34. Anonymous Coward
    Anonymous Coward


    ...every criminal in the country is going to be working on chip-and-pin fraud now, because they'll never get prosecuted. After all, if even one criminal gets prosecuted for using a cloned card, the whole "it's impossible" defence will fall apart.

  35. Anonymous Coward
    Anonymous Coward

    Anyone actually read the judgement?

    This is a terrible case to use as an example, and the judge makes a point of saying that this should in no way be seen as a test case. The defendant has a poor story - the facts (only atm's near his address used; no attempts at withdrawal after his reporting of the 'fraud'; previous cards never arriving) didn't help at all.

    I would like to have seen a recommendation that the banks keep their records for MUCH longer, given that they prove chip vs magstripe use, and thought that Halifax were very lucky to get away with not being able to produce the full records, especially as they admitted having them at the time of the report and destroying them AFTERWARDS!

    Terrible case for such an important question - I hope that we get a more reasonable one in the near future.

  36. Dave Bell

    Intercepted Cards

    About a quarter century ago my brother had a new card intercepted (a house converted to flats, and no seperate mailbox). The crook could put a signature on the card. Luckily, my brother checked why the card hadn't arrived, and in those days there was a signature on the payment slip.

    That security number on the back doesn't make a difference in that case, but you have to "activate" the card. That's where personal data theft can pay off, letting you answer the security questions.

    But Chip and PIN does make stealing the card alone pretty useless. You can do "cardholder not present" without a physical card. You have to get hold of the PIN, and that doesn't get sent out every time a new piece of plastic gets sent out.

    So all this is an improvement. But new tech brings new loopholes, and a lot of different people need to understand the tech enough to be able to talk sensibly.From the decision-makers in the banks to lawyers in court. The Judge? It helps, but let the lawyers explain it.

  37. Scott Broukell

    What the future holds (aaargh)

    For many years Western banking institutions have been longing for a cashless society. Cash is very expensive to; produce, transport securely, count, sort and distribute again (goes around in a circle you see). HM Gov, banks and retailers see a future where our credits (cash equivalent) are held and transferred entirely electronically. This would save them oodles of dosh.

    There are advantages, especially in developing nations, where electronic banking on mobile devices is a replacement for a lack of banking infrastructure. This gives peeps a chance to save or even look at business start-ups, using a growing number of localized, community-based banking facilities. (Not the overweight capitalist greed-mongering institutions we are used to, not yet anyway).

    But I dread the day that UK gov and banks announce the end of 'spensiv' cash and all our credits start flying around cyber space willy-nilly with the onus on securing, tracing and recording the flow firmly lodged with the individual.

    Groats and bartering are the only way forward - you fix my cam-belt timing and I'll disinfect you computer etc. etc.

  38. This post has been deleted by its author

  39. Anonymous Coward
    Anonymous Coward

    @Conspiracy theorists

    Please change the record, Chip and Pin was brought in to protect customers from rampant fraudulant use of cards and the pathetic ease with which magstripes can be cloned. It was not to foist the bank's responsibillity to refund fraudulant use of cards onto customers. Chip and pin has worked and fraud has dropped a massive ammount.

  40. Daniel Hall

    Can I just add..Broken chips....

    I work part time in a pub to help out a friend, and one thing I have noticed is that when a customer wants to pay by card scary things happen.

    For example,

    If the chip is damaged/un-readable by our machine then it just says to use the mag stripe.

    I did an experiment with my own bank card by taking a hammer and a sharp knife to damage the chip reading surface (the simcard like bit) and was told by the card machine after 3 attempts to use the mag stripe.

    Now imagine this....

    Mr Bloggs has his card details stolen, and a duplicate is made from the info on the mag stripe. To simply get around the chip and pin bit, all he has to do is use a damaged chip and then all he has to do is wait for the check out person to use the mag stripe so he can then forge the signiature.....

    Am I being a bit naive or not?

    My experiment worked, and I know cards can be cloned.....

    Anyone else have any thoughts?


  41. Anonymous Coward
    Anonymous Coward


    Have you read the Cambridge academic's (I can't remember the guy's name off-hand) proof of faults in C&P, anyone who knows anything about how C&P works knows that they are utter rubbish and never likely to work in the real world.

  42. Graham Bartlett

    Not a test case, but still symptomatic of HBOS

    Whilst the bloke in this case does seem to be a numpty, HBOS's reaction does seem to be typical.

    About 10 years back, my sister had a student account with the Halifax Building Society (as it then was). Like all students, she got her interest-free overdraft. Great. And like a number of students, she exceeded this occasionally and was charged accordingly. Also OK.

    But then she got a job after uni, and wanted to close her account. The conversation (over several months, multiple bank managers and various departments of Halifax) went something like:-

    "I'd like to clear my student overdraft and close my student account, please."

    "That'll be (overdraft+several hundred quid) please."

    "Eh? Here's my latest statement saying how much my overdraft is, and here's the letters listing all the charges I owe you."

    "No, pay us what we're asking."

    "Where did the extra come from?"

    "We don't know, and we're not going to tell you, so just pay us all this money or we'll blacklist your credit rating."

    "OK, here's the money I know I owe you. Here's a letter saying I won't pay the rest until you tell me where those charges came from."

    "Here's a credit rating blacklist. Have a nice life."

    Had my sister been some future-free dosser, then maybe they wouldn't have wanted her as a future customer. But since she was a newly-trained corporate lawyer, and at the time was going out with a high-earning City trader, this is probably not the cleverest move for their future business. As far as our family is concerned, the Halifax can forget about ever seeing us as customers.

  43. pctechxp

    Its the same with Mastercard securecode/Verified by Visa

    They will try and make us liable for fraud on the Internet next.

  44. Matt D

    Big Brother's accounting wing.

    "For many years Western banking institutions have been longing for a cashless society. Cash is very expensive to; produce, transport securely, count, sort and distribute again (goes around in a circle you see). HM Gov, banks and retailers see a future where our credits (cash equivalent) are held and transferred entirely electronically. This would save them oodles of dosh."

    It would also allow governments to analyse every single monetary transaction made by any member of the population.

    If you stop to think about it, it is truly extraordinary the amount of information which is currently gathered about each of us as we go about our normal business. Current practice allows government to monitor, or potentially monitor, or most of our communications (Phorm, Jacqui's uber-database,) our movements, (Oyster, CCTV, ANPR,) and many of our purchases, (credit/debit card records), along with all of the many and various databases relating to benefits, health, various licenses and voting registrations.

    The excuse for this is that the records are not all held centrally by government and are not joined up, but are instead fractured and used piecemeal for various tasks.

    All of it is accessible by government in some form or another, however, and it would not be beyond the wit of man to link all these sources of information together.

    If a cashless society was also introduced, quite apart from the immense potential for fraud, it would also bring about the inevitable scenario of every single transaction we are involved in being logged and stored, from the purchasing a car to giving your grandson a tenner for his birthday. Every transaction could be automatically examined for legality and, potentially, taxed.

    There is a reason why we still have cash. We don't keep despite the fact it can't be traced. It is BECAUSE it can't be traced.

    What we spend our hard-earned on is our business.

  45. A J Stiles

    @ Dave Bell

    "But Chip and PIN does make stealing the card alone pretty useless. You can do 'cardholder not present' without a physical card. You have to get hold of the PIN, and that doesn't get sent out every time a new piece of plastic gets sent out."

    You what? Getting hold of the PIN is the easy part: just hold a knife against someone's throat and they'll soon tell you it. Keep the knife in place whilst an accomplice makes a test purchase in a nearby store, and have them call you using a mobile phone that used to belong to the victim to confirm the success or otherwise. Then rough them up a bit; no more than necessary to buy you sufficient time to max out the card before they can report it.

    (This is actually the subject of a patent application in my name. Only, I'm claiming the method for being robbed rather than the method for committing the robbery; because the perpetrator has most probably legged it, whereas the victim can easily be sued for stealing my precious intellectual property that I thought of first.)

  46. JoePritchard

    I agree with m'Lud...for once!

    Looking at the judgement, I think the judge was right.

    Whilst I think there are possible issues around C&P, they're not being shown up in this case.

  47. Peter Kay

    'chip and pin has worked'

    It may be from online sources - who knows, but since chip and PIN came in i've had my visa cloned twice and my bank card once. Before then? Never a problem..

  48. Dave

    @M A Walters

    It is pretty clear from that article that the customer raised the action against the bank, and therefore the burden of proof lies against him. This time, the bank does not have to prove anything, just show that he is talking crap, and in this case it looks like he was trying to pull a fast one, and didn't do a very good job.

  49. Anonymous Coward
    Anonymous Coward

    "But Chip and PIN does make stealing the card alone pretty useless"

    Unless you're paying for goods/services online.

  50. Nick

    Chip and Pin in ATM's - Where exactly?

    My 'horsey' bank card recently foobar'ed up and stopped me withdrawing money from cash machines - it rejected the card as unreadable.. However, it still worked perfectly in retailers Chip + Pin machines, and allowed me to get funds using the cashback mechanism. I believe this was due to the magnetic stripe being zapped rather than the chip knackering up.

    Several cash machines, both new (installed within the last 12 months) and old, and even the banks own machines didn't seem interested in reading the card, so unless I got really unlucky with dodgy machines, Id say that chip reading ATM's are few and far between.

    Good luck to 'yer man though, although I think me may have better luck participating in a quest to find some golden rocking horse poo.

  51. Anonymous Coward
    Anonymous Coward

    PIN can be got online

    I have a number of credit cards that I check online. Some of them will tell you your pin or allow you to change it online. Obviously you need to log in to an account, but that is exactly the sort of thing that key-loggers and other malware are designed to compromise. These accounts seldom have the same perceived level of login security as an online bank either, as there is no facility for transferring cash.

  52. James Brash
    Paris Hilton


    Assuming the ATM in question had a camera, why can't they check the camera pictures to verify.

  53. Anonymous Coward
    Black Helicopters

    @ Matt D

    I know that this is not directly associated with Chip and Pin, but it is a response to an earlier poster.

    It became obvious in discussions in the House of Lords during the ID card debate, that the Uber Database would become the 'glue' to cross-reference all of the fractured information sources, especially in the Government and Government Agency databases.

    There were (are still?) provisions that allow any such database to have additional information added WITHOUT FURTHER PRIMARY LEGISLATION. This would allow the incumbent government to store, in an easily accessible manner, ANY INFORMATION THEY WANTED, and there would not be any parliamentary scrutiny for such additions (it would all be agreed in committee, possibly behind closed doors).

    This would allow DWP and HMRC to automatically compare financial transactions for you. And also compare the car someone was driving with whether they were claiming benefits. And let the DHS see whether you had been out of the country from the passport records (once electronic passport records are kept) to see whether they could offload health costs to the Insurance companies.

    Now many of those things are innocent, and I am sure that it would be argued that generally these checks were generally for the public good, but if a number of false associations led to harassment of innocent individuals, with the onus on them to prove that they had done nothing wrong, then it would be a bad thing.

    Now, I'm going to obscure the ISP records so it's a little more difficult for them to find me!

  54. Anonymous Coward
    Anonymous Coward


    FFS This highlights why CCTV and DNA and fingerprints don't result in total justice.

    Imagine the scene in court, the video starts up a grainy enhanced long shot tracks a figure hooded, gloved and with a scarf over most of his face up to the ATM.

    Great, another hour on the lawyer's bills.

  55. Anonymous Coward
    Anonymous Coward


    The vast majority of UK ATMs are chip enabled (at larger banks at least) as it's a fairly simple retro-fit to the card reader, they also have to keep a magstripe reader in order to service cards from non-c&p zones. Sometimes the chip reader won't be able to read, possibly through a dodgy connection and you can hear the machine re-try to make a good connection then, when it fails wizz the card over the magstripe reader. Not all machines which can read both are allowed to, some especially in high fraud areas are configured to not read a magstripe on a c&p card, even if one is available. Some banks will refuse by default.

    The sooner the rest of the world (America, I'm looking at you!) falls into line the better as we'll be able to do away with the magstrip altogether.

  56. Anonymous Coward
    Anonymous Coward


    Having looked at the judgement I can see why the balance of probabilities went with the bank in this instance, but there are some very suspect arguments in there. Physical cloning of the card was ruled out because APACS, the industry body responsible for the cards, has no knowledge of any successful criminal cloning. By that argument there never will be, every time any case comes up (and most will never make it to court) physical cloning will be ruled impossible.

  57. WhatWasThat?

    How many in use?

    According to the court document, 300 mil chip & pin cards are in use...

    So, that would be 1/2 the population of Europe (730 mil at last census) or the entire population of the US in 2000... hmmm... I hope that the claimed number in use are world wide, but then that reduces to this being used by the population of the G20, which means 300 mil out of 4.4 bil (, or 6.8% of the G20. Not that ripe a target for fraud yet, is it?

    I didn't know there were that many out there? And the only evidence against possible fraud is the bank... that is plugging its ears and saying "can't hear you..."

    As for why this guy would be a target, he is supposed to be the brother of a (presumably) employeed footballer in England who can afford to dump 10K into his account when he needs it... Most fraud I have heard about here in MW Merika _are_ against people related to those with money; going against the moneybags themselves usually get investigated by "personal" services. Rather effectively, I should add.

    This person who, admittedly, may not be here legally (asylum still pending?!), has been the target of fraud before, and therefore a "perfect candidate" for "more secure methods" of banking, like C&P. Or, the bank feels that he is a scammer who cannot be allowed to get away with it anymore.

    Video evidence from an ATM is (here, at least) usually only held for seven days. If a dispute is raised (like it was here), relevent footage is supposed to be retained until 30 days after resolution from the bank's fraud investigation. If they viewed the video, they would have recorded in the investigation files whether it was this person or not. _Those_ investigation records are required to be retained for 5 years... But, while HSBC is required to do this at its Merikan locations doesn't mean it does so (if it's too expensive) at it's "home town" branches...

  58. Anonymous Coward
    Anonymous Coward

    It's Friday afternoon and I can't think of a title

    @ Daniel Hall, what you're describing (being able to use a card despite the chip being unreadable) refers to the fallback mechanism of not using the chip and going back to the old method of authentication. Much in the same way that ATMs, as Fraser describes, are designed to be able to still read non-chip enabled cards, EPOS terminals can do the same thing.

    However, it's important to realise that, in these cases, the ability for the retailer to recoup any losses incurred as a result of the card used to make the payment having been used fraudulently are slim to zero (actually, they're zero!). Payments processed in this way, i.e. via a signature not via chip & pin, are referred to as Cardholder Not Present (CNP) and for a few years now chargebacks (where Visa or Mastercard would reimburse the retailer) are no longer possible for CNP transactions.

    It's up to the retailer to decide whether they want to use this failback mechanism - it's available for those who accept the risk (usually retailers where typical transactions are for relatively small amounts), but the associated risk is made patently clear to such retailers. It's not a failing of the payments system... it's a feature and has been designed accordingly.

    @ Fraser, are you referring to Ross Anderson? His papers are interesting to read, but he often appears to have a real chip (no pun intended) on his shoulder about the UK banking system. I generally find the solutions he proposes to non-existant problems are either a) too technically difficult to implement; b) too expensive to implement; or 3) not worth the effort considering the low risk of his convoluted examples ever being seen in-the-wild.

    @ pctechxp, I think VBV and MastercardSecure are worse than Chip & Pin as it's too easy to reset the password if you know some personal details about the cardholder... if you steal someone's wallet then you're likely to now have their driving license which shows the date of birth, plus the card itself shows the number and name.

  59. Bo Pedersen

    Evidence Destruction

    Well this is interesting, I am sure I would be prosecuted if I didn't hold details of my business' financial transactions for at least 7 years.....This is a legal requirement

    so how does a bank get away with destroying records within 7 years?

    the FSA should at least look into their practices irrespective of this case!

  60. spam


    Klutz - Customers did not need any protection from fraudulent use of cards the banks are liable for fraudulent use.

    A chip is harder to clone (but no harder to steal) and so is more secure if it is actually used. A pin is not secure just more secure than a signature which no one looks at.

    So fraud has been reduced the problem is the customer is much more likely to be held liable for the fraud that remains. C&P reduced fraud for the benefit of the banks at the expense of the customer.

    I had a Halifax credit card. I would never make an ATM cash withdrawal with it so when they introduced C&P to protect myself from fraudulent use I asked them to set the daily cash withdrawal limit to zero. They refused, said it was impossible - that shows how much the Halifax care about fraud they can pass on to their customers. I got a (now sadly defunct) GE Money card, when I asked them to set the limit to zero they said sure no problem.

  61. Adrian
    Thumb Down

    Serial stupidity

    There was a case a few years ago where the Halifax argued the toss against a disputed withdrawal. This was before C&P but they refused to believe their equipment was infallible. Ross Anderson was a witness for the defence (of the account holder).

    I closed my account : they're clearly stupid.

  62. Peter Gathercole Silver badge


    OK, I'm now worried. I think I always knew that some ATM's would use the magnetic stripe, but reading what you wrote makes me nervous.

    Specifically, the same PIN is used for the Chip as would be required by a mag-stripe ATM.

    OK, the PIN for the C&P is safe, as it is effectively used as one of the input keys to the challenge-response that the on-card chip uses, and is thus is not stored on the card.

    So how does (and always has) the PIN for the mag-stripe worked? If this can be brute-forced in some way, does this not also compromise the C&P PIN?

    Maybe I just have not understood how the mag-stripe authentication works, but it has to be checked by the ATM, and not every ATM in the world has my PIN stored in it. Is it one-way hashed in some way, or is it stored centrally and queried from the central repository each time the card is used. In the latter case, I sincerely hope that the telecoms traffic between the ATM and central repository is encrypted, and that every partner bank has the same high degree of security to ensure that it cannot be fraudulently queried or possibly snooped.

  63. Michael Chester

    @Andus McCoatover

    Simple(ish) solution:

    1. Go to bank (management if possible), or, if they don't co-operate, lawyer (who will be able to sort it in such a way that it's admissible evidence).

    2. Put money on card,

    3. give card to bank/lawyer, ensure that no replacement is issued.

    4.a) If money disappears, then you can show that its not you doing it (unless you clone cards yourself...)

    4.b) If the money is only going just after you visit the pub, take banker/lawyer out drinking, using your card but with them taking it before and after

    5. ????

    6. PROFIT

  64. Henry Wertz Gold badge

    paying for fraud

    "The sooner the rest of the world (America, I'm looking at you!) falls into line the better as we'll be able to do away with the magstrip altogether."

    I for one am not interested. Our banks take responsibility for bank fraud (we don't end up out of pocket), if C&P meant they would not take responsibility (as UK banks are doing), believe me you'll have NOONE want to get one here. The one thing you don't want in the US is a debit card... ATM cards, the bank's responsible for fraud by law; credit cards, the credit card company (or vendor that allowed fraudulent transactions, ultimately), because they know people would quit using credit cards otherwise; debit card? US banks tend to be nice enough to refund fraudulent transactions (they aren't trying to maintain the illusion of 0 fraud), but are under no obligations to do so, and a few banks try to make it difficult.

    "Does seem a bit odd that Hallifax would destroy the card, particularly when such a small ammount of money is involved, I would have thought they'd just pony up the cash to shut the guy up. I wonder if there is something else going on here?"

    Sure there's something else going on -- the banks want to maintain the illusion that C&P is infallible, if they paid him back they'd be admitting a fault in the system.

  65. Anonymous Coward
    Anonymous Coward


    @AC - Yep, it was Ross Anderson, interesting bloke, but like to you say theoretical hacks at best.

    @spam - Customers do need protection from fraud, who do you think ultimately pays for re-imbursement of fraudulently used cards? It aint the banks or their shareholders now is it? Although like you say Halifax should have zeroed your CC's abillity to withdraw cash.

    @Peter - The pin is actually stored in the chip - you'll notice when you use a dialup terminal that it says 'pin ok' or something like that before it dials up. The pin is heavily encrypted. (!) I am not sure about the location of the PIN for the magstripe, but I think that it lives off-card in the bank's systems, I'm open to correction if anyone known better? But there would be no need for any ATM to store information about you as it has to connect back to your bank anyway. Your bank is presented with a transaction request and just says yes or no to a different bank.

  66. RW

    The Cashless Society

    Urban legend has it that Richard Nixon's government once posed this question: what's the simplest way to _really_ keep tabs on everyone in the country.

    The answer? Require the use of a credit card to buy food.

    Thus your Cousin Jimmy who's on the run can't stay with you because your food purchases will suddenly increase. You can't hide that new-born with six eyes you are planning to sell to a Chinese circus for the same reason.

    Legend or truth? I really don't know, but it sounds fairly typical of Nixon.

  67. James Pickett


    "fraud has dropped a massive ammount"

    So there is still some going on, then..?

  68. David

    Non-techie judge?

    Perhaps yet another example of non-technicial judiciary? Did both sides have expert witnesses? Is the Halifax now inferring that Mr. Job made the withdrawals himself?

  69. David Wilkinson

    Given the cost of technology

    How about a camera on the card reader that uploads a pic that is kept for 30 days.

    I mean in the UK you are pretty much on video everywhere and don't seem to mind.

  70. Anonymous Coward
    Gates Halo

    Destroy Mag Stripe?

    I was a 2984 cashpoint engineer from 1973, &, even then, successfully experimented with reading & writing my (unrobust) single stripe cashpoint card, using an IBM 3604 with card read/write.

    For added security, should I wipe/destroy the mag stripe. Will I get undue hassle anywhere? No foreign travel planned.

  71. Andus McCoatover

    Sadly, been done.

    <<Getting hold of the PIN is the easy part: just hold a knife against someone's throat and they'll soon tell you it. Keep the knife in place whilst an accomplice makes a test purchase in a nearby store, and have them call you using a mobile phone that used to belong to the victim to confirm the success or otherwise.>>

    Not for the squeamish. Made me vomit.

  72. dedmonst

    having glanced through the judgement...

    I'm left wondering a couple of things...

    i) what relevance to the case is it that Mr Job is an asylum seeker from Cameroon - one wonders why thats even mentioned...

    ii) how might things have gone if this case were being brought by a white middle class professional from Berkshire...

    of course the "circumstantial" evidence against him is pretty strong, but still...

  73. Anonymous Coward
    Anonymous Coward


    Yes there is still fraud, C&P is only designed to prevent cardholder present so the following still work fine:

    Steal wallet, use card that has a PIN written down (people actually do this, it's incredible, I know)

    Observe card being used (ie: obtain pin) steal card

    Clone magstripe, use cloned card in non-c&p country or dumbass retailer who accept magstripe transactions

    Make internet payments using stolen card's details (starting to be attacked by online auth systems)

  74. Martin Silver badge


    Ros Anderson's proof of how to do a man-in-the-middle attack on the super secure chip is a little artificial.

    The real fraud that occured at Tescos and Esso stations just after the cards were launched was much simpler. The pin for the chip is the same as the pin for your magstipe+ATM. Just put a little recorder on the handset and you have the pin and a swipe of the magstipe and you have all you need to make an ATM card.

    Having the same pin for both is simply to avoid the cost of upgrading all ATMs and tills to the chip - but it makes the card much less secure than it used to be.

  75. Tom

    Hole in the walls only

    I don't worry too much about the ATM's in the side of the legitimate banks, though as with anything that is computerised, they are a going concern.

    My biggest worry and severest concern, are those ATM's that are forever popping up in corner shops and other outlets, where the shopkeepers etc, will tell you they don't have access to the machine, yet I have witnessed shopkeepers and their assistants accessing the machines, because of what I have witnessed, I have repeatedly informed family and friends to never use an ATM unless it's attached to a bank, building society or a recognised business, and it is imperative to stay away from the fly by night pop up ATM's in corner shops and other lesser known outlets.

  76. Andy Moreton

    Simple theory

    Conspiracy theories are always good fun, but I think there is a much simpler explanation in this case. From the judgment:

    "Before he went to bed he took the card from his wallet and hid it under a griddle drum in the garden, retrieving it the next morning" - Sounds like he was hiding the card from someone in the house.

    "In the succeeding days he was sent another card. As the bank were prepared to accept, he did not receive it, and withdrawals made with it were refunded" - So bank sent card & pin to his house, he didn't get them, but someone else made some withdrawals.

    I don't think you need to be Sherlock Holmes to figure out what happened.

  77. Anonymous Coward
    Gates Halo

    His barrister is talking.....

    bollocks when he says, quote, ".....Mason said he became involved in Job's case as it was progressing, and it was too late to request that information from Halifax in time for the trial due to how U.K. court procedures work........" End quote

    What he should have said perhaps is "I should really have asked the Court for an Order that Halifax disclose the relevant material, even if late in the day, as it would have filled a massive void, but I couldnt give a shit because it my client loses I dont care because I make even more costs.

    His barrister is an AMATEUR. If he knew of the existence of such material he 100% should have had the trial delayed to get it !!

  78. Chris Silver badge


    "According to the court document, 300 mil chip & pin cards are in use..."

    No, according to the court document, 300 million cards have been issued since Chip & Pin was introduced, which was 5 years ago (6 if you include the pilot scheme). If the cards my bank (the one with an equine flavour) issues are typical of cards from other banks, then they get replaced due to expiry every 2-3 years, so most if not all of the original cards have been replaced at least once. On top of that you'd get issued with a new card if you change banks, or change branches or accounts within the same bank. Credit cards are reissued if the issuing bank/company decides to switch from Visa to Mastercard or vice versa. On top of all of that, people may well have multiple cards at any one time.

    So given all of that, 300 million cards issued over 5 years just within the UK doesn't sound quite so unreasonable.

  79. Kevin Reader

    3 cards attacked in 18 months

    The current scheme is pretty weak.

    Late 07 - debit card - spurious virgin mobile welcome pack, check next statement - no charge for that but debits for 2 different other brand mobile phone topups. Inform virgin & bank. virgin confirm that their associated sim had £100+ of PAYG topup from other sources, get thanked a lot. Bank begrudgingly accepts problem - refund & new card.

    Early 08 - credit card - get phoned by bank's computer - worry that's a spoof and phone bank back. turns out 10 x £50 cashpoint withdrawals. Unusually in london (not eastern europe). So that had to be a clone+pin. Bank begrudgingly accepts it.

    Local petrol stations were implicated. Police blamed a certain one but locals reckoned another was dodgy (too?) as they'd only used their card there!

    Early 09 - wife's debit card - VerifiedByVisa PASSWORD change email turns up. I happen to spot the message cross my mail server. We alert bank. Slightly later someone attempts transaction they tell us (IIRC a fridge from comet, which seems weird as surely card address would be needed for delivery?).

    There is also a long running problem with bogus phone topups often discussed at moneysavingexpert. This seems to most frequently implicate o2. My suspicion is their topup website doesn't validate the card address against the phone (and no pin or chip as its online). Neat - for felons.

  80. Anonymous Coward

    Martin: no, the hack was cleverer than that.

    As I recall, the actual hack was cleverer than that. Someone figured out how to modify chip-and-pin terminals, intercepting the data transferred between the card and reader and sending it out via a hidden radio transmitter (and possibly spying on the PIN as it was typed, can't remember now). Since the communications contained enough unencryped info to reconstruct the magnetic stripe, and a lot of ATMs were magstripe-only...

    This was a real, in the wild exploit used by criminals - not a theoretical hack.

  81. Anonymous Coward
    Anonymous Coward

    There is a way to make forged cards work

    EMV cards including chip/pin that use static authentication (almost all of them do since the dynamic auth needs an expensive coprocessor in cart) can be made to accept any PIN, but also even if the issuer is doing online authentication, the CARD itself has the final say whether a transaction is approved. A faked up card could get the online verdict "deny" and just override it, allowing any transaction. So don't try to tell me chip and pin cannot be faked. Someday maybe dda will be used and it will get harder to make fake cards, but the card (chip) is treated as a trusted piece of the system, even though it is in the hands of a potential adversary. And what is the merchant or ATM to do? It gets the final verdict (transaction ok) from the card (or its chip more precisely) and has no idea that the online issuer told the card to deny the transaction. All the card has to do is say "sorry, up yours; nasty letter to follow; I will allow the transaction anyway."

  82. Anonymous Coward

    C&P in the USA...not!


    From what I understand in the US, C&P has been explicitly rejected, as it places too much risk on consumers , and they are aware of it. Much safer to have your card boosted/cloned, rather than nasty crim pointing firearm for persuassion. I have not seen a citation for this, but does not seem unreasonable...

    The most common "extra" measure I have seen in the US, is consumers write "SEE ID" in the signature strip, forcing the teller/clerk to see a driving license or something else with a personal photo+hologram+signature on it.

    I had my own card cloned in 08 , and I can tell you , my US bank were very quick to stop it (in 20 mins! and $200 ). Since I was in the UK at the time, it was a *major* problem to get a new card, especially since a notary public in the US cost $5, and >100GBP in the UK if you are not careful....

    I must say though, I do wonder what happened to the CCTV footage...?


  83. Anonymous Coward
    Thumb Down


    Maybe the judge should read TheReg more often...get himself clued up.

  84. Alistair Kelman

    Official judgement

    Is now on my website - free for anyone to download. I will shortly be posting comments there. - just follow the links

  85. Anonymous Coward


    Using a stolen chip & pin card is demonstrably not impossible. If you enter a PIN at random, you have 1 chance in 10000 that it will work. If you get the usual 3 attempts, you have 3 chances in 10000. If you have access to a card-reader (or even several), I expect you could arrange to get more than 3 attempts before all transactions on the card were blocked.

    Longish odds, maybe, but by no means impossible.

  86. Armus Squelprom

    Not a good test case

    Unfortunately I'm inclined to agree that some of the factors might be perceived as detracting from the claimant's credibility (eg only atm's near his address used; no attempts at withdrawal after his reporting of the 'fraud'; previous cards never arriving).

    As a balance of probabilities decision, it seems plausible that he and/or some relatives, acquaintances, neighbours, were making those withdrawals. Especially if he has successfully claimed refunds for similar incidents previously.

    Shame, cos I don't think C&P is anywhere near foolproof regardless of the banking industry's claims.

  87. Anonymous Coward
    Thumb Down

    Looks like a sound decision to me

    You have to read the judgement before condemning this one as a conspiracy theory.

    Though the bank's evidence is weak, the guy's credibility is seriously questionable.. immigrant reliant on income from his cousin as a professional footballer, didn't think there would be a 24/7 card fraud line, hid the card out in the garden when he found out about the withdrawals (dude...). Also managed to lose 7 cards in 3 years or something, and not receive 2 others. Further against him, the withdrawals stopped even before he'd officially reported them and were from cash machines he regularly used. The only thing he really had going for him was the fact he'd taken the dispute to the courts (presumably on someone else's money though...).

    It's easy to empathise with the situation (hiding cards in the garden aside) though, and it's a bit shocking the only evidence the bank present is some log record, not even now enough to prove it was a chip or magnetic transaction. The system would be chaos if it were too easy to dispute withdrawals, but as with credit records/ratings agencies. the system does sound like a bit of a black box, or even worse than that, and entirely out of the customer's control.

  88. Andus McCoatover

    Was this in Zimbabwe, or UK (not that it matters. Both run by twa*ts)

    QUOTE. >>I noticed that in 2005 the bank issued a replacement card which didn't arrive at the claimant's address and was fraudulently used.>>

    Did they just pop it in the post? (Larry Grayson's postman, "Pop-it-in-Pete" sprang to mind. "OOh, the things I've 'ad through my letterbox!")

    Er, in Finland when I get a bank card, either I pick it up from the bank, using passport/photo driving licence as ID, OR I get a little slip in the post, telling me to pick it up from the local 'posti'. Again, same ID required. Signature, natch.

    PLUS, all our ATM's have cameras just below the card slot. Can't see what you type, but attaches every transaction with a video. Sheesh, it ain't that difficult.

  89. Anonymous Coward
    Anonymous Coward

    HBOS losing a judgement?

    As practically the biggest banking organisation in the UK, is anyone really surprised that HBOS won this case?

    Even if they had lost, what do you think they would do? Here's a clue - how many times have the banks been told that charging £35 a letter is "unfair" and that these charges should be repaid to the account holders? And how many times have the banks appealed against the decision?

    Do any of the bank worker drones get anywhere near £35/hr, let alone £35 for the milliseconds it takes the bank's computer systems to detect a 'fail' condition (late payment, overdraft, etc) and send out one of these letters?

    If an organisation that is part of the finance industry can theoretically justify £35 for something that is part of their 'day job', how much more could someone not working in the finance industry legitimately charge for having to deal in financial matters? I figure if HBOS can justify charging me £70 to tell me I'm £10 overdrawn (one autogenerated letter costing £35 telling me I've gone overdrawn, then another autogen letter telling me I was £45 overdrawn on the following day) then I should be able to charge at least three or four hundred quid for the twenty-five minutes I had to spend sitting in a queue on their telephone service as "all our operators (are) busy"...

  90. Andus McCoatover

    JEEEEEEZUS!!! (@AC, 12:10)

    <<I figure if HBOS can justify charging me £70 to tell me I'm £10 overdrawn (one autogenerated letter costing £35 telling me I've gone overdrawn.......>>

    Shite, it reallly is NuZimbabwe over there.

    I was overdrawn (Nordea, Finland) about €50 for 3 days, realised, corrected the problem.

    No letter.

    Then, I see on my bank statement "Overdraft Fee. €0.50. Like, less than a quid!" FFS, why you folks continue to put up with this? G20 London demo's had a go with trashing a HBOS. Keep going!

    (Q. What do you call 100 bankers found chained together at the bottom of the sea?

    A. A good start....)

  91. Anonymous Coward

    @AC Saturday 6th June 2009 12:48 GMT

    The "lockout" is set by the microprocessor in the card. It has a incorrect counter. If it hits a 3rd incorrect No matter if you tried in a atm or POS terminal it locks the card. Until the ATM instructs it to unlock.

    The POS can verify the pin offline. As it send the user inputted value to the card. And the card returns Yay or Neigh

  92. Anonymous Coward
    Anonymous Coward

    @AC 8/6 @ 12:10

    They aren't allowed to charge you for a charge that they have issued taking you overdrawn, or further overdrawn. I'm pretty sure it's illigal, if it isn't it is certainly against the banking code.

    Furthermore if they are charging you £35 per letter, go to another bank. I went over my overdraft limit at the Coop recently and they sent me a "don't do it again" letter, which I think cost, but nothing like £35 quid.


    The UK is one of the few countries in Europe where you can have an unauthorised overdraft, it's actually a criminal offence in some countries, this is one of the reasons, along with free banking, that we have higher charges, but £35 seems a shitload too much.

  93. Kat Help

    Help me!!

    I checked my statements last Saturday to find 9 transactions of £300 come out of my business account that wasn't me or anyone i know. with 24hours HSBC had written to me and said they could prove the intergrated circuit chip was used and they weren't paying me any of the money i had robbed! i called them straight away and asked for the prove...after keeping me hold for 20mins they told me they would re-open the case. Clearly they hadn't been to 9 3rd party ATMs in 24hours and had this information to prove it! The case is still under investigation, but the police won't get the CCTV without the request of HSBC! Yesterday i've received another from my Natwest credit card saying someone hasd taken out £560 in 4 different tracations since the 9th May! do you think i've had my identity stolen. These cards by the way have never been used at a ATM Cash machine. whats happening!

This topic is closed for new posts.