A LANDMARK court battle between a bank and a customer over claimed “phantom” cash withdrawals from ATMs has revealed a startling Achilles’ heel in banking security.
The weakness could make it possible for a corrupt bank employee to guess the personal identification numbers to customers’ cash cards in an average of just 15 attempts. As a result, computer security experts are calling for an overhaul of the way banks deal with customers’ claims of fraudulent withdrawals.
In February 2000, just two days after South African businessman Anil Singh was issued a new PIN, 190 separate withdrawals were made on his Diners Club card in London, totalling £50,000. Singh, who insists he was 6000 miles away in Durban at the time, says the withdrawals had nothing to do with him and has refused to pay. Citibank, which owns Diners Club, is now suing him for the money.
Advertisement
Banks often hold customers responsible for all such cash withdrawals because they are convinced that their systems are secure, says security expert Ross Anderson at the University of Cambridge. But Anderson and his student Mike Bond have found this is far from the case. If presented as evidence in Singh’s defence it could establish how the computers responsible for safeguarding PINs are not nearly as secure as the banks claim.
“The whole system relies on no one other than the customer knowing the PIN,” says Bond. It is often up to customers to prove that they have not given the PIN to someone else. The burden of proof should be on the banks, he says.
Anderson and Bond’s research shows how corrupt employees could obtain as many as 7000 PINs during a 30-minute lunch break. This information could then be sold or exploited to “clone” fake cards that could then be used to withdraw money.
This is possible, says Bond, because of a weakness in the computer system used to verify PINs. Although anyone trying to use an ATM to guess a PIN is “locked out” on the third failed attempt, people inside the bank can keep trying indefinitely. They could keep guessing until they get it right, says Bond.
Normally it would take an average of 5000 attempts to guess which of the 10,000 possible permutations a four-digit PIN could be. But Anderson and Bond have shown that weaknesses in the system used by most British banks make it possible to guess a PIN in a mere 15 attempts.
Sandra Quinn of the Association for Payment Clearing Services in London says it is one thing to do this in a lab and quite another in a live bank system. “Nobody would ever say never, but it is highly unlikely that UK banks would be compromised,” she says.
Others disagree. “This is indeed a weakness,” says Adam Hawley, of Caplin Systems, which used to design software for these systems. “But you would still need to have relatively high level of access.”