Today I was in Nottingham County Court watching the civil case of Job vs Halifax plc. Alain Job is an asylum seeker from Cameroon who reported some disputed transactions on his Chip and PIN card in February 2005. He has had the courage to sue the Halifax for the money he alleges was taken from his account that they have refused to refund. This is the first time the veracity of Chip and PIN has been disputed in court.
Job complained to the Halifax, and they insisted his card had been used. He took his case to the Ombudsman, and the Ombudsman ruled in favour of the Halifax:
"I consider that the audit trail provided is in a format utilised by several major banks and therefore can be relied upon"..
In other words the Ombudsman checked the file format, not the contents of the file detailing the transactions.
Today Job had his day in court. Several weaknesses were found in his evidence: he admitted not telling the bank of a change of address for several months after the alleged fraud (he has a complex address history due to his asylum situation). He had a total of 15 cards on two accounts over 6 years, losing several cards per year. He maintains he was 'exteremly careful' with his card.
On 22nd February 2006 when he discovered that £2100 was missing from his account, he inexplicably placed his card in the garden for the night before reporting the fraud to the bank the next day. At 22:50, while he claims he was watching Newsnight, another withdrawal was performed. All the withdrawals were from two machines near to his home in Reading. These withdrawals for £200-£300 continued until 1st March (his card had not been cancelled, he simply reported the questioned transactions).
Evidence from the Halifax was similarly weak. The card was a Visa Electron card which performs all transactions online. After September 2006, Electron would not fallback to magstripe and it would decline transactions - before this date fallback was enabled. The bank's log says that a chip transaction was performed.
The ARQC is not provided in the logs. The ARQC is retained for 180 days according to Visa's accreditation programme, but Halifax claim it has been deleted. Halifax did not provide to the court the card unique key, which will enable the ARQC to be easily verified. The transaction went through the Link network: Link logs the transaction and Halifax did not provide the Link logs. The ATM will have logged the Transaction Cryptogram (TC), but the TC was not provided either from the bank log, nor from the ATM roll. This means nobody is able to verify the cryptogram on which the bank relies. The card has been destroyed so we're unable to verify the Application Transaction Counter.
Halifax's witness claimed to be unaware of the Citibank/TJMax (Judd vs Citibank) in the US, despite this being a well publicised case of significant interest to someone in the industry. In that case magstripe data was skimmed from millions of cards, and then an insider attack on the bank authentication server performed to extract the cleartext PINs in bulk. There were many other areas the witness claimed to be unaware of.
Steven Murdoch giving evidence as expert witness for the Plaintiff (Job) indicated several ways in which the bank's system may be fallible. There may be a failure in the random number generator in the ATM. There may be malware in the authentication server. There may be an error or an insider in the personalisation process where the key can be found 'in the clear' - Murdoch cited an example where a friend of his was sent two identical cards with identical secret keys. There may be an error in the reporting of the data, so that a chip transaction was reported where it was not present.
A 'yes card' is straightforward to construct with freely available hardware and software - but if the logs are correct would have required a further glitch in the bank's system.
There then followed a long period in which the plaintiff's counsel tried to get across the idea of a priori probabilities, and subsequent crossexamination of the witness directly by the judge. Halifax's counsel contented that a malfunction in the system was highly unlikely, given that it runs millions of transactions. Murdoch eventually succeeded in conveying the point that we have no statistics on the prevalence of this fraud in the population - this is the only case to reach court; there could be thousands of other cases out there which do not reach court and are not flagged up.
A second witness for Halifax was called (I believe from APACS, but I'm not sure). He agreed that cardholder present fraud reduced 2004-6 but is now on the rise again. He claimed that any security breaches would already be public - they'd have no opportunity to hide them. (This is clearly not the case - whenever a vulnerability is detected the banks always claim they knew about it all along, so why was it not public?)
In summing up, counsel for Halifax sought to emphasise the extreme unlikelihood that these transactions were caused by a glitch in the system. The tenacity that Job has applied to get this far means nothing - the bank also have tenacity in defending it thus far. It came out that the judge himself has been a victim of phantom withdrawals (in Essex, where he has never been). During summing up counsel was heavily crossexamined by the judge - the bank were taken to task for the lack of card evidence they provided.
The counsel for Job aimed to point out that the possible failures in computer systems, and the unlikelihood that Job would have got this far if he were lying. The judge sought to point out this was a Fast Track case and not an important case, while a lot of importance is put upon it by the industry.
There was no judgement today, a written verdict will be released in about a month.
(Report from a barrister sitting next to us)