British Phantom ATM Withdrawals

One reason U.S. regulators are so suddenly advocating two-factor authentication for U.S. financial transactions may be that they doubtless know what happened in the U.K. with one-factor ATM cards some years ago:
This is the story of how the UK banking system could have collapsed in the early 1990s, but for the forbearance of a junior barrister who also happened to be an expert in computer law – and who discovered that at that time the computing department of one of the banks issuing ATM cards had “gone rogue”, cracking PINs and taking money from customers’ accounts with abandon.
How ATM fraud nearly brought down British banking: Phantoms and rogue banks, by Charles Arthur, The Register, published Friday 21st October 2005 09:52 GMT
This problem had been going on since the 1980s, and there has been a class action lawsuit in process since 1992 trying to force the affected banks to replace the money stolen from their customers. Why have we only heard about it now?

The story clarifies this:

The reason you’re hearing it now is that, with Chip and PIN cards finally in widespread use in the UK, the risk of the ATM network being abused as it was has fallen away.
Hm, that’s good for the U.K. Maybe not so good for the U.S., where such cards are not in widespread use. Maybe four-digit PINs that are easy to steal or guess weren’t such a good idea after all. Maybe it’s time for something to change in the U.S.

Well-known security researcher Ross Anderson is cited in the story as agreeing that the current U.K. chip and PIN system does away with the loophole the rogue bank was using. However, Prof. Anderson had already published a white paper in which he and others spell out why chip and PIN is not a panacea. The paper notes that when this new scheme was first introduced, fraud actually increased.

There are technical problems with chip and PIN, but the primary difficulty is economic and legal: banks have succeeded in shifting liability for fraud from themselves, even though they are the ones who implement the security systems involved, onto their customers.

It is well-known to students of security economics that when one party is responsible for protecting a system, while another party suffers when it fails, then security failure can be expected.
Chip and Spin, Ross Anderson, Mike Bond, and Steven J. Murdoch, Computer Laboratory, University of Cambridge
Nothing’s perfect, but something like chip and PIN might be a good idea in the U.S.; it would make phishing harder, at least.

-jsq