
                   Claims Involving Electronic Payment Systems
 
                                Ross J. Anderson

              Computer Laboratory, Pembroke Street, Cambridge CB2 3QG


Abstract
--------

Many existing and proposed electronic payment systems are quite insecure
and the number of claims involving fraudulent or disputed transactions is
rising steeply. The banks' recent action in limiting customers' liability
for such transactions through automatic teller machine (ATM) systems to
50 Pounds may in practice limit ATM claims to those cases where
consequential losses are involved, but growing fraud against signature-based
card systems such as Switch will continue to be an issue, as will disputes
involving other electronic payment and trading systems. In particular,
Electronic Document Interchange (EDI) systems are proliferating with very
little thought being given to protecting transactions against fraudulent
manipulation.

For these reasons, it is quite likely that practising lawyers will have to
deal with electronic payment disputes at some time in their careers. The
technical details can be extremely complex, as the proper cryptographic
protection of transactions involves a range of mathematical and engineering
disciplines. However the basic principles are relatively straightforward.
In this article we outline a number of possible attacks against electronic
trading and payment systems, and discuss the issue of liability for disputed
transactions.

Introduction
------------

An unpublished survey carried out recently by a leading consumer organisation
indicates that about a third of account holders at UK banks have had some
dispute with their bank over an electronic banking transaction. These
often concern `phantom withdrawals', debits posted for ATM transactions of
which the account holder has no knowledge.

Although US banks are required to make good any such losses unless they
can prove that the customer was at fault, British banks have traditionally
claimed that their systems are infallible, and that no withdrawals can be
made without both the customer's card and PIN (personal identification
number). The implication is usually that the customer must have been
defrauded by a member of his own family, and this can cause considerable
anger and distress to the victims.

The situation has been acknowledged by the report of the Commission on Banking
Services Law (the `Jack Report', reference [8]) as unsatisfactory, with
one-sided contracts and no effective competition (section 9.21); the banks
try to discourage any public discussion of system security (10.03), although
the PIN concept has never been tested in the UK courts (10.04) and a majority
of expert evidence sees the PIN system as vulnerable from a security
standpoint (10.06). It appears that the banks see anti-fraud investment as
not being cost effective (10.11), and this can be expected to continue for so
long as customers whose accounts have been raided can be made to carry the
loss.

The UK clearers' response to these criticisms has been to agree to limit
customer liability to 50 Pounds in the case of some of the more common types
of disputed transaction. The expectation is probably that this will reduce the
risk of a case ever getting to court and setting a precedent which could put
the onus clearly on the bank, as is the case in the USA.

This may not succeed, as consequential losses can often flow from phantom
withdrawals. In one current case, which has been widely reported in the press,
the plaintiff is an elderly account holder who claims that her bank so
harassed her about an overdraft arising from a series of phantom withdrawals
that she suffered health problems as a result.

What can a lawyer realistically hope to achieve for an aggrieved client? How
can one establish that the client has been defrauded, or at least that the bank
has failed to carry out its general duty to observe the customer's mandate?
In order to answer this question, we will have to understand the various ways
in which an ATM system can be defrauded.

The Evolution of ATM Systems
----------------------------

Automatic Teller Machines, or ATMs, were like most computer systems in that
they were originally developed without much concern for security other than
the obvious protection against violent external assault. The first examples
were introduced in the UK in 1968 and simply accepted a punched card and a PIN,
checked the PIN against the card, and dispensed a fixed amount of cash
(typically 10 Pounds). The card was retained by the ATM, processed as a cheque
and returned to the customer with his statement at the end of the month. The
PIN was introduced to add value: without it, the card could have been used by
anyone to draw cash, and so would have been of no more use than cash to most
customers.

A fraud problem arose in some countries overseas, where criminals (and in
Israel, even enterprising but misguided students) worked out the relationship
between the holes punched in the card and the corresponding PIN. There was
also a concern about what would happen if a customer repudiated a transaction.
How could a bank satisfy a judge that their system was secure, even in the face
of testimony from a plausible witness?

These pressures led to a number of research programs being carried out into
ATM security, and in particular PIN security, in the late 1970's and early
1980's, with the aim of tackling the problem by making forgery impossible.
A number of systems were developed, of which two captured most of the market.
These were the IBM system, developed by Meyer, Matyas and others; and the
VISA system, developed by Carl Campbell. They share a core concept, which is
to derive the PIN from the customer's account number.

The business objective was to ensure that no-one at the bank could ever get
to know any customer's PIN. The derived technical objectives were to avoid
having a file of PINs, as this file might be stolen or copied by one of the
bank's programmers; and to avoid having the PIN on the card, where it could
be accessible to thieves or forgers. At the same time, most banks wanted to
be able to check PINs in ATMs which were offline, that is, not connected to
the bank's computer.

The solution developed by IBM and VISA was to encipher the customer's account
number using a secret encryption key, the PIN key, and use the first four
digits of the result as the PIN. The details of the process are described in
the open literature [1], [4], and so the security of the system depends
entirely on each bank keeping its PIN key secret.

The usual procedure was to keep this key in two or more components, each
held by a different official. Although familiar from the management of safe
combinations, this scheme gave rise to problems in practice: a bank may
have over a thousand ATMs and thus over two thousand key custodians, each
with a copy of one part or other of the key.
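The derivation scheme and the key-component arrangement just described, as an
added illustration (this is example code written for this page, not the IBM or
VISA implementation, and it uses HMAC-SHA256 as a stand-in for the DES block
cipher so that it runs on the Python standard library alone; the decimalisation
table and the account number are constructed for the example):

```python
import hashlib
import hmac
import secrets
from typing import List

# Stand-in for the block cipher (DES in the IBM and VISA schemes): a keyed
# pseudorandom function built from HMAC-SHA256. This substitution is an
# assumption of the example; the structure of the scheme is what it shows.
def _keyed_block(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

# Decimalisation table mapping hex digits of the cipher output to decimal
# digits. Constructed for the example; a bank's own table may differ.
DECIMALISATION = str.maketrans("0123456789abcdef", "0123456789012345")


def derive_pin(pin_key: bytes, account_number: str, pin_length: int = 4) -> str:
    """Encipher the account number under the PIN key and keep the first
    pin_length digits of the decimalised result (the 'natural' PIN)."""
    block = _keyed_block(pin_key, account_number.encode("ascii"))
    return block.translate(DECIMALISATION)[:pin_length]


def atm_check_pin(pin_key: bytes, account_number: str, entered_pin: str) -> bool:
    """Offline check as an ATM holding the PIN key would do it: re-derive and
    compare in constant time. No file of PINs is needed anywhere."""
    return hmac.compare_digest(derive_pin(pin_key, account_number), entered_pin)


def split_key(key: bytes, parts: int = 2) -> List[bytes]:
    """Split the PIN key into XOR components for separate custodians. All but
    the last component are uniformly random, so any set of components short
    of the full set carries no information about the key."""
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for component in components:
        last = bytes(a ^ b for a, b in zip(last, component))
    return components + [last]


def combine_key(components: List[bytes]) -> bytes:
    """Reassemble the key from all of its components (done at key-loading
    time inside the ATM or security module, never on a general machine)."""
    key = bytes(len(components[0]))
    for component in components:
        key = bytes(a ^ b for a, b in zip(key, component))
    return key


if __name__ == "__main__":
    # Constructed sample data: a random 16-byte PIN key and a made-up account.
    pin_key = secrets.token_bytes(16)
    account = "4000123456789010"
    custodian_parts = split_key(pin_key, parts=3)
    assert combine_key(custodian_parts) == pin_key
    pin = derive_pin(pin_key, account)
    print("derived PIN:", pin, "check:", atm_check_pin(pin_key, account, pin))
```

The point of the XOR split is that a custodian holding one component learns
nothing about the key; the weakness the text goes on to describe is purely
organisational, in that a bank with a thousand ATMs ends up with a very large
number of such custodians.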

Carl Campbell's innovation was to devise a hierarchy of cryptographic keys
which enables central control to be maintained. This system is quite involved
but the heart of it is a device called a security module which generates all
the customer PINs and cryptographic keys used by the bank. Master keys are
generated in several components for manual loading into ATMs as before, but
once this initial loading is complete, all subsequent key management is done
automatically by the security module, which sends each ATM working keys from
time to time which are encrypted under its master keys.

The two main international card organisations, VISA and Mastercard, now
require all banks joining their scheme to build their ATM systems round
security modules. However, only about a third of existing member banks
have so far made this investment, often pleading the difficulty of system
change or the pressure of other development work. As a result, the new
entrants to the ATM business (such as the building societies) tend to
have more secure systems than the established players, and in fact some
three-quarters of disputed ATM transactions currently being reported seem
to concern the cardholders of one particular clearing bank.

There is no doubt that PINs have provided a useful first line of defence
against fraud. Indeed, VISA reports that the incidence of fraud on systems
which are PIN-based is about one hundredth of that from signature-based cards.
Given that fraud on the latter varies between 0.1% and 1% depending on the
country and the issuing bank, PINs must be saving billions. However, PIN-based
systems have a number of weaknesses which are not always well understood, and
as bankers become complacent, and technical knowledge of their systems
continues to spread, both the incidence of fraud and the likelihood of a really
major incident continue to grow.

Attacks on Signature Based Card Systems
---------------------------------------

Before considering how ATM systems can be attacked, we should first look at
signature based systems such as credit cards and Switch, as frauds are both
fairly easy and much more common than with PIN-based systems.

In a recent case at Winchester Crown Court (R v Stone and Hider, 910321.5,
29 July 1991), the defendants were convicted of defrauding the Switch system.
They obtained a magnetic reader writer with which they could easily alter
the magnetic strip of bank cards, and reencoded their own Switch cards with
the account numbers of various members of the public. This account information
was obtained by picking up discarded ATM receipts.

The case highlighted some of the banks' difficulties. Firstly, record keeping
was so poor that the banks could not establish how much had been stolen, and
the prosecution had to proceed on the basis of an amount admitted by the
defence. Most banks appear to keep no central record of disputed transactions,
and many people defrauded in this manner may have had their claims summarily
dismissed by branch staff.

Secondly, these reader writers are easy to obtain, and despite such frauds
being widespread overseas and well reported in the security press, the UK
banks had not bothered to implement the best overseas practice, which is to
print only the last six digits of the account number on ATM and other receipts.

US banks are also starting to equip cards with card verification values (CVVs),
which are three digit codes written to the magnetic strip but not on the
receipt or the card face. Like the PIN, the CVV is derived cryptographically
from the account number, and can be checked by payment terminals. However,
organised criminals in the US now copy the entire magnetic strip by
installing card readers in shops or restaurants belonging to accomplices
[6]. Potentially, any purchase you make in the USA other than at a major chain
may be put through a bogus terminal and could result in a spate of fraudulent
debits appearing on your next statement.
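The two countermeasures discussed above, masking the account number on
receipts and carrying a card verification value on the strip, as an added
example (not the banks' code; HMAC-SHA256 stands in for the issuer's DES-based
CVV algorithm, and the strip layout, key and card data are constructed for
the example). It also shows why the CVV stops receipt-based re-encoding but
not the copying of an entire strip at a bogus terminal:

```python
import hashlib
import hmac

# Decimalisation of the keyed-function output; constructed for the example.
DECIMALISATION = str.maketrans("0123456789abcdef", "0123456789012345")


def mask_account_number(account_number: str, visible: int = 6) -> str:
    """Receipt-printing rule described above: show only the last six digits."""
    hidden = len(account_number) - visible
    return "*" * hidden + account_number[hidden:]


def derive_cvv(cvv_key: bytes, account_number: str, expiry: str, service_code: str) -> str:
    """Three-digit value derived from the card data under the issuer's key.
    It is written to the magnetic strip but appears on neither the receipt
    nor the card face."""
    data = f"{account_number}|{expiry}|{service_code}".encode("ascii")
    digest = hmac.new(cvv_key, data, hashlib.sha256).hexdigest()
    return digest.translate(DECIMALISATION)[:3]


def encode_strip(account_number: str, expiry: str, service_code: str, cvv: str) -> str:
    """Simplified strip layout constructed for the example: fields joined by '='."""
    return "=".join([account_number, expiry, service_code, cvv])


def issuer_accepts(cvv_key: bytes, strip: str) -> bool:
    """Terminal/issuer check: recompute the CVV from the strip's own data and
    compare it with the CVV field. A strip lacking a valid CVV is refused."""
    fields = strip.split("=")
    if len(fields) != 4:
        return False
    account_number, expiry, service_code, cvv = fields
    expected = derive_cvv(cvv_key, account_number, expiry, service_code)
    return hmac.compare_digest(expected, cvv)


def receipt_reencoding_accepted(cvv_key: bytes, account_number: str,
                                expiry: str, service_code: str) -> bool:
    """R v Stone and Hider pattern: the account number came from a receipt, so
    there is no CVV to write; the issuer's check fails."""
    forged = "=".join([account_number, expiry, service_code])
    return issuer_accepts(cvv_key, forged)


def full_strip_copy_accepted(cvv_key: bytes, genuine_strip: str) -> bool:
    """Bogus-terminal pattern [6]: the whole strip is copied, CVV included,
    so the check cannot tell the copy from the original."""
    return issuer_accepts(cvv_key, genuine_strip)


if __name__ == "__main__":
    key = b"issuer-cvv-key (constructed)"
    account, expiry, service = "4000123456789010", "9512", "101"
    strip = encode_strip(account, expiry, service, derive_cvv(key, account, expiry, service))
    print("receipt shows:", mask_account_number(account))
    print("genuine card accepted:", issuer_accepts(key, strip))
    print("receipt re-encoding accepted:", receipt_reencoding_accepted(key, account, expiry, service))
    print("full strip copy accepted:", full_strip_copy_accepted(key, strip))
```

A guessed CVV written by a forger fails in the same way unless the guess
happens to be right, which is a one in a thousand chance per card; the
defence is therefore worth having against receipt-based attacks but is no
answer at all to a terminal that records the whole strip.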

There is evidence of increasing international cooperation between credit card
fraudsters. We can recall only one isolated case in the mid 80's of stolen card
numbers being used systematically on the other side of the Atlantic, but in the
last year or two this appears to have become a standard operating procedure as
criminals have realised that most `hot card lists' are only distributed
locally. In fact we learned recently from a senior US bank official that their
fraud loss tripled last year from about 0.3% to almost 1% of turnover.
Disputed transactions will be an increasing part of our future, and it is
highly likely that credit card operators will initially resist most claims,
for fear of suffering an avalanche of fraudulent claims of fraud.

Attacks on ATM Systems
----------------------

Banks have traditionally maintained a defence of infallibility in ATM
disputes. They claim that no transaction can possibly be made without the
card and the PIN, and so the client must have been negligent. Indeed, it is
not unknown for ATM cards to be `borrowed' by family members. However, the
blanket defence of infallibility is quite erroneous, as admitted in the Jack
Report [8], and has never been tested in a UK court; it would appear that in
practice the banks always settle.

In what follows, we list a number of ways in which an ATM system can be
subverted. The list is not exhaustive, but should give some idea of what may
have gone wrong, and help with the construction of arguments and
interrogatories in particular cases.

(1) The system can be compromised easily by poor administration. For example,
in February this year the author asked for an increased card limit: the bank
sent not one, but two, cards and PINs through the post. This was a near miss:
the cards arrived only a few days after intruders had got hold of our apartment
block's mail and gone through it looking for valuables. There appear to be no
statistics available for losses arising from this kind of incident, but we
expect that they account for thousands of cases a year.

(2) In our experience, banks in the English speaking world dismiss, or ask for
the resignation of, about one percent of their staff every year for
disciplinary reasons. A nontrivial proportion of these are for petty fraud or
embezzlement, in which ATMs are often involved. A clearing bank with 50,000
staff, which issued PINs predominantly through the branches rather than by
post, could expect about two incidents per business day of staff stealing cards
and PINs. These could be test cards, or cards otherwise used to milk the bank's
internal accounts; but it is simpler, and so much more common, for dishonest
staff to issue duplicate cards on ordinary accounts, or help themselves to
cards which have not yet been issued to customers.

(3) It may in some banks be possible for a dishonest teller to pass to a
customer's account a debit which masquerades as an ATM withdrawal, without
going near the ATM system. Such facilities may be provided in banking computer
systems in order to allow branch staff to rectify mistakes, and may be abused
from time to time. A policy of denying the existence of `phantom withdrawals',
and telling customers that they must have been defrauded by their own
relatives, may be expected to encourage this kind of embezzlement.

(4) Another source of trouble has been the existence of test transactions.
There was a test facility on one of the Olivetti 2000 series ATMs which would
output ten banknotes when a fourteen digit sequence was entered at the
keyboard. One bank published this sequence in its branch manual, and there
was a spate of fraud until all the banks using this type of machine had put
through a software change.

(5) Various program bugs and operational errors will also cause a certain
number of mistakes, such as duplicate transactions and debits posted to the
wrong account. These are familiar enough to heavy users of any bank's cheque
processing facilities, who correct them by reconciling their accounts and
demanding to see vouchers for stray debits. However, with ATM systems, the
customer cannot usually demand to inspect tally rolls, transaction logs and
balancing records; and any attempt at checking a disputed transaction is
generally frustrated in various ways by the bank. In view of the established
procedures for dispute resolution on cheque transactions, this may be a very
weak point in the banks' case. From our own banking systems experience, we
would expect an error rate from various causes of between 0.1% and 0.01% of
transactions; this is in order-of-magnitude agreement with surveys which show
that some 35% of UK cardholders have had an ATM dispute at some time in their
lives, but slightly higher than the Jack report's figure of one disputed ATM
transaction per hour in the UK. One can reconcile these differing error
estimates by the reasonable assumption that most victims of ATM errors
realise after contacting their branch that pursuing the matter will be futile.

(6) In addition to the above general problems, there are a number of
technical ways in which ATM systems can be attacked. One of the most
famous, at least within the computer security community, occurred at the
Chemical Bank in New York in about 1985. An ATM technician, who had been
dismissed, stood in ATM queues and observed customers' PINs as they were
entered. He would then pick up the discarded receipt, which contained the
account number, and write this number to the magnetic strip of a blank
card, just as with the R v Stone and Hider case. He managed to steal over
$80,000 before the bank saturated the area with security men and caught
him in the act. Needless to say, the emergence of worldwide ATM networks
during the past few years makes such attacks much more easy to mount, and
much more difficult to stop. In fact, it was this attack which motivated many
overseas banks to print only the last six digits of the account number on the
receipt.

(7) An even more sophisticated attack was reported from the USA in 1988. In
this case, the fraudsters had constructed a vending machine which would
accept any card and PIN, and dispense a packet of cigarettes. They placed this
in a shopping mall, and used the PINs and magnetic strip information it
recorded to forge cards for use in ATMs.

(8) Another technical attack relies on the fact that most ATM networks do not
encrypt the authorisation response to the ATM. This means that an attacker can
record a `pay' response from the bank to the machine, and continually replay it
until the machine is empty. This technique, known as `jackpotting', is not
limited to `hackers' - it appears to have been used in South Africa in
1987 by a bank's operations staff, who used network control devices to jackpot
ATMs where accomplices were waiting.
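The exchange described in (8), as an added example that is not part of the
paper and not any bank's code: a host and an ATM are simulated twice, once
with the bare `pay' response the text describes and once with a response that
carries a MAC bound to the ATM's own request sequence number, so that a
recorded response cannot be replayed. The MAC construction, key and amounts
are constructed for the example:

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _mac(key: bytes, *fields) -> str:
    """Keyed authentication tag over the response fields (HMAC-SHA256 here)."""
    message = "|".join(str(f) for f in fields).encode("ascii")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class Host:
    """Bank host. With a key it authenticates each response over the ATM's
    sequence number, the amount and the verdict; without one it sends the
    bare response the text describes."""

    def __init__(self, mac_key: Optional[bytes]):
        self.mac_key = mac_key

    def authorise(self, request: dict) -> dict:
        response = {"seq": request["seq"], "amount": request["amount"], "verdict": "PAY"}
        if self.mac_key is not None:
            response["mac"] = _mac(self.mac_key, response["seq"],
                                   response["amount"], response["verdict"])
        return response


class Atm:
    """ATM. Each request carries a fresh sequence number; in protected mode a
    response is honoured only if it matches the one outstanding request and
    its MAC verifies, so a recorded response is useless a second time."""

    def __init__(self, mac_key: Optional[bytes]):
        self.mac_key = mac_key
        self.seq = 0
        self.pending: Optional[int] = None
        self.dispensed = 0

    def request(self, amount: int) -> dict:
        self.seq += 1
        self.pending = self.seq
        return {"seq": self.seq, "amount": amount}

    def handle(self, response: dict) -> bool:
        if self.mac_key is not None:
            if response.get("seq") != self.pending:
                return False  # stale or replayed: no request is waiting for it
            expected = _mac(self.mac_key, response["seq"], response["amount"], response["verdict"])
            if not hmac.compare_digest(expected, response.get("mac", "")):
                return False  # forged or altered
        if response["verdict"] == "PAY":
            self.dispensed += response["amount"]
            self.pending = None
            return True
        return False


def simulate(protected: bool, amount: int = 100, replays: int = 5) -> int:
    """One genuine withdrawal followed by `replays` replays of the recorded
    response. Returns the total the ATM dispensed."""
    key = secrets.token_bytes(32) if protected else None
    host, atm = Host(key), Atm(key)
    response = host.authorise(atm.request(amount))
    atm.handle(response)                 # the legitimate transaction
    for _ in range(replays):
        atm.handle(response)             # the same response fed in again
    return atm.dispensed


if __name__ == "__main__":
    print("unprotected ATM dispensed:", simulate(protected=False))
    print("protected ATM dispensed:", simulate(protected=True))
```

Encrypting the response alone would not be enough: an enciphered `pay'
message can be replayed just as well as a clear one. What stops the replay
is that the response is bound to a value the ATM chose for this request and
will never use again, and that the binding is authenticated.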

(9) Some banks decided to hold the encrypted PINs on a database. This meant
that a programmer, who knew that his own PIN was 1537, would observe that his
encrypted PIN was (say) 32AD6409BCA4331, and then search the database
for all other account numbers with the same PIN. If the bank has five
million cards outstanding, there should be at least five hundred of these.
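The weakness in (9) is that of any deterministic encryption: equal plaintexts
give equal ciphertexts, so a stored PIN file reveals which accounts share a
PIN. The following added example (written for this page, not a bank's code;
HMAC-SHA256 stands in for the cipher, and the card file is constructed with a
deliberately small pool of PINs so that collisions are certain) builds the
file both ways and reports the largest group of accounts sharing one stored
value, which is the check an auditor would want:

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple


def encrypt_pin_naive(pin_key: bytes, pin: str) -> str:
    """PIN enciphered under the bank's key alone: the same PIN always yields
    the same stored value, whichever account it belongs to."""
    return hmac.new(pin_key, pin.encode("ascii"), hashlib.sha256).hexdigest()


def encrypt_pin_bound(pin_key: bytes, account_number: str, pin: str) -> str:
    """PIN enciphered together with its account number: equal PINs on
    different accounts no longer produce equal stored values."""
    data = f"{account_number}|{pin}".encode("ascii")
    return hmac.new(pin_key, data, hashlib.sha256).hexdigest()


def build_pin_database(pin_key: bytes, cards: List[Tuple[str, str]], bound: bool) -> Dict[str, str]:
    """Map each account number to its stored (enciphered) PIN value."""
    if bound:
        return {acct: encrypt_pin_bound(pin_key, acct, pin) for acct, pin in cards}
    return {acct: encrypt_pin_naive(pin_key, pin) for acct, pin in cards}


def largest_ciphertext_group(db: Dict[str, str]) -> int:
    """Audit metric: the greatest number of accounts sharing one stored value.
    Anything above 1 means the file leaks which accounts share a PIN."""
    groups = defaultdict(int)
    for stored in db.values():
        groups[stored] += 1
    return max(groups.values())


def constructed_cards(count: int = 2000, distinct_pins: int = 50) -> List[Tuple[str, str]]:
    """Constructed sample card file: `count` accounts whose PINs are drawn from
    a pool of `distinct_pins` values, so every PIN recurs count/distinct_pins times."""
    return [(str(10000000 + i), f"{i % distinct_pins:04d}") for i in range(count)]


if __name__ == "__main__":
    key = b"bank-pin-key (constructed)"
    cards = constructed_cards()
    naive = build_pin_database(key, cards, bound=False)
    bound = build_pin_database(key, cards, bound=True)
    print("largest group, naive file:", largest_ciphertext_group(naive))
    print("largest group, account-bound file:", largest_ciphertext_group(bound))
```

With the naive file the metric equals the number of accounts sharing the most
popular PIN, and with real PIN distributions that group is far larger than
the uniform case the text assumes, since customers favour a few memorable
values. With the account-bound file the metric is 1 regardless of how PINs
are distributed.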

(10) Banks which do not use security modules are open to much more direct
attacks. A system programmer can simply observe clear PINs passing through
the mainframe computer, compile a list of corresponding account numbers and
PINs, and make up forged cards.

(11) The worst case of all for the bank is when the PIN key itself becomes
known. We know of two cases of this, both of which were `inside jobs'
involving technical personnel. It is also just within the bounds of
possibility for a bank's PIN key to be determined by outsiders using
cryptanalysis - although this would be a major undertaking, and has been
estimated to need about 30,000 pounds worth of computer time [2]. However,
computing resources are rapidly becoming cheaper, and one could even envisage
a situation in which the codebreaking resources of the former USSR were
misused for private gain.

Electronic Document Interchange
-------------------------------

A number of vendors are selling systems for Electronic Document Interchange
(EDI). The idea is to save time and money by replacing paper documents such as
invoices, statements and so on with messages which are passed electronically
from one company to another. Of course, there exist quite substantial
opportunities for fraud in this area, as these electronic documents can
quite easily be altered by employees at either party to the transaction or even
by outsiders.

It is a matter of some concern to us that, although vendors make occasional
noises about security, few of the systems we have seen make any provision for
authenticating these electronic transactions.

Tampering could be undertaken to cover up theft of stock, support VAT frauds
or to introduce bogus invoices into a company's accounting system. As EDI
systems will also generate documents for official bodies such as HM Customs,
it is quite likely that they will become targets for drug smugglers wishing
to hide their shipments among those of a respectable importer.

We feel that vendors of EDI systems which do not offer facilities for
the authentication of all electronic documents according to best international
practice may be making themselves liable for large damages in the event of
these systems having to be substantially modified in the light of frauds
which are highly predictable today. It is concluded in the Jack report that
even following best practice is not a comprehensive defence against a claim
that a supplier has not discharged a duty of care, and that such a practice
may need to be reinforced by contract or by statute. Suppliers who do not even
bother to follow best practice may find themselves very vulnerable indeed
when the first big losses arrive.

This raises two related questions, namely what constitutes best practice; and
how can one prove, whether to a counterparty or an arbitrator, that a
transaction was in fact originated by a particular party.

Practice, Proof and Liability
-----------------------------

Most large banks worldwide now offer their corporate clients some kind of
cash management system, whereby the company treasurer can dial the bank's
mainframe computer from his PC and perform online account enquiries and
transactions. These transactions may be limited to moving money between the
company's various trading and deposit accounts so as to minimise overdraft
charges or maximise interest payments, or they may extend to making payments
to suppliers as well.

Needless to say, such systems need good security, for, if they are penetrated,
enormous sums could be siphoned off by the attackers. As a result, a lot of
work has been done on authenticating and encrypting electronic banking
transactions, and these developments now provide an example of good practice
to which EDI suppliers should adhere and which EDI customers should demand.
There are EEC standards on secure systems [3] but they are still at an early
stage of evolution and phrased in such general terms that, in our view, anyone
engaged in certifying an EDI system would have to look at its near analogues,
such as electronic funds transfer systems, for guidance.

Now a corporate banking system will typically provide three layers of security:
firstly, it will identify each user of the system positively, whether by means
of a password or by using a token such as a smartcard; secondly, it will
compute one or more digital signatures to authenticate each transaction;
and thirdly, it will encrypt the message traffic, in order to protect client
confidentiality.

The hard issue is: how can one verify the correctness of any given scheme
for authentication and encryption? What solutions are available to the
practical problem of arbitrating between two parties, one of whom claims his
system is secure, while the other claims that a transaction has been forged?

Such solutions will inevitably be technical in nature, and there are currently
two streams of research on the problem. The first, originating at MIT in
America, uses a technique known as public key cryptography to generate
digital signatures on transactions which can then be checked by anybody.
While mathematically elegant, this technique is rather slow and (in the US at
least) the subject of patents whose holders charge a significant royalty.

The second, which originated and continues here at Cambridge, uses the
techniques of formal logic to investigate the security claims made for
particular cryptographic systems, and to assist in the design of systems on
which great reliance must be placed.

Given that we can now produce designs whose correctness can be formally
verified, that such systems are in regular use overseas [7], and that any
desired arbitration function can be built in, it is hard to see how
purveyors of insecure systems can escape liability.

This is the standard view overseas. As already noted, the US government
imposes full liability on payment system operators such as banks, on the
grounds that they are the main beneficiaries when these systems are installed.
US Federal Reserve regulations ensure that it is the bank, rather than the
customer, who pays for disputed ATM and other EFT transactions, unless of
course the bank can prove fraud or negligence by the customer. With the
exception of Germany, countries which have investigated the liability issues
of electronic banking and transaction processing tend towards the American
view.

Conclusions
-----------

ATMs have been described as one of the top 100 ideas of the 20th century.
However, the current security technology of magnetic cards and PINs may be
due for review and upgrade. Recently reported figures [5] show that plastic
card fraud in the UK was 166,000,000 pounds in 1991, up 35% from 1990.
There will be a further sharp increase next year, as the banks' agreement to
carry all but the first 50 pounds of loss will cause many losses previously
borne by customers to be recorded in the official figures.

A number of prospective successor technologies have been available for several
years now. These include watermark cards, smart cards, and biometrics.

The first two are, for our present purposes, just cards which are designed to be
difficult to forge. Watermark cards achieve this by embedding a serial number
in the magnetic strip which cannot be altered after manufacture, while smart
cards dispense with the magnetic strip altogether and store the customer
information in an embedded integrated circuit.

Biometrics refers to the automatic measurement of personal characteristics,
such as voiceprints, fingerprints or signatures; pilot projects have been
reported using fingerprints to identify bank customers in India and using
voiceprints to control the payment of pensions in South Africa, while the
industry giant IBM has launched devices for automatic signature recognition.

The problem therefore is not so much a shortage of technological options
as the banks' nervousness in committing to a new technology, out of fear that
a different technology might eventually become standard. Where this
nervousness has been overcome, for example in France, we have seen the
introduction of advanced payment systems based on smartcards [7].

However, mounting losses make clear that it is time for credit and debit card
operators to take the plunge and start building the next generation of
payment systems. These, together with the emerging EDI networks, should be
designed to be secure, and this will be more likely to happen once it is
accepted in the UK, as it already is overseas, that system operators should
be liable for all frauds and errors. After all, these are now largely
avoidable and will only be significant if the system suppliers take a more or
less conscious decision to economise on security.

Up till now, as the Jack report observed, UK banks tended not to see
electronic security as being a cost-effective investment, especially
as existing systems were cheap, alternatives less so, and the poor
customer could almost always be made to foot the bill for fraud.

This will all change. In the meantime, we have noted a strong tendency for
claims involving ATM and EFT disputes to be settled. An initial offer of
50% of the claim seems to be about normal, but settlement in full is usually
a reasonable goal where the plaintiff is a clearly credible witness.
The banks appear to perceive that the cost to them of an unfavourable
precedent could be very high indeed, and to be quite apprehensive about the
possibility of an avalanche of fraudulent claims of fraud. Even if this turns
out to be unfounded, they are not keen to expose their system security to
critical examination and are well aware that having to pay the full amount of
all disputed transactions, as in the USA, would be a significant extra expense.

In conclusion, practising lawyers should be aware that electronic transaction
systems are not infallible and that claims can very often be pursued with a
high expectation of settlement.

Bibliography
------------

[1]
D. W. Davies and W. L. Price, "Security for Computer Networks", John Wiley
and Sons, 1984.

[2]
G. Garon and R. Outerbridge, "DES Watch: An Examination of the Sufficiency of
the Data Encryption Standard for Financial Institution Information Security in
the 1990's", Cryptologia, XV, no. 3 (July 1991), pp 177-193.

[3]
Information Technology Security Evaluation Criteria, Provisional Harmonised
Criteria, June 1991, EC document COM(90) 314.

[4]
C. H. Meyer and S. M. Matyas, "Cryptography: A New Dimension in Computer Data
Security", John Wiley and Sons, 1982.

[5]
Sunday Telegraph, 8 March 1992.

[6]
Times, 23 March 1992.

[7]
R. J. Anderson, "UEPS - A Second Generation Electronic Wallet", to appear in
ESORICS 92.

[8]
Report of the Review Committee on Banking Services Law, HMSO, 1989.
