
ATM

This is the story of how the UK banking system could have collapsed in the early 1990s, but for the forbearance of a junior barrister who also happened to be an expert in computer law - and who discovered that at that time the computing department of one of the banks issuing ATM cards had "gone rogue", cracking PINs and taking money from customers' accounts with abandon.
The reason you're hearing it now is that, with Chip and PIN cards finally in widespread use in the UK, the risk of the ATM network being abused as it was has fallen away. And now that junior barrister, Alistair Kelman, wants to get paid for thousands of pounds of work that he did under legal aid, when he was running a class action on behalf of more than 2,000 people who had suffered "phantom withdrawals" from their bank accounts. What you're about to read comes from the documents he submitted last week to the High Court, pursuing his claim to payment.
"Phantom withdrawals" were a big mystery when the banks and building societies began to join their ATM networks together in the 1980s. Kelman at that time was a barrister (who argues cases in front of a judge, rather than only slogging away in legal chambers) specialising in intellectual property law. He got interested in computing in the 1980s when the National Computing Centre asked him to advise the Midland Bank on its computer system.
What quickly became clear was that the law needed a system to provide proof that events had happened so that legal cases could be made. You might say that "the computer debited the account", but to a barrister (and more importantly, a judge) that's not enough. Did the computer do it at random? In that case it's like a tree branch falling - an accident. Or did a person program it to do so? In which case the person must be able to testify about the precise circumstances in which a debit could happen. Sounds daft, but the law rests on proving each step of an argument irrefutably.
In February 1992 Kelman got a call from Sheila MacKenzie, head of the Consumers' Association (which publishes Which? magazine), who said that members were complaining by the dozen about phantom withdrawals, and was he interested? Kelman was, and met MacKenzie, with two of the association's members, Mr and Mrs McConville from Liverpool, who had had a number of phantom withdrawals from their Barclays account. They already had a solicitor, but needed someone with computer expertise in the law to make their case. Kelman at this time was able to charge £1,750 per hour - each hour being broken into six-minute chunks. Oh, and don't forget VAT too. That's £206.62 per six minutes.
He showed his value pretty quickly, pointing out that banks must have a legal mandate to debit someone's account. If they take money from a customer without a mandate, they must refund it. So the legal point of phantom withdrawals hinged on the question: if a PIN is typed into an ATM with a card that matches an account number, is that a mandate by the customer for the bank to debit their account?
As long as you didn't breach the terms of the contract by leaving your card lying around (which would give implicit authority for use), then you, as the customer, could simply say that the withdrawal was not mandated, and demand your cash back.
How could the banks respond? They'd have to give all the phantom withdrawal money back where they could not show that the customer had typed in the PIN - unless, that is, they claimed that their systems were infallible. Yes, only by going where no computer system had ever gone before could the banks deny that phantom withdrawals were (1) taking place and (2) their responsibility to refund.

You'd think it would be open and shut. You haven't dealt much with banks, have you? Kelman took the case on legal aid and decided to bundle up more than 2,000 people's cases into a single class action against all the high street banks taking part in the ATM network. He trawled newsgroups for information on how crackers might decode ATM cards.
He also met two key people in the course of his research. The first, early on, was Andrew Stone, an ex-con who had been done for fraud, who claimed to have taken £750,000 from ATMs by combining techniques such as shoulder-surfing and grabbing receipts from ATMs (which in those days often had the full account number on them). Stone - who was soon back in prison - was proof in himself that criminals could make "phantom" withdrawals.
Professor Ross Anderson, a cryptography and security expert who was an expert consultant to Kelman on the case, explains: "Stone had been working with building access systems using cards with magnetic stripes, and one day he thought he'd see what it could read of his ATM card. Then he tried it with his wife's." Stone figured that the stream of digits was probably an encrypted PIN.
"Then, because you can change the content of the magnetic strip, he wondered what would happen if he changed the number on his card to match his wife's. He found he could get money out using his old PIN." The high street bank Stone used (The Register knows which one) had not used the account number when encrypting the PIN stored on the card's stripe. That meant the encrypted PIN on any of that bank's cards was valid for any other account at the bank: rewrite the account details on the stripe (the branch sort code and account number) and the original PIN still verified. The name of the card holder was of course unimportant, because it was not on the stripe.
"After that," says Professor Anderson, "it was just a question for Stone of collecting as many account numbers as he could." Until the police caught up with him, at least.
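To make the weakness concrete, here is an added toy model; it is not the bank's real scheme and not code from the article. HMAC-SHA256 stands in for the issuer's PIN encryption (real issuers used DES-based schemes), and the key, sort codes, account numbers and PINs are all constructed for the example. It compares a stripe whose PIN block depends on the PIN alone with one whose PIN block also covers the account details, and shows that Stone's rewrite of the account fields only works against the first.

```python
import hashlib
import hmac

# Constructed issuer key for the toy model; a real issuer would hold this in an HSM.
ISSUER_KEY = b"constructed-issuer-key"


def pin_block_unbound(pin: str) -> str:
    """Weak derivation: the stripe value depends on the PIN alone, as at Stone's bank."""
    return hmac.new(ISSUER_KEY, pin.encode(), hashlib.sha256).hexdigest()[:16]


def pin_block_bound(pin: str, sort_code: str, account: str) -> str:
    """Bound derivation: the stripe value also covers the account the card was issued for."""
    msg = f"{sort_code}:{account}:{pin}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def issue_card(sort_code: str, account: str, pin: str, bound: bool) -> dict:
    """What the stripe carries: account details and the PIN block, but no card holder name."""
    block = pin_block_bound(pin, sort_code, account) if bound else pin_block_unbound(pin)
    return {"sort_code": sort_code, "account": account, "pin_block": block}


def atm_verify(stripe: dict, typed_pin: str, bound: bool) -> bool:
    """The ATM's check: recompute the block from the typed PIN and the stripe's account fields."""
    if bound:
        expected = pin_block_bound(typed_pin, stripe["sort_code"], stripe["account"])
    else:
        expected = pin_block_unbound(typed_pin)
    return hmac.compare_digest(expected, stripe["pin_block"])


def rewrite_stripe(own_stripe: dict, victim_sort_code: str, victim_account: str) -> dict:
    """Stone's move: keep the existing PIN block, overwrite the account fields on the stripe."""
    forged = dict(own_stripe)
    forged["sort_code"] = victim_sort_code
    forged["account"] = victim_account
    return forged


def stone_attack_succeeds(bound: bool) -> bool:
    """Does a rewritten card plus the attacker's own PIN withdraw from the victim's account?"""
    attacker = issue_card("20-00-00", "11111111", "1234", bound)   # constructed values
    forged = rewrite_stripe(attacker, "20-00-00", "22222222")       # victim's account, constructed
    return atm_verify(forged, "1234", bound)


def legitimate_use_works(bound: bool) -> bool:
    """Sanity check: the real card holder still gets in, and a wrong PIN is still refused."""
    victim = issue_card("20-00-00", "22222222", "9876", bound)
    return atm_verify(victim, "9876", bound) and not atm_verify(victim, "1234", bound)


if __name__ == "__main__":
    for bound in (False, True):
        print(f"PIN block bound to account: {bound} -> forged card accepted: {stone_attack_succeeds(bound)}")
```

The point is not the cipher but what goes into it: once the account number is part of the encrypted value, a PIN block lifted from one card is useless on any other, and the whole "collect account numbers" phase of Stone's scheme buys the attacker nothing.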
In September 1992 Kelman met a woman he called the "Lotus Lady", because she worked for Lotus at a time when he was considering buying some groupware to organise the rapidly-growing class action; he had already put the names and other details of all the litigants into a relational database to search for patterns in victims and withdrawals. The Lotus Lady was interesting because her ATM card didn't debit her account. It gave her money, but heaven knew where from.
Kelman thought for a moment and realised that there must be thousands of such cards - and after a little more thought, how it had happened.
How could there be thousands of such cards? Because the chances of any two random people meeting in the UK population at that time were 25 million to 1. For one of them to have the only card in existence that debited other people's accounts was absurd. He'd been on the case for six months, met - say - 3,000 people through it - and one of them had such a card. The odds only work if thousands of people are walking around with cards like that, or potentially could be. They had the wrong magnetic stripe on the card: the front was embossed with the holder's details, but the account and encrypted PIN on the stripe pointed somewhere else. How would that not be spotted?
Simple: dummy accounts. To do their testing in an environment where the bank systems had to work all the time, the computing teams set up a parallel universe of dummy banks, dummy branches and dummy accounts. But they generated real ATM cards for them, and could take out real money - authorised by the banks. Some people were getting dummy cards.
But equally, Kelman saw, it would be possible for a "rogue" computing department to start tweaking the cards to take money from innocent customers.
