A LANDMARK court battle between a bank and a customer over claimed 鈥減hantom鈥 cash withdrawals from ATMs has revealed a startling Achilles鈥 heel in banking security.
The weakness could make it possible for a corrupt bank employee to guess the personal identification numbers to customers鈥 cash cards in an average of just 15 attempts. As a result, computer security experts are calling for an overhaul of the way banks deal with customers鈥 claims of fraudulent withdrawals.
In February 2000, just two days after South African businessman Anil Singh was issued a new PIN, 190 separate withdrawals were made on his Diners Club card in London, totalling 拢50,000. Singh, who insists he was 6000 miles away in Durban at the time, says the withdrawals had nothing to do with him and has refused to pay. Citibank, which owns Diners Club, is now suing him for the money.
Advertisement
Banks often hold customers responsible for all such cash withdrawals because they are convinced that their systems are secure, says security expert Ross Anderson at the University of Cambridge. But Anderson and his student Mike Bond have found this is far from the case. If presented as evidence in Singh鈥檚 defence it could establish how the computers responsible for safeguarding PINs are not nearly as secure as the banks claim.
鈥淭he whole system relies on no one other than the customer knowing the PIN,鈥 says Bond. It is often up to customers to prove that they have not given the PIN to someone else. The burden of proof should be on the banks, he says.
Anderson and Bond鈥檚 research shows how corrupt employees could obtain as many as 7000 PINs during a 30-minute lunch break. This information could then be sold or exploited to 鈥渃lone鈥 fake cards that could then be used to withdraw money.
This is possible, says Bond, because of a weakness in the computer system used to verify PINs. Although anyone trying to use an ATM to guess a PIN is 鈥渓ocked out鈥 on the third failed attempt, people inside the bank can keep trying indefinitely. They could keep guessing until they get it right, says Bond.
Normally it would take an average of 5000 attempts to guess which of the 10,000 possible permutations a four-digit PIN could be. But Anderson and Bond have shown that weaknesses in the system used by most British banks make it possible to guess a PIN in a mere 15 attempts.
Sandra Quinn of the Association for Payment Clearing Services in London says it is one thing to do this in a lab and quite another in a live bank system. 鈥淣obody would ever say never, but it is highly unlikely that UK banks would be compromised,鈥 she says.
Others disagree. 鈥淭his is indeed a weakness,鈥 says Adam Hawley, of Caplin Systems, which used to design software for these systems. 鈥淏ut you would still need to have relatively high level of access.鈥