How ATM fraud nearly brought down British banking

Phantoms and rogue banks


By this time the legal process was underway. Kelman had issued (but not served) a writ on the banks in July 1992. Four days later four men appeared in court following the seizure by police of more than 200 forged ATM cards in Sydenham, south London. Even so, the banks refused to deal.

In August 1992 the writ was served. The banks suggested that the class action shouldn't be a class action, but should be 2,000 small claims actions. Divide and conquer, of course.

Things ground on, until in April 1993 the banks - through the Association of Payment Clearing Services, Apacs - changed their rules. Customers would only be liable for the first £50 of any disputed or "phantom" withdrawals; the sum could be waived completely if the customer had a good enough case that they had not given away their PIN. This effectively killed the ATM class action, because the banks had accepted liability - in a roundabout way.

The writ that Kelman had served on the banks was then wrapped up in a two-day hearing in May 1993, in which the solicitors for the banks were obliged to stand up and admit one by one that their systems were not, after all, infallible.

On 22 June 1993, Judge Hicks gave judgement, mostly in favour of the motion by Kelman, who expected the banks to simply settle.

But a few days later Kelman heard something that worried him deeply. The computing staff at one bank - the Rogue Bank - had discovered, through dummy accounts, how to fix the PIN generator so that every PIN it issued was one of only three values. By creating a number of dummy accounts and getting new PINs issued for them, they could capture the sequence. Then all that was needed was to recode the cards so they would point to different account numbers, try the three PINs (ATMs gave you three chances) and they were away.

This "gave me major concern," says Kelman. "The security of the entire ATM network upon which the UK banking system was based was predicated on nobody knowing your PIN." He could see that if this reached the media, people would begin comparing PINs, and on finding identical ones would tell others, and the security system used by the banks would collapse overnight. Then there would be a dramatic run on the banks as everyone tried to take their money to a safer place, such as under the mattress.

And there wasn't time for the banks to fix the problem if anyone went public with it. Their MTBU was too short. MTBU? That’s “Maximum Time to Belly Up”, as coined by the majestic Donn Parker of Stanford Research Institute. He found that businesses that relied on computers for the control of their cash flow fell into catastrophic collapse if those computers were unavailable or unusable for a period of time. How long? By the late 1980s it had fallen from a month to a few days. That’s not a good thing; it meant that a collapse of the computers that any UK clearing bank relied on would destroy it in less than a week.

After dwelling on the problem for 48 hours, Kelman finally decided there was only one way out: use the Bank of England’s "show and tell" session, held secretly every month, where banks had to own up to their vulnerabilities, so that risks to the British economy could be identified. Kelman suggested the creation of an "Office of ATM Security", which would deal with any complaint of phantom withdrawal, and analyse it on a time-and-geography database, and get the customer to give their PIN, which would be encoded on a one-time cipher and compared with previous records. Details of customers with identical PINs would point the police to further lines of inquiry. Anthony Scrivener – lately appointed defence counsel to Saddam Hussein – was strongly behind this.
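The two checks above, the issuance audit that would catch a generator collapsing to three PINs and the complaints database that matches keyed PIN fingerprints across time and geography, as an added illustration that is not code from the article or from any bank; it assumes four-digit PINs, uses HMAC-SHA256 in place of the "one-time cipher" the article mentions, and runs on constructed sample complaints:

```python
import hmac
import hashlib
from collections import Counter, defaultdict

# Constructed sample complaints, not real data: (customer, region, date, pin).
# Two PINs recur across unrelated customers, as in the Rogue Bank scenario.
COMPLAINTS = [
    ("A", "Sydenham", "1992-07-02", "4417"),
    ("B", "Sydenham", "1992-07-02", "4417"),
    ("C", "Croydon",  "1992-07-09", "4417"),
    ("D", "Leeds",    "1992-08-01", "9020"),
    ("E", "Leeds",    "1992-08-03", "9020"),
    ("F", "Bristol",  "1992-08-14", "1357"),
    ("G", "Bristol",  "1992-08-14", "2891"),
]
PIN_SPACE = 10_000  # four-digit PINs: a healthy generator spreads issuance over all of them


def issuance_health(issued_pins, min_distinct_ratio=0.5):
    """Audit a batch of freshly issued PINs (assumed available to the bank's auditors).
    A healthy generator yields mostly distinct values; a handful of distinct PINs
    across hundreds of accounts is the failure the article describes."""
    return len(set(issued_pins)) / len(issued_pins) >= min_distinct_ratio


def pin_fingerprint(pin: str, key: bytes) -> str:
    """Keyed hash of the PIN; HMAC stands in for the article's one-time cipher (assumption).
    The clear PIN is never stored, only this fingerprint, so records can still be matched."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()


def build_database(complaints, key):
    """Index complaints by PIN fingerprint, keeping only customer, region and date."""
    db = defaultdict(list)
    for customer, region, date, pin in complaints:
        db[pin_fingerprint(pin, key)].append((customer, region, date))
    return db


def suspicious_clusters(db, factor=100):
    """Fingerprints whose share of complaints is `factor` times what a uniform generator
    would give (1/PIN_SPACE per PIN); at least two complainants must share the PIN."""
    total = sum(len(records) for records in db.values())
    threshold = max(2, factor * total / PIN_SPACE)
    return {fp: records for fp, records in db.items() if len(records) >= threshold}


def time_and_geography(records):
    """Group one cluster's complaints by (region, date) for follow-up inquiries."""
    return Counter((region, date) for _, region, date in records)
```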

But before he could do this, Kelman was dismissed from the case by the solicitor representing the McConvilles, who had originally hired him. They wanted to pursue the case to the bitter end, rather than get the settlement Kelman felt was in the offing.

Kelman was stuck. He couldn’t say what he had learned; it would leak. He couldn’t complain to the Law Society or Bar Council; it would leak. He couldn’t tell the banks, because he had no authority now, having been de-instructed. So he drew up his fee note. It was a lot less than he could have earned in the City, he says.

"Fortunately for the UK banking system and the British people, nobody else did discover what I found about the activities of the Rogue Bank," Kelman notes. Two years later, though, he had corroboration of what he had learnt: "the computing staff at the [Rogue] bank were completely out of control and engaged in multiple frauds."

He reckons that his fees – just shy of £200,000 over 15 months – probably “saved the UK banking system”, and that by using his database suggestion, the UK banks could have saved £200 million over the past 12 years.

And why is he telling this explosive story now? Because chip and PIN has been deployed across the UK ATM network. "The vulnerability in the UK ATM network was still there to be exploited – if someone had chanced upon it."

Only now, with chip and PIN widely deployed, does Kelman feel that the risk of subversion of the PIN system, "as performed by the computing staff of the Rogue Bank" (his capitals), has "been eliminated". (Professor Anderson agrees, but says many other loopholes remain.) Kelman thinks that during the 1990s, "the UK banking system was gravely at risk of collapse at all times because of this substantial security flaw."

Apacs said it was unaware of Kelman's case and so had no comment on Kelman's allegations. Link, which operates the UK's largest ATM network, had no comment ahead of this story.

And the price of silence? He could not take silk – that is, become a QC (Queen’s Counsel, the highest level of barrister) – because he felt he could not talk about the risks to the UK banks.

But the real losers, he suggests, are the McConvilles, "an ordinary working-class couple whose money was stolen from them by criminals at [a high street] Bank." They're now dead. But any time that you, or someone you know, has money siphoned from their account by a cloned card you have the McConvilles to thank when it's repaid.

Other links: Phantom withdrawals page (Prof Ross Anderson)

