Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Lax banks blamed for vanishing cash

Darrel Ince
Saturday 01 April 1995 17:02 EST
Comments

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

THE PAST five years has seen a rise in complaints by users of cash machines linked to computers of financial institutions.

The usual response of a bank, when faced with a complaint about so- called phantom withdrawals of which an account holder denies knowledge, is to claim that the bank's computer system is highly secure and that the customer or, more frequently, his or her spouse is at fault.

Persistent complaints by customers have been dealt with more severely, with banks taking complaining customers to court for deception.

Ross Anderson, a researcher, claims in the American journal of the Association for Computing Machinery, Communications, that phantom withdrawals are common. Moreover, they are not the result of the activities of highly skilled gangs of hi-tech criminals but of relatively simple lapses in security.

Of the hundreds of examples of known phantom withdrawals only two have, he charges, involved cracking secret codes associated with cashcards. The remainder occurred as a result of programming or system errors, the postal interception of cards by criminals, or thefts by bank staff.

Mr Anderson gives the example of a typical, heterogeneous system, such as the type used by banks and building societies, for which you can expect a system error rate of about 1 in 10,000. If this rate were replicated in banking applications, then something like 90,000 phantom transactions would be produced in an entire year.

He also points out that there is a high level of cash machine fraud committed by bank staff and gives some worrying examples of this.

A customer in Hastings had £8,600 stolen from her account by an employee of the bank, who changed her address to his, issued a new card, used it to plunder her account, and then changed the address back to the original one.

At a Scottish bank, an engineer fitted a cash machine with a hand-held computer that recorded customers' personal identification numbers. The engineer made counterfeit cards, then plundered the accounts.

Criminals have recently discovered how you can change the account number on your own cash card to someone else's account number. Consequently, they are now able to withdraw sums from other people's account using a cash machine.

Two men were recently charged at Bristol Crown Court with theft using this technique.

Mr Anderson cites one type of cash machine that had a test transaction that output 10 bank notes when a 14-digit code was entered at the keyboard. Details of this were printed in a bank's operations manual.

In the United Kingdom the law is heavily weighted against customers who complain about phantom transactions. At best, they are ignored; at worst, they can find themselves in front of a judge charged with fraud.

This has engendered a high degree of complacency in many financial institutions that have rudimentary security policies and rely too much on sophisticated tools meant to counter attacks that very rarely happen.

These banks also have little computing expertise in their security departments, and use software development methods that do not treat security requirements as an important component of the overall requirements for a system.

Mr Anderson's report is a damning critique of computer security as practised in financial institutions around the world. It is also a pretty incisive criticism of the work on security that is being carried out by many academic researchers, eager to generate results.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in