Every Christmas we give our friends in the banking industry a wee present. Sometimes it’s the responsible disclosure of a vulnerability, which we publish the following February: 2007’s was PED certification, 2008’s was CAP while in 2009 we told the banking industry of the No-PIN attack. This year too we have some goodies in the hamper: watch our papers at Financial Crypto 2012.
In other years, we’ve had arguments with the bankers’ PR wallahs. In 2010, for example, their trade association tried to censor the thesis of one of our students. That saga also continues; Britain’s bankers tried once more to threaten us, so we told them once more to go away. We have other conversations in progress with bankers, most of them thankfully a bit more constructive.
This year’s Christmas present is different: it’s a tale with a happy ending. Eve Russell was a fraud victim whom Barclays initially blamed for her misfortune, as so often happens, and the Financial Ombudsman Service initially found for the bank as it routinely does. Yet this was clearly not right; after many lawyers’ letters, two hearings at the ombudsman, two articles in The Times and a TV appearance on Rip-off Britain, Eve won. This is the first complete case file since the ombudsman came under the Freedom of Information Act; by showing how the system works, it may be useful to fraud victims in the future.
(At Eve’s request, I removed the correspondence and case papers from my website on 5 Oct 2015. Eve was getting lots of calls and letters from other fraud victims and was finally getting weary. I have left just the article in the Times.)
Wow, I read the whole thing and the very end was a kick in the pants when the ombudsman refused to award the victim legal expenses. Does FOS really think that a legal process of this magnitude could successfully be completed by a layman without any assistance while still maintaining a full time job?
Barclays paid Eve’s legal bills in full. In fact, the decision was theirs; the Ombudsman found in Eve’s favour only after Barclays decided not to proceed with the case. The Ombudsman was “plus royaliste que le roi” in other ways too, saying in effect that the fraud was really her fault although the law didn’t let them find against her this time. Despite all the evidence, they couldn’t accept that it could have been an inside job or a technical attack. A proper court would have approached the case with a more open mind.
Thank you for posting this. It was powerful stuff. Powerfully reminiscent of a personal run-in with RLP.
I was particularly shocked by the casual assumption by the ombudsman that a person (assumed not to need a solicitor) and a corporation (that can be safely assumed to retain as many as it needs) can be treated as equal parties. The moment that Barclaycard made its first of many mistakes it should have been ordered to pay damages plus expenses.
Sadly the FOS comes off as sounding like a shill and the whole thing feels like it has been swept under the carpet.
Thanks again. I love your blog.
The article seems to suggest the PIN in question may have been a customer selected PIN. The newspaper says it had not been changed since November 2006.
Customer selected PINs, if this is indeed the case, are rather easy to guess. Instead of the ca. 5000 trials needed to discover a cryptographically generated PIN, half a dozen or so will do for a customer selected PIN. The fraudster would not need to target Eve, he could have picked up in this way some twenty or thirty cards and half of them would have succeeded with the standard 6 trials.
Well done Ross. As I have said before with other ombudsman cases you have blogged, we must try to dismantle the ombudsman system in this country. Ombudsmen admit they are biased, which means they totally disregard the rules of evidence, actively prevent the complainant from having access to witness statements, make irrational statements, and, as I was informed by Sir David Yardley, have to accept the interpretation of the law as presented by the Council because they were permitted to employ lawyers and I was not! (Even if I had had a lawyer, his/her interpretation would not be regarded as lex lata.) The FOA has helped, but I think it will be the FOA that goes before the ombudsmen do.
Happy Hogmanay
Like how you slammed the bank and court so well in your expert letter, Ross. It was nice.
Why? I appreciate that somebody with knowledge of a specific customer may be able to guess what the customer will have chosen more efficiently than brute-force but as the PIN is of the same format, I can’t see why you would reliably get such a massive improvement.
Amazing work. Why can’t industry take these things seriously instead of always playing the defensive card? The behaviour of people in perceived positions of power in situations such as these really makes it hard for me to have faith in humanity. Luckily people like Ross are there to provide a ray of light.
To Surreptitious Evil: Several studies show that similar to what happens with passwords, customers tend to select the same common PINs, such as 1234, 5555, 3333 etc, or something related to their birthday or phone number etc. There are several ways a thief can obtain this data, for example a pickpocket.
Next time you’re in the supermarket look carefully at the PIN keypad. Notice the wear on the keys. Notice how ‘1’ has the most wear. If you’re really astute, you might even notice a pattern of wear decreasing with increasing number. Possibly Benford’s law at work?
Or as one Asda cashier mentioned to me the other day, most people’s year of birth starts with ’19’. Perhaps in another 4 years the numbers ’20’ might be increasingly common (assuming you have to be at least 16 to get a bank card these days).
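The two claims in the thread above, that a handful of guesses is enough against customer-selected PINs while an issuer-generated PIN needs on the order of 5000, and that common choices cluster on repeated digits, straight runs and birth years, can be put in numbers and turned into an issuer-side check. The script below is an added illustration and is not code from the post or from any of the commenters. The PIN population in it is constructed and its weights are invented; the six-guess budget and the "19"/"20" birth-year prefixes are taken from the comments, and the weak-PIN rules are one plausible set, not any bank's actual policy.

```python
"""Added illustration (not from the post or its commenters): how much a
fixed guessing budget gains against customer-chosen PINs compared with
issuer-generated ones, plus an issuer-side weak-PIN check.

The population of PINs below is CONSTRUCTED for illustration only; it is
not measured data and the popular-PIN weights are invented.
"""
from collections import Counter

PIN_SPACE = 10_000      # 4-digit PINs: 0000..9999
ATTEMPTS = 6            # the "standard 6 trials" budget mentioned in the comments


def expected_trials_uniform(space=PIN_SPACE):
    """Mean number of guesses needed to hit a uniformly random PIN by
    exhaustive search: about 5000 for four digits, the figure quoted above."""
    return (space + 1) / 2


def uniform_success(attempts=ATTEMPTS, space=PIN_SPACE):
    """Probability that `attempts` distinct guesses hit an issuer-generated,
    uniformly random PIN."""
    return attempts / space


def skewed_success(population, attempts=ATTEMPTS):
    """Probability that trying the `attempts` most common PINs of `population`
    (a Counter of PIN -> number of customers using it) hits a customer drawn
    at random from it.  This is the ceiling for a fixed budget when customers
    choose their own PINs, and it is what a PIN policy must push down."""
    total = sum(population.values())
    most_common = population.most_common(attempts)
    return sum(count for _, count in most_common) / total


# Constructed population: a few over-used PINs plus 785 customers who each
# picked something different.  Weights are invented to make the effect visible.
SAMPLE_PINS = Counter({"1234": 100, "1111": 40, "0000": 30,
                       "1212": 20, "7777": 14, "1004": 11})
SAMPLE_PINS.update({f"{n:04d}": 1 for n in range(3000, 3785)})   # 785 distinct PINs


def is_weak_pin(pin, year_prefixes=("19", "20")):
    """Issuer-side check at PIN-selection time.  Flags the patterns the
    comments describe: one repeated digit, a straight run up or down, a
    repeated pair, and anything that looks like a birth year (the '19'/'20'
    prefixes from the Asda cashier's remark).  The prefix rule is deliberately
    coarse; a real policy would tune it."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:                      # 5555, 3333
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                       # 1234, 4321, 0123
        return True
    if pin[:2] == pin[2:]:                         # 1212, 6969
        return True
    if pin[:2] in year_prefixes:                   # 1984, 2009
        return True
    return False


def weak_pin_share(population):
    """Fraction of customers in `population` whose chosen PIN fails is_weak_pin,
    i.e. how many would be sent back to choose again under this policy."""
    total = sum(population.values())
    weak = sum(n for pin, n in population.items() if is_weak_pin(pin))
    return weak / total


if __name__ == "__main__":
    print(f"expected exhaustive trials, random PIN: {expected_trials_uniform():.0f}")
    print(f"{ATTEMPTS} guesses vs random PIN:       {uniform_success():.4%}")
    print(f"{ATTEMPTS} guesses vs constructed set:  {skewed_success(SAMPLE_PINS):.1%}")
    print(f"customers flagged by weak-PIN check:    {weak_pin_share(SAMPLE_PINS):.1%}")
```

Against a uniformly random PIN the six-guess budget succeeds 0.06% of the time; against the constructed population it succeeds 21.5%, because the budget is spent on the most popular choices rather than on arbitrary ones. The exact ratio depends entirely on how skewed real customer choices are, which this script does not measure; the defender's lever is the selection-time check, which in this population would have rejected 21.4% of the chosen PINs and with them almost all of the mass the guesser benefits from.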