This morning Jane Badger was acquitted of fraud at Birmingham Crown Court. The judge found there was no case to answer.
Her case was remarkably similar to that of John Munden, about whom I wrote here (and in my book here). Like John, she worked for the police; like John, she complained to a bank about some ATM debits on her bank statement that she did not recognise; like John, she was arrested and suspended from work; like John, she faced a bank (in her case, Egg) claiming that as its systems were secure, she must be trying to defraud them; and like John, she faced police expert evidence that was technically illiterate and just took the bank’s claims as gospel.
In her case, Egg said that the transactions must have been done with the card issued to her rather than using a card clone, and to back this up they produced a printout allocating a transaction code of 05 to each withdrawal, and a rubric stating that 05 meant “Integrated Circuit Card read – CVV data reliable” with in brackets the explanatory phrase “(chip read)”. This seemed strange. If the chip of an EMV card is read, the reader will verify the signature on the certificate; if its magnetic strip is read (perhaps because the chip is unserviceable) then the bank will check the CVV, which is there to prevent magnetic strip forgery. The question therefore was whether the dash in the above rubric meant “OR”, as the technology would suggest, or “AND” as the bank and the CPS hoped. The technology is explained in more detail in our recent submission to the Hunt Review of the Financial Services Ombudsman (see below). I therefore advised the defence to apply for the court to order Egg to produce the actual transaction logs and supporting material so that we could verify the transaction certificates, if any.
The prosecution folded and today Jane walked free. I hope she wins an absolute shipload of compensation from Egg!
An interesting resolution to the case, well done to all those who have been working hard behind the scenes!
Occam’s razor usually points to “the customer did it”, as the simplest explanation in a world of fraud and counter-fraud which is getting more and more complicated. But this ever increasing complexity might bring the razor to rest on a new truth: human error is the simplest explanation. Banks (like many other industries) just don’t properly understand their own computer systems any more.
Human error… if it hadn’t caused a world of hassle for Ms. Badger and others, it would be easy to laugh it off!
Mike.
If anyone has good ideas on how to produce cultural change in a bank toward having at least a tiny trace of security I’d be interested to see them posted here. SOX certainly hasn’t done it.
Cultural change will typically only appear if banks experience significant losses as a result of security lapses.
I work in IT security for an investment bank, and while we’re not perfect, we are pushing the envelope of our own capabilities continuously. The driver for these activities is cost and risk reduction.
Regulation like SOX is only helpful insofar as we can use it as a stick to beat the unwilling from the business side, but regulatory controls in themselves would be insufficient to manage risk.
More Egg in the news:
http://news.bbc.co.uk/1/hi/business/7222336.stm
J.A.B.: At least you’ve got an envelope!
I have followed the Munden case since way back and told many people about it (including EC officials when I worked there), but this case is worrying because it shows that almost nothing has happened to protect card holders from banks’ inefficiencies and plain old saving money in their security ‘system’.
Although it ended well, it appears it was only because Egg couldn’t or didn’t want to produce the data, not because, as in the Munden case, they were ordered to, and didn’t. The distinction is important; the precedent is still set that a bank is not required to support their contention that the client is perpetrating a fraud.
In “Integrated Circuit Card read”, the word “read” is ambiguous.
I often read the dictionary on my desk, but I have not read it. That would take far too long.
Similarly, an ATM might read a chip without reading the data it contains, for example because of errors.
It seems that there may be a parallel with car theft and supposedly “theft proof” transponders. I stumbled across this story via /.
http://www.wired.com/wired/archive/14.08/carkey.html
But the transponder system was intact. The car could have been shifted and steered, the investigator concluded, but the engine couldn’t have been turned on. “Since you reportedly can account for all the vehicle keys, the forensic information suggests that the loss did not occur as reported,” the company wrote to Wassef, denying his claim. The barely hidden subtext: Wassef was lying.
EFT message protocols use the PAN Entry Mode field to distinguish between different ways of capturing the card number and other details. If the magstripe was read and all of its data is available in the transaction message, the PAN entry mode field (defining how the card was read) is set to ’90’. This means something like ‘magstripe – CVV data reliable’ and indicates that the CVV data in the magstripe can be checked by the bank. It does not indicate that the CVV has been checked – the message hasn’t reached the bank yet and the terminal can’t check the CVV.
Some transaction messages might not contain reliable CVV data, e.g. if they came via a network that did not transmit the full magstripe data, or perhaps (I’m guessing a bit here) for a recurring payment where the card was initially read manually, but the CVV part of the magstripe was not stored for security reasons. Systems like this might then ‘fake’ the CVV part of the magstripe and indicate a mode of ’02’, defined as ‘magstripe read, CVV data unreliable’. It doesn’t mean that the CVV failed validation.
By analogy with this, 05 means the chip was read, and the CVV data that the message contains was not faked by the network, i.e. it can be checked by the bank. It doesn’t mean the CVV has been checked. For a chip transaction, other transaction data in the message will indicate whether the PIN was entered correctly and so on.
By further analogy there is sometimes a PAN entry mode of ’95’ defined to mean ‘chip read, CVV data unreliable’. I don’t know if this value is ever used. Maybe on networks that only have partial support for chip and PIN.
Correction to the above, in the second paragraph, I meant to say “where the card was initially read using the magstripe”.
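To make the point in the comments above concrete, here is an added example (not code from the post or from any bank) that decodes the PAN entry mode values described there and states what a transaction record does and does not establish. The record layout, field names and sample values are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# PAN entry mode values (first two digits of the POS entry mode field), as
# described in the comment above. The flag says whether the CVV data carried
# in the message is usable by the issuer, NOT whether anyone checked it.
PAN_ENTRY_MODES = {
    "90": ("magstripe", True),   # full track read, CVV data reliable
    "02": ("magstripe", False),  # magstripe read, CVV data unreliable
    "05": ("chip", True),        # chip read, CVV data reliable
    "95": ("chip", False),       # chip read, CVV data unreliable
}

@dataclass
class TransactionRecord:
    """Constructed record layout; the field names are assumptions."""
    pos_entry_mode: str                 # e.g. "051": PAN mode "05", PIN capability "1"
    cvv_result: Optional[str] = None    # issuer's CVV check result if logged ("M"/"N")
    cryptogram: Optional[str] = None    # hex ARQC/TC from the chip if retained

def assess(rec: TransactionRecord) -> dict:
    """Return what the record does and does not establish."""
    capture, cvv_usable = PAN_ENTRY_MODES.get(rec.pos_entry_mode[:2], ("unknown", False))
    cvv_checked = rec.cvv_result is not None
    cryptogram_present = rec.cryptogram is not None
    return {
        "capture": capture,
        "cvv_data_usable": cvv_usable,
        "cvv_checked": cvv_checked,
        "cvv_matched": rec.cvv_result == "M",
        "cryptogram_present": cryptogram_present,
        # A chip read only proves the genuine card was present once the
        # cryptogram is verified with the issuer's key; a printout showing
        # "05" alone proves neither a CVV check nor card presence.
        "card_presence_verifiable": capture == "chip" and cryptogram_present,
    }

# Constructed sample: what a printout that shows only "05" amounts to.
PRINTOUT_ONLY = TransactionRecord(pos_entry_mode="051")
# Constructed sample: a full log with the chip cryptogram retained.
FULL_LOG = TransactionRecord(pos_entry_mode="051", cvv_result="M",
                             cryptogram="A1B2C3D4E5F60718")

if __name__ == "__main__":
    for name, rec in (("printout only", PRINTOUT_ONLY), ("full log", FULL_LOG)):
        print(name, assess(rec))
```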
>> February 6th, 2008 at 20:01 UTC
Follow-up to my comment. Between 28-30 March 2008 I’ve lost about £1,100 to ATM fraud. I’m paranoid about security, only ever using two specific ATMs, only during daylight hours, so I would expect to notice any skimmer. I still have my card. My PIN has never been written down. Either someone guessed my account + PIN, or the Link database has a leak, or there’s something like an invisible “in-slot” skimmer out there. I wonder whether Nationwide will admit one of these unlikely-sounding scenarios, or just claim I’m a fraudster.
Found this blog when looking for information on CVV Transaction Data. I am helping a friend to sort out an ATM discrepancy. The bank has produced a number of copies from their investigation, but they have little meaning to us. If someone here is interested in this, or thinks you could be of some help, please contact me (email address provided).
I would also be interested in talking with Pete Austin, who posted above, as this is the same bank (Nationwide), which although I find very forthcoming in its branch, has not really produced results on this particular investigation we are looking into right now.
Read more in the URL (or if that does not work, I will copy the post here – if allowed).
This is the link to the whole story:
http://forums.moneysavingexpert.com/showthread.html?t=839107
Following on from the Nationwide thread, we have two members of our family who have had 1800 each taken from their accounts in the last month.
Having had numerous conversations with the branch it would appear they just pass the ball to their ‘special investigation’ units and hope that they do the necessary. It would be interesting to learn how much their exposure to this is at the moment.
She deserves a ship load of compensation from her filth colleagues, not Egg. They arrested and charged her knowing that no card is 100% reliable. They should all be sacked.
Don’t think she ever even got restitution …