Lax banks blamed for vanishing cash

THE PAST five years has seen a rise in complaints by users of cash machines linked to computers of financial institutions.

The usual response of a bank, when faced with a complaint about so- called phantom withdrawals of which an account holder denies knowledge, is to claim that the bank's computer system is highly secure and that the customer or, more frequently, his or her spouse is at fault.

Persistent complaints by customers have been dealt with more severely, with banks taking complaining customers to court for deception.

Ross Anderson, a researcher, claims in the American journal of the Association for Computing Machinery, Communications, that phantom withdrawals are common. Moreover, they are not the result of the activities of highly skilled gangs of hi-tech criminals but of relatively simple lapses in security.

Of the hundreds of examples of known phantom withdrawals only two have, he charges, involved cracking secret codes associated with cashcards. The remainder occurred as a result of programming or system errors, the postal interception of cards by criminals, or thefts by bank staff.

Mr Anderson gives the example of a typical, heterogeneous system, such as the type used by banks and building societies, for which you can expect a system error rate of about 1 in 10,000. If this rate were replicated in banking applications, then something like 90,000 phantom transactions would be produced in an entire year.

He also points out that there is a high level of cash machine fraud committed by bank staff and gives some worrying examples of this.

A customer in Hastings had £8,600 stolen from her account by an employee of the bank, who changed her address to his, issued a new card, used it to plunder her account, and then changed the address back to the original one.

At a Scottish bank, an engineer fitted a cash machine with a hand-held computer that recorded customers' personal identification numbers. The engineer made counterfeit cards, then plundered the accounts.

Criminals have recently discovered how you can change the account number on your own cash card to someone else's account number. Consequently, they are now able to withdraw sums from other people's account using a cash machine.

Two men were recently charged at Bristol Crown Court with theft using this technique.

Mr Anderson cites one type of cash machine that had a test transaction that output 10 bank notes when a 14-digit code was entered at the keyboard. Details of this were printed in a bank's operations manual.

In the United Kingdom the law is heavily weighted against customers who complain about phantom transactions. At best, they are ignored; at worst, they can find themselves in front of a judge charged with fraud.

This has engendered a high degree of complacency in many financial institutions that have rudimentary security policies and rely too much on sophisticated tools meant to counter attacks that very rarely happen.

These banks also have little computing expertise in their security departments, and use software development methods that do not treat security requirements as an important component of the overall requirements for a system.

Mr Anderson's report is a damning critique of computer security as practised in financial institutions around the world. It is also a pretty incisive criticism of the work on security that is being carried out by many academic researchers, eager to generate results.