Interesting People mailing list archives

CARD FRAUD AND COMPUTER EVIDENCE


From: David Farber <farber () central cis upenn edu>
Date: Mon, 14 Feb 1994 10:43:03 -0500

From: rja14 () cl cam ac uk (Ross Anderson)
Subject: CARD FRAUD AND COMPUTER EVIDENCE
Organization: U of Cambridge Computer Lab, UK
Date: Mon, 14 Feb 1994 13:36:50 GMT


A case has just concluded in England which may be significant for computer and
cryptographic evidence in general, and for electronic banking in particular.
It also gives some interesting insights into the quality assurance and fraud
investigation practices of one of Britain's largest financial institutions.


I will be talking about this case to the BCS Computer Law Special Interest
Group on Thursday 17th February at 6pm. The meeting will be held at the offices
of Bristows Cooke Carpmael, which can be found at 10 Lincoln's Inn Fields. To
get there, take the tube to Holborn, exit southwards and turn second left into
Remnant Street.


For the sake of those who cannot make it, there follows a report of the case
from the notes I made during the hearing.




                        *               *               *
1. Background.


On February 8th, 10th and 11th, I attended the trial at Mildenhall Magistrates'
Court, Suffolk, England, of a man who was charged with attempting to obtain
money by deception after he complained that he had not made six of the
automatic teller machine transactions which appeared on his statement.


The essence of the case was that John Munden, a police constable, had
complained to the manager of the Halifax Building Society in Newmarket about
these transactions, which appeared in September 1992. He had also stated that
his card had been in his possession at all times. Since the society was
satisfied about the security of its computer systems, it was alleged to follow
that Munden must have made these transactions, or suffered them to be made;
and thus that his complaint was dishonest.


This trial had resumed after being adjourned in late 1993. According to the
clerk, evidence was given for the Crown at the initial hearing by Mr Beresford
of the Halifax Building Society that the society was satisfied that its systems
were secure, and so the transaction must have been made with the card and PIN
issued to the customer. Beresford had no expert knowledge of computer systems,
and had not done the investigation himself, but had left it to a member of his
department. He said that fraudulent transactions were rarely if ever made from
lobby ATMs because of the visible cameras. The Newmarket branch manager, Mr
Morgan, testified that one of the transactions at issue had indeed been made
from a machine inside the branch. He also said that in his opinion the
defendant had been convinced that he had not made the transaction; and that he
would not be aware of all the possible malfunctions of the ATM.


The defence had objected that the evidence about the reliability of the
computer systems was inadmissible as Beresford was not an expert. The court
allowed the prosecution an adjournment to go and look for some evidence; and
at the last minute, on the 20th January, I was instructed by Mr Munden's
solicitor to act as an expert witness for the defence.


2. The Prosecution Case.


On 8th February, Beresford's evidence resumed. He admitted that the Halifax
had some 150-200 `unresolved' transactions over the previous 3-4 years, and
that it would be possible for a villain to observe someone's PIN at the ATM
and then make up a card to use on the account. He confirmed that the person
who investigated the incident had no technical qualifications, had acted under
his authority rather than under his direct supervision, and had involved the
police without consulting him.


Evidence was next given by Mr Dawson, the Halifax's technical support manager.
He had originally written the bank's online system in 1971, and was now
responsible for its development and maintenance. The ATM system had been
written in 1978 for IBM 3600 series machines, and altered in 1981 when the
Diebold machines currently in use were purchased. All software was written
internally, and in the case of the mainframe element, this had accreted to
the nucleus originally written in 1971. Amendments to the online system are
made at the rate of 2-3 per week.


The PIN encryption scheme used was nonstandard. The PIN was encrypted twice
at the ATM and then once more in the branch minicomputer which controls it.
At the mainframe, the outer two of these encryptions were stripped off and
the now singly encrypted PIN was encrypted once more with another key; the
16 digit result was compared with a value stored on the main file record and
on the online enquiry file.


When asked whether system programmers could get access to the mainframe
encryption software, he categorically denied that this was possible as the
software could only be called by an authorised program.


When asked whether someone with access to the branch minicomputer could view
the encrypted PIN, he denied that this was possible as there were no routines
to view this particular record (even though the mini received this field and
had PCs attached to it). When asked what operating system the mini used, he
said that it was called either TOS or TOSS and that he thought it had been
written in Sweden. He could give no more information.


He had never heard of ITSEC.


He had not investigated any of the other 150-200 `unresolved transactions'
because he had not been asked to. The last investigation he had done was of
another transaction which had led to a court case, three years previously;
he had no idea what proportion of transactions went wrong, was not privy to
out-of-balance reports from branches, and was not familiar with branch rules on
ATM operations. He never visited the branch at Newmarket, where the disputed
transactions took place, but merely looked at the mainframe records to see
whether there were any fault records or error codes. He found none and took this
information at face value.


The fault recording system does not show repairs. The cryptographic keys in
the ATM are not zeroed when the machine is opened for servicing. The
maintenance is done by a third party. The branch only loads initial keys into
the ATM if keys are lost.


The Halifax has no computer security function as such, just the internal
auditors and the technical staff; it does not use the term `quality assurance'.


When asked by the bench what information was required to construct a card,
Dawson initially said the institution identifier, the account number, the
expiry date, a service code, an ISO check digit, a proprietary check digit,
and a card version number. He concluded from this that a card forger would
have to have access to an original card. However it turned out that the ATM
system only checks the institution identifier, the account number and the card
version number. He maintained doggedly that a forger would still have to
guess the version number, or determine it by trial and error, and claimed
there was no record of an incorrect version number card being used.


However, Munden's card was version 2, and it transpired later that version 1,
though created, was not issued to him; and that an enquiry had been made from a
branch terminal two weeks before the disputed transactions (the person making
this enquiry could not be identified). When asked whether private investigators
could get hold of customer account details, as had been widely reported in the
press, he just shrugged.


He claimed that the system had been given a clean bill of health by the
internal and external auditors.


The branch manager was recalled and examined on balancing procedures. He
described the process, and how as a matter of policy the balancing records
were kept for two years. However the balancing records for the two machines
in question could not be produced.


There was then police evidence to the effect that Munden kept respectable
records of his domestic accounts, which included references to the undisputed
withdrawals from ATMs, and that although he had once bounced a cheque he was
no more in financial difficulty than anybody else. The investigating officer
had only had evidence from the branch manager, not from Beresford or Dawson.
The investigating officer also reported that Munden had served in the police
force for nineteen years and that he had on occasion been commended by the
Chief Constable.


3. The Defence.


That concluded the prosecution case, and the defence case opened with Munden
giving evidence. He denied making the transactions but could not produce an
alibi other than his wife for the times at which the alleged withdrawals had
taken place.


The only unusual matter to emerge from Munden's testimony was that when he went
in to the branch to complain, the manager had asked him how his holiday in
Ireland went. Munden was dumbfounded and the branch manager said that the
transaction code for one of the ATM withdrawals corresponded to their branch
in Omagh. This was not apparent from the records eventually produced in court.


The next witness was his wife, Mrs Munden. Her evidence produced a serious
upset: it turned out that she had had a county court judgment against her, in a
dispute about paying for furniture which she claimed had been defective, some
two weeks before the disputed withdrawals took place. Her husband had not
known about this judgment until it emerged in court.


I gave expert evidence to the effect that the Halifax's quality procedures,
as described by Dawson, fell far short of what might be expected; that testing
of software should be done by an independent team, rather than by the
programmers and analysts who created it; and that Dawson could not be
considered competent to pronounce on the security of the online system, as he
had designed it and was responsible for it.


At a more detailed level, I informed the court that both national and
international ATM network standards require that PIN encryption be conducted in
secure hardware, rather than software; that the reason for this was that it
was indeed possible for system programmers to extract encryption keys from
software, and that I understood this to have been the modus operandi of a
sustained fraud against the customers of a London clearing bank in 1985-6;
that I had been involved in other ATM cases, in which some two dozen
different types of attack had emerged and which involved over 2000 complaints
in the UK; and that the Halifax, uniquely among financial institutions, was a
defendant in civil test cases in both England and Scotland.


I continued that ATM cameras are used by a number of other UK institutions,
including the Alliance and Leicester Building Society, to resolve such cases;
that in other countries which I have investigated the practice would be not
to prosecute without an ATM photograph, or some other direct evidence such as a
numbered banknote being found on the accused; that card forgery techniques were
well known in the prison system, thanks to a document written by a man who had
been jailed at Winchester some two years previously for card offences; that I
had personally carried out the experiment of manufacturing a card from an
observed PIN and discarded ticket, albeit with the account holder's consent and
on an account with Barclays rather than the Halifax; that the PIN pad at the
Halifax's Diebold ATM in Cambridge was so sited as to be easily visible from
across the road; and that in any case the investigative procedures followed in
the case left very much to be desired.


In cross examination, the prosecutor tried to score the usual petty points: he
attacked my impartiality on the grounds that I am assisting the Organised Crime
Squad at Scotland Yard to investigate criminal wrongdoing in financial
institutions (the reply from our lawyer was of course that helping the
prosecution as well as the defence was hardly evidence of partiality); he
claimed that the PIN pad at the ATM in Newmarket was differently sited to
that in Cambridge, to which I had no answer as I had not had the time to go
there; and he asserted that the Alliance and Leicester did not use ATM cameras.
On this point I was able to shoot him down as I had advised that institution's
supplier. He finally tried to draw from me an alternative theory of the
disputed transactions - staff fraud, or a villain whom Munden had booked in
the past getting his own back by means of a forged card, or a pure technical
glitch? I was unable to do this as there had been neither the time nor the
opportunity to demand technical disclosure from the Halifax, as had been the
case in two previous criminal cases I had helped defend (both of which we
incidentally won).


Dawson was recalled by the prosecution. He explained that only two of the
three tests carried out on new software were done by the analysts and
programmers who had written it, and that the third or `mass test' was done by
an independent team. He said that software failures could not cause false
transactions to appear, since the online system was written in assembler, with
the result that errors caused an abend.


He claimed that they did indeed possess a hardware security module, which was
bought in 1987 when they joined VISA, and which they used for interchange
transactions with VISA and Link although not for all transactions with their
own customers; and he finally repeated his categorical denial that any system
programmer could get at the encryption software. When asked by what mechanism
this was enforced, he said that they used a program called ACF2.


In his closing speech, the defendant's lawyer pointed out the lack of any
apparent motive, and went on to point out the lack of evidence: the balancing
records were not produced; the person responsible for attending to those ATM
malfunctions which the branch could not cope with was not identified; the
Halifax employee who had carried out the investigation was not called; the
handwriting on the ATM audit rolls, which was the only way to tie them to a
particular machine, could not be identified; the cameras were not working;
statements were not taken from branch staff; the disk in the ATM had not
been produced; and the internal and external audit reports were not produced.


He mentioned my expert opinion, and reiterated my point that when a designer of
a system says that he can't find anything wrong, what has he shown? He also
recalled that in the High Court action in which the Halifax is the defendant,
they had not relied on the alleged infallibility; and pointed out that if ATM
systems worked properly, then people wouldn't need to keep going to law
about them.


4. The Verdict and Its Consequences.


I have been aware for years that the legal system's signal-to-noise ratio is
less than 10dB; however, in view of the above, you can understand that it was
with some considerable surprise that I learned late on Friday that the court
had convicted Munden. My own reaction to the case has been to withdraw my money
from the Halifax and close my account there. Quite apart from their ramshackle
systems, the idea that complaining about a computer error could land me in
prison is beyond my tolerance limit.


No doubt it will take some time for the broader lessons to sink in. What is the
point, for example, of buying hardware encryption devices if people can get
away with claiming that system programmers can never get at an authorised
library? Why invest in elaborate digital signature schemes if they simply
repair the banks' defence that the system cannot be wrong? Is there not a case
for giving more consideration to the legal and political consequences of
computer security designs?


5. Action.


In the meantime, the police investigations branch have to consider whether John
Munden will lose his job, and with it his house and his pension. In this
regard, it might just possibly be helpful if anyone who feels that Dawson's
evidence was untruthful on the point that software can be protected from system
programmers on an IBM compatible mainframe, or that his evidence was otherwise
unsatisfactory, could write expressing their opinion to the Chief Constable,
Cambridgeshire Constabulary, Hinchingbrooke Park, Huntingdon, England PE18 8NP.






Ross Anderson
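An added worked example, not code from the post above and not the Halifax's own, illustrating the card-data point in Dawson's evidence (section 2): the fields he listed as being on the card, against the three the ATM system was conceded to check. The field layout, institution identifier, account number, issuer key and the keyed "proprietary check digit" are constructed or assumed for the illustration; the Luhn check digit is the public ISO/IEC 7812 algorithm.

```python
"""Added example: not code from the original post, nor the Halifax's own.

Models the two positions taken in evidence about card data: that a forger
would need every field of an original card, versus Dawson's concession that
the ATM system only checked the institution identifier, the account number
and the card version number. The field layout, the institution identifier,
the account number, the issuer key and the keyed 'proprietary check digit'
are all constructed or assumed here; the Luhn check digit is the standard
ISO/IEC 7812 algorithm and is public.
"""
import hashlib
import hmac

BANK_ID = "499999"     # assumed 6-digit institution identifier, not a real one
ISSUER_KEY = b"assumed issuer key; a real one would sit in an HSM"
KEYED_DIGITS = 1       # a single proprietary check digit, as described in evidence

# Constructed issuer file: account number -> card version currently issued.
# Version 1 was created but never issued; version 2 is the live card.
ISSUED = {"000123456": "2"}


def luhn_check_digit(body):
    """ISO/IEC 7812 (Luhn) check digit for the digit string `body`.
    Public algorithm: anyone with the account number can compute it."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str(-total % 10)


def keyed_check(pan, expiry, service, version, key=ISSUER_KEY):
    """Assumed model of an issuer-keyed check value (CVV-like MAC truncated to
    KEYED_DIGITS). The page does not describe the Halifax's real scheme."""
    msg = f"{pan}|{expiry}|{service}|{version}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** KEYED_DIGITS).zfill(KEYED_DIGITS)


def issue_card(account, expiry="9412", service="101", version=None):
    """Card data the issuer encodes: PAN with Luhn digit, plus the keyed value."""
    version = version or ISSUED[account]
    pan = BANK_ID + account
    pan += luhn_check_digit(pan)
    return {"pan": pan, "expiry": expiry, "service": service, "version": version,
            "pcd": keyed_check(pan, expiry, service, version)}


def check_as_testified(card):
    """What the ATM system was conceded to check: issuer, account, version."""
    pan = card["pan"]
    return pan[:6] == BANK_ID and ISSUED.get(pan[6:15]) == card["version"]


def check_all_fields(card, today="9209"):
    """What was first implied: every field on the card is verified."""
    pan = card["pan"]
    return (pan[-1] == luhn_check_digit(pan[:-1])
            and card["expiry"] >= today                       # YYMM strings
            and card["pcd"] == keyed_check(pan, card["expiry"],
                                           card["service"], card["version"])
            and check_as_testified(card))


def attempts_to_forge(account, check, max_versions=10):
    """Forger holding only the account number (say, from a discarded ticket).
    The Luhn digit is computable and an unexpired date is easy to pick, so only
    the version number and the keyed digit need guessing. Returns how many
    cards were tried before one was accepted, or None if none was."""
    pan = BANK_ID + account
    pan += luhn_check_digit(pan)          # forger computes this himself
    attempts = 0
    for version in range(max_versions):
        for guess in range(10 ** KEYED_DIGITS):
            attempts += 1
            card = {"pan": pan, "expiry": "9912", "service": "101",
                    "version": str(version), "pcd": str(guess).zfill(KEYED_DIGITS)}
            if check(card):
                return attempts
    return None


if __name__ == "__main__":
    print("genuine card accepted:", check_all_fields(issue_card("000123456")))
    print("tries vs. testified check:", attempts_to_forge("000123456", check_as_testified))
    print("tries vs. full check:", attempts_to_forge("000123456", check_all_fields))
```

Against the three-field check the forger's 21st card is accepted (versions 0 and 1 fail, version 2 passes with whatever digit he guessed first), and nothing on it came from the original card: the ISO check digit is public and the expiry date is unchecked. The full check only raises the cost by at most ten further guesses, because a single keyed digit is itself guessable; such a value protects an account only when declined attempts are logged and the card blocked, which is why a real CVV uses three digits.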

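A second added example, again not code from the post and not the Halifax's scheme, on the PIN encryption evidence in section 2 and the point made in the defence that PIN keys belong in secure hardware. It models only the final mainframe step (a keyed 16-digit value compared with the customer record), using HMAC-SHA256 truncated to 16 digits as a stand-in for the DES-based function real systems use, and shows what an insider who can read that key out of software can do. The key, account numbers and PINs are constructed.

```python
"""Added example: not code from the original post, nor the Halifax's scheme.

The evidence described a PIN encrypted several times between ATM, branch
minicomputer and mainframe, then re-encrypted under a mainframe key into a
16-digit value compared with the customer record. This models only that last
step, with HMAC-SHA256 truncated to 16 digits standing in for the DES-based
function real systems use, and shows why the key must live in a hardware
security module rather than in mainframe software: whoever can read the key
can recover every customer's PIN from the file offline, in at most 10,000
trials per account. Key, accounts and PINs are constructed.
"""
import hashlib
import hmac


def verification_value(key, account, pin):
    """16-digit keyed value stored on the customer record (stand-in for the
    encrypted PIN; not the Halifax's real function). The account number is
    mixed in so two customers with the same PIN do not share a stored value."""
    mac = hmac.new(key, f"{account}:{pin}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** 16).zfill(16)


class PinVerifier:
    """Mainframe-side PIN check with the key held in software."""

    def __init__(self, key):
        self._key = key          # in a sound design this never leaves the HSM
        self.customer_file = {}  # account -> stored 16-digit value

    def enrol(self, account, pin):
        self.customer_file[account] = verification_value(self._key, account, pin)

    def verify(self, account, pin):
        stored = self.customer_file.get(account, "")
        return hmac.compare_digest(stored, verification_value(self._key, account, pin))


def recover_pins(customer_file, extracted_key):
    """Offline attack by an insider who has read the key out of software:
    brute-force each account's 4-digit PIN against its stored value."""
    found = {}
    for account, stored in customer_file.items():
        for candidate in range(10_000):
            pin = f"{candidate:04d}"
            if verification_value(extracted_key, account, pin) == stored:
                found[account] = pin
                break
    return found


if __name__ == "__main__":
    mf = PinVerifier(b"constructed mainframe key")
    mf.enrol("000123456", "4711")
    mf.enrol("000987654", "0042")
    print("customer PIN accepted:", mf.verify("000123456", "4711"))
    print("insider recovers:", recover_pins(mf.customer_file, mf._key))
```

With the key inside a hardware security module, the device translates the ATM's encrypted PIN block and performs the comparison internally, answering only yes or no and never exporting the key; the customer file on its own is then useless to a system programmer. An access-control product such as ACF2 restricts who may call a library, but it does not change the fact that the key is readable by whatever can read that library, which is the distinction Dawson's answer glossed over.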
