Claims Involving Electronic Payment Systems

Ross J. Anderson
Computer Laboratory, Pembroke Street, Cambridge CB2 3QG

Abstract
--------

Many existing and proposed electronic payment systems are quite insecure and the number of claims involving fraudulent or disputed transactions is rising steeply. The banks' recent action in limiting customers' liability for such transactions through automatic teller machine (ATM) systems to 50 Pounds may in practice limit ATM claims to those cases where consequential losses are involved, but growing fraud against signature-based card systems such as Switch will continue to be an issue, as will disputes involving other electronic payment and trading systems. In particular, Electronic Document Interchange (EDI) systems are proliferating with very little thought being given to protecting transactions against fraudulent manipulation.

For these reasons, it is quite likely that practising lawyers will have to deal with electronic payment disputes at some time in their careers. The technical details can be extremely complex, as the proper cryptographic protection of transactions involves a range of mathematical and engineering disciplines. However the basic principles are relatively straightforward. In this article we outline a number of possible attacks against electronic trading and payment systems, and discuss the issue of liability for disputed transactions.

Introduction
------------

An unpublished survey carried out recently by a leading consumer organisation indicates that about a third of account holders at UK banks have had some dispute with their bank over an electronic banking transaction. These often concern `phantom withdrawals', debits posted for ATM transactions of which the account holder has no knowledge.
Although US banks are required to make good any such losses unless they can prove that the customer was at fault, British banks have traditionally claimed that their systems are infallible, and that no withdrawals can be made without both the customer's card and PIN (personal identification number). The implication is usually that the customer must have been defrauded by a member of his own family, and this can cause considerable anger and distress to the victims.

The situation has been acknowledged by the report of the Commission on Banking Services Law (the `Jack Report' - reference [8]) as unsatisfactory, with one-sided contracts and no effective competition (section 9.21); the banks try to discourage any public discussion of system security (10.03), although the PIN concept has never been tested in the UK courts (10.04) and a majority of expert evidence sees the PIN system as vulnerable from a security standpoint (10.06). It appears that the banks see anti-fraud investment as not being cost effective (10.11), and this can be expected to continue for so long as customers whose accounts have been raided can be made to carry the loss.

The UK clearers' response to these criticisms has been to agree to limit customer liability to 50 Pounds in the case of some of the more common types of disputed transaction. The expectation is probably that this will reduce the risk of a case ever getting to court and setting a precedent which could put the onus clearly on the bank, as is the case in the USA. This may not succeed, as consequential losses can often flow from phantom withdrawals. In one current case, which has been widely reported in the press, the plaintiff is an elderly account holder who claims that her bank so harassed her about an overdraft arising from a series of phantom withdrawals that she suffered health problems as a result.

What can a lawyer realistically hope to achieve for an aggrieved client?
How can one establish that the client has been defrauded, or at least that the bank has failed to carry out its general duty to observe the customer's mandate? In order to answer this question, we will have to understand the various ways in which an ATM system can be defrauded.

The Evolution of ATM Systems
----------------------------

Automatic Teller Machines, or ATMs, were like most computer systems in that they were originally developed without much concern for security other than the obvious protection against violent external assault. The first examples were introduced in the UK in 1968 and simply accepted a punched card and a PIN, checked the PIN against the card, and dispensed a fixed amount of cash (typically 10 Pounds). The card was retained by the ATM, processed as a cheque and returned to the customer with his statement at the end of the month. The PIN was introduced to add value: without it, the card could have been used by anyone to draw cash, and so would have been of no more use than cash to most customers.

A fraud problem arose in some countries overseas, where criminals (and in Israel, even enterprising but misguided students) worked out the relationship between the holes punched in the card and the corresponding PIN. There was also a concern about what would happen if a customer repudiated a transaction. How could a bank satisfy a judge that their system was secure, even in the face of testimony from a plausible witness?

These pressures led to a number of research programs being carried out into ATM security, and in particular PIN security, in the late 1970s and early 1980s, with the aim of tackling the problem by making forgery impossible. A number of systems were developed, of which two captured most of the market. These were the IBM system, developed by Meyer, Matyas and others; and the VISA system, developed by Carl Campbell. They share a core concept, which is to derive the PIN from the customer's account number.
The business objective was to ensure that no-one at the bank could ever get to know any customer's PIN. The derived technical objectives were to avoid having a file of PINs, as this file might be stolen or copied by one of the bank's programmers; and to avoid having the PIN on the card, where it could be accessible to thieves or forgers. At the same time, most banks wanted to be able to check PINs in ATMs which were offline, that is, not connected to the bank's computer.

The solution developed by IBM and VISA was to encipher the customer's account number using a secret encryption key, the PIN key, and use the first four digits of the result as the PIN. The details of the process are described in the open literature [1], [4], and so the security of the system depends entirely on each bank keeping its PIN key secret. The usual procedure was to keep this key in two or more components, each held by a different official. Although familiar from the management of safe combinations, this scheme gave rise to problems in practice: a bank may have over a thousand ATMs and thus over two thousand key custodians, each with a copy of one part or other of the key.

Carl Campbell's innovation was to devise a hierarchy of cryptographic keys which enables central control to be maintained. This system is quite involved but the heart of it is a device called a security module which generates all the customer PINs and cryptographic keys used by the bank. Master keys are generated in several components for manual loading into ATMs as before, but once this initial loading is complete, all subsequent key management is done automatically by the security module, which sends each ATM working keys from time to time which are encrypted under its master keys. The two main international card organisations, VISA and Mastercard, now require all banks joining their scheme to build their ATM systems round security modules.
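The PIN derivation just described, as a worked example added here (it is not code from the article or from the IBM or VISA systems): the account number is enciphered under a secret PIN key, the result is decimalised, and the first four digits become the PIN, so that neither a PIN file nor a PIN on the card is needed and an offline ATM holding the PIN key can check a PIN by recomputing it. Two assumptions are labelled in the code: HMAC-SHA256 stands in for the DES encryption of the original schemes, since the Python standard library has no DES, and the decimalisation table 0123456789012345 of the IBM 3624 scheme is used to turn hex digits into decimal ones. The key and account number are constructed sample values.

```python
import hmac
import hashlib

# Decimalisation table as used in the IBM 3624 scheme: the hex digit at each
# position of the enciphered account number maps to the decimal digit below.
DECIMALISATION_TABLE = "0123456789012345"


def keyed_encipher(pin_key: bytes, account_number: str) -> str:
    """Stand-in for enciphering the account number under the PIN key.

    Assumption: HMAC-SHA256 replaces the DES encryption of the original
    schemes, since the standard library carries no DES. The property that
    matters is the same: the output is unpredictable without the PIN key.
    """
    return hmac.new(pin_key, account_number.encode(), hashlib.sha256).hexdigest()


def derive_pin(pin_key: bytes, account_number: str, length: int = 4) -> str:
    """Natural PIN: encipher the account number and take the first `length`
    digits after decimalisation. No PIN file is needed; the bank can always
    recompute the PIN as long as it holds the PIN key."""
    ciphertext_hex = keyed_encipher(pin_key, account_number)
    decimal_digits = "".join(DECIMALISATION_TABLE[int(h, 16)] for h in ciphertext_hex)
    return decimal_digits[:length]


def verify_pin(pin_key: bytes, account_number: str, entered_pin: str) -> bool:
    """Offline check as done inside an ATM that holds the PIN key: recompute
    the PIN from the account number on the card and compare in constant time."""
    if not entered_pin.isdigit():
        return False
    expected = derive_pin(pin_key, account_number, len(entered_pin))
    return hmac.compare_digest(expected, entered_pin)


if __name__ == "__main__":
    # Constructed sample values; a real PIN key lives in a security module.
    pin_key = b"constructed-sample-pin-key"
    account = "12345678"
    pin = derive_pin(pin_key, account)
    print("derived PIN:", pin)
    print("correct PIN accepted:", verify_pin(pin_key, account, pin))
    print("other key gives same PIN:", derive_pin(b"another-key", account) == pin)
```

The point to take from the last line of the demonstration is the one the article makes: everything rests on the PIN key. Anyone who obtains it can compute every customer's PIN from account numbers alone, which is why the key is split into components and, in the later designs, kept inside a security module.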
However, only about a third of existing member banks have so far made this investment, often pleading the difficulty of system change or the pressure of other development work. As a result, the new entrants to the ATM business (such as the building societies) tend to have more secure systems than the established players, and in fact some three-quarters of disputed ATM transactions currently being reported seem to concern the cardholders of one particular clearing bank.

There is no doubt that PINs have provided a useful first line of defence against fraud. Indeed, VISA reports that the incidence of fraud on systems which are PIN-based is about one hundredth of that from signature-based cards. Given that fraud on the latter varies between 0.1% and 1% depending on the country and the issuing bank, PINs must be saving billions. However, PIN-based systems have a number of weaknesses which are not always well understood, and as bankers become complacent, and technical knowledge of their systems continues to spread, both the incidence of fraud and the likelihood of a really major incident continue to grow.

Attacks on Signature Based Card Systems
---------------------------------------

Before considering how ATM systems can be attacked, we should first look at signature based systems such as credit cards and Switch, as frauds are both fairly easy and much more common than with PIN-based systems.

In a recent case at Winchester Crown Court (R v Stone and Hider, 910321.5, 29 July 1991), the defendants were convicted of defrauding the Switch system. They obtained a magnetic reader/writer with which they could easily alter the magnetic strip of bank cards, and re-encoded their own Switch cards with the account numbers of various members of the public. This account information was obtained by picking up discarded ATM receipts. The case highlighted some of the banks' difficulties.
Firstly, record keeping was so poor that the banks could not establish how much had been stolen, and the prosecution had to proceed on the basis of an amount admitted by the defence. Most banks appear to keep no central record of disputed transactions, and many people defrauded in this manner may have had their claims summarily dismissed by branch staff.

Secondly, these reader/writers are easy to obtain, and despite such frauds being widespread overseas and well reported in the security press, the UK banks had not bothered to implement the best overseas practice, which is to print only the last six digits of the account number on ATM and other receipts. US banks are also starting to equip cards with card verification values (CVVs), which are three digit codes written to the magnetic strip but not on the receipt or the card face. Like the PIN, the CVV is derived cryptographically from the account number, and can be checked by payment terminals. However, organised criminals in the US now copy the entire magnetic strip by installing card readers in shops or restaurants belonging to accomplices [6]. Potentially, any purchase you make in the USA other than at a major chain may be put through a bogus terminal and could result in a spate of fraudulent debits appearing on your next statement.

There is evidence of increasing international cooperation between credit card fraudsters. We can recall only one isolated case in the mid-80s of stolen card numbers being used systematically on the other side of the Atlantic, but in the last year or two this appears to have become a standard operating procedure as criminals have realised that most `hot card lists' are only distributed locally. In fact we learned recently from a senior US bank official that their fraud loss tripled last year from about 0.3% to almost 1% of turnover.
Disputed transactions will be an increasing part of our future, and it is highly likely that credit card operators will initially resist most claims, for fear of suffering an avalanche of fraudulent claims of fraud.

Attacks on ATM Systems
----------------------

Banks have traditionally maintained a defence of infallibility in ATM disputes. They claim that no transaction can possibly be made without the card and the PIN, and so the client must have been negligent. Indeed, it is not unknown for ATM cards to be `borrowed' by family members. However, the blanket defence of infallibility is quite erroneous, as admitted in the Jack Report [8], and has never been tested in a UK court; it would appear that in practice the banks always settle.

In what follows, we list a number of ways in which an ATM system can be subverted. The list is not exhaustive, but should give some idea of what may have gone wrong, and help with the construction of arguments and interrogatories in particular cases.

(1) The system can be compromised easily by poor administration. For example, in February this year the author asked for an increased card limit: the bank sent not one, but two, cards and PINs through the post. This was a near miss: the cards arrived only a few days after intruders had got hold of our apartment block's mail and gone through it looking for valuables. There appear to be no statistics available for losses arising from this kind of incident, but we expect that they account for thousands of cases a year.

(2) In our experience, banks in the English speaking world dismiss, or ask for the resignation of, about one percent of their staff every year for disciplinary reasons. A nontrivial proportion of these are for petty fraud or embezzlement, in which ATMs are often involved. A clearing bank with 50,000 staff, which issued PINs predominantly through the branches rather than by post, could expect about two incidents per business day of staff stealing cards and PINs.
These could be test cards, or cards otherwise used to milk the bank's internal accounts; but it is simpler, and so much more common, for dishonest staff to issue duplicate cards on ordinary accounts, or help themselves to cards which have not yet been issued to customers.

(3) It may in some banks be possible for a dishonest teller to pass to a customer's account a debit which masquerades as an ATM withdrawal, without going near the ATM system. Such facilities may be provided in banking computer systems in order to allow branch staff to rectify mistakes, and may be abused from time to time. A policy of denying the existence of `phantom withdrawals', and telling customers that they must have been defrauded by their own relatives, may be expected to encourage this kind of embezzlement.

(4) Another source of trouble has been the existence of test transactions. There was a test facility on one of the Olivetti 2000 series ATMs which would output ten banknotes when a fourteen digit sequence was entered at the keyboard. One bank published this sequence in its branch manual, and there was a spate of fraud until all the banks using this type of machine had put through a software change.

(5) Various program bugs and operational errors will also cause a certain number of mistakes, such as duplicate transactions and debits posted to the wrong account. These are familiar enough to heavy users of any bank's cheque processing facilities, who correct them by reconciling their accounts and demanding to see vouchers for stray debits. However, with ATM systems, the customer cannot usually demand to inspect tally rolls, transaction logs and balancing records; and any attempt at checking a disputed transaction is generally frustrated in various ways by the bank. In view of the established procedures for dispute resolution on cheque transactions, this may be a very weak point in the banks' case.
From our own banking systems experience, we would expect an error rate from various causes of between 0.1% and 0.01% of transactions; this is in order-of-magnitude agreement with surveys which show that some 35% of UK cardholders have had an ATM dispute at some time in their lives, but slightly higher than the Jack report's figure of one disputed ATM transaction per hour in the UK. One can reconcile these differing error estimates by the reasonable assumption that most victims of ATM errors realise after contacting their branch that pursuing the matter will be futile.

(6) In addition to the above general problems, there are a number of technical ways in which ATM systems can be attacked. One of the most famous, at least within the computer security community, occurred at the Chemical Bank in New York in about 1985. An ATM technician, who had been dismissed, stood in ATM queues and observed customers' PINs as they were entered. He would then pick up the discarded receipt, which contained the account number, and write this number to the magnetic strip of a blank card, just as with the R v Stone and Hider case. He managed to steal over $80,000 before the bank saturated the area with security men and caught him in the act. Needless to say, the emergence of worldwide ATM networks during the past few years makes such attacks much easier to mount, and much more difficult to stop. In fact, it was this attack which motivated many overseas banks to print only the last six digits of the account number on the receipt.

(7) An even more sophisticated attack was reported from the USA in 1988. In this case, the fraudsters had constructed a vending machine which would accept any card and PIN, and dispense a packet of cigarettes. They placed this in a shopping mall, and used the PINs and magnetic strip information it recorded to forge cards for use in ATMs.

(8) Another technical attack relies on the fact that most ATM networks do not encrypt the authorisation response to the ATM.
This means that an attacker can record a `pay' response from the bank to the machine, and continually replay it until the machine is empty. This technique, known as `jackpotting', is not limited to `hackers' - it appears to have been used in South Africa in 1987 by a bank's operations staff, who used network control devices to jackpot ATMs where accomplices were waiting.

(9) Some banks decided to hold the encrypted PINs on a database. This meant that a programmer, who knew that his own PIN was 1537, would observe that his encrypted PIN was (say) 32AD6409BCA4331, and then search the database for all other account numbers with the same PIN. If the bank has five million cards outstanding, there should be at least five hundred of these.

(10) Banks which do not use security modules are open to much more direct attacks. A system programmer can simply observe clear PINs passing through the mainframe computer, compile a list of corresponding account numbers and PINs, and make up forged cards.

(11) The worst case of all for the bank is when the PIN key itself becomes known. We know of two cases of this, both of which were `inside jobs' involving technical personnel. It is also just within the bounds of possibility for a bank's PIN key to be determined by outsiders using cryptanalysis - although this would be a major undertaking, and has been estimated to need about 30,000 pounds worth of computer time [2]. However, computing resources are rapidly becoming cheaper, and one could even envisage a situation in which the codebreaking resources of the former USSR were misused for private gain.

Electronic Document Interchange
-------------------------------

A number of vendors are selling systems for Electronic Document Interchange (EDI). The idea is to save time and money by replacing paper documents such as invoices, statements and so on with messages which are passed electronically from one company to another.
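Returning to items (8) and (9) of the ATM attack list above, both come down to a message that is not bound to its context: an enciphered PIN that depends on the PIN alone matches every other account with the same PIN, and a `pay' response that carries nothing tying it to one particular request can be replayed. The following is a worked example added here, not code from the article or from any bank's system, showing the two mitigations side by side: an ISO 9564 format 0 PIN block, which XORs the PIN with the account number before encryption so that equal PINs on different accounts no longer give equal ciphertexts, and an authorisation exchange in which the ATM puts a fresh nonce in each request and the host's response carries a MAC over that nonce, the amount and the decision, so a recorded response is refused the second time. HMAC-SHA256 stands in for the block cipher under the PIN and zone keys (an assumption, as the standard library has no DES); the keys, PANs, PIN and amounts are constructed sample values, and the class and function names are the example's own.

```python
import hmac
import hashlib
import os


def keyed_transform(key: bytes, data: bytes) -> str:
    """Deterministic keyed transformation standing in for block encryption
    under a PIN key or zone key (assumption: HMAC-SHA256 instead of DES)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# ---- item (9): PIN enciphered alone versus PIN bound to the account ---------

def encrypt_bare_pin(pin_key: bytes, pin: str) -> str:
    """Weak storage: the ciphertext depends on the PIN alone, so every
    account with the same PIN gets the same ciphertext."""
    return keyed_transform(pin_key, pin.encode())


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format 0 PIN block: the PIN field is XORed with the rightmost
    twelve digits of the PAN (excluding its check digit) before encryption."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 decimal digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def encrypt_pin_block(pin_key: bytes, pin: str, pan: str) -> str:
    """Account-bound storage: equal PINs on different PANs give different
    ciphertexts, so a ciphertext match no longer reveals a shared PIN."""
    return keyed_transform(pin_key, iso0_pin_block(pin, pan))


def accounts_sharing_ciphertext(store: dict) -> list:
    """Audit check over a {pan: ciphertext} store: groups of accounts whose
    stored values are identical. Non-empty output means the store leaks
    PIN equality."""
    groups = {}
    for pan, ciphertext in store.items():
        groups.setdefault(ciphertext, []).append(pan)
    return [sorted(pans) for pans in groups.values() if len(pans) > 1]


# ---- item (8): authorisation responses the ATM can tell apart --------------

def host_mac(zone_key: bytes, nonce: str, amount_pence: int, decision: str) -> str:
    """MAC over the fields the ATM must trust: which request, how much, pay or not."""
    return keyed_transform(zone_key, f"{nonce}|{amount_pence}|{decision}".encode())


def host_authorise(zone_key: bytes, request: dict, approve: bool) -> dict:
    """Host side: answer a request with a decision bound to its nonce and amount."""
    decision = "PAY" if approve else "DECLINE"
    return {"nonce": request["nonce"], "decision": decision,
            "mac": host_mac(zone_key, request["nonce"], request["amount"], decision)}


class AtmAuthoriser:
    """ATM side: a fresh nonce per request; a response is honoured at most once."""

    def __init__(self, zone_key: bytes):
        self.zone_key = zone_key
        self.pending = {}  # nonce -> amount requested, removed once answered

    def request(self, pan: str, amount_pence: int) -> dict:
        nonce = os.urandom(8).hex()
        self.pending[nonce] = amount_pence
        return {"pan": pan, "amount": amount_pence, "nonce": nonce}

    def accept_response(self, response: dict) -> bool:
        """True only for a genuine, first-time PAY response to an open request."""
        nonce = response.get("nonce")
        if nonce not in self.pending:
            return False  # unknown nonce, or already consumed: a replay is refused here
        expected = host_mac(self.zone_key, nonce, self.pending[nonce], response.get("decision", ""))
        if not hmac.compare_digest(expected, response.get("mac", "")):
            return False  # forged or altered response
        del self.pending[nonce]
        return response["decision"] == "PAY"


def demo() -> dict:
    """Constructed walkthrough of both points; returns the observations."""
    pin_key, zone_key = b"constructed-pin-key", b"constructed-zone-key"
    pans = ["4000123456789012", "4000987654321098"]  # constructed sample PANs
    bare = {p: encrypt_bare_pin(pin_key, "1537") for p in pans}
    bound = {p: encrypt_pin_block(pin_key, "1537", p) for p in pans}
    atm = AtmAuthoriser(zone_key)
    req = atm.request(pans[0], 5000)
    resp = host_authorise(zone_key, req, approve=True)
    return {"bare_collisions": accounts_sharing_ciphertext(bare),
            "bound_collisions": accounts_sharing_ciphertext(bound),
            "first_accepted": atm.accept_response(resp),
            "replay_accepted": atm.accept_response(resp)}
```

Running `demo()` shows the two accounts grouped together in the bare store and not in the PAN-bound one, and the same host response accepted once and refused on replay. Note that the nonce alone is not enough: without the MAC a recorded response could simply have its nonce field edited, which is why the ATM recomputes the MAC over the amount it actually requested rather than any amount stated in the response.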
Of course, there exist quite substantial opportunities for fraud in EDI, as these electronic documents can quite easily be altered by employees at either party to the transaction or even by outsiders. It is a matter of some concern to us that, although vendors make occasional noises about security, few of the systems we have seen make any provision for authenticating these electronic transactions. Tampering could be undertaken to cover up theft of stock, support VAT frauds or to introduce bogus invoices into a company's accounting system. As EDI systems will also generate documents for official bodies such as HM Customs, it is quite likely that they will become targets for drug smugglers wishing to hide their shipments among those of a respectable importer.

We feel that vendors of EDI systems which do not offer facilities for the authentication of all electronic documents according to best international practice may be making themselves liable for large damages in the event of these systems having to be substantially modified in the light of frauds which are highly predictable today. It is concluded in the Jack report that even following best practice is not a comprehensive defence against a claim that a supplier has not discharged a duty of care, and that such a practice may need to be reinforced by contract or by statute. Suppliers who do not even bother to follow best practice may find themselves very vulnerable indeed when the first big losses arrive.

This raises two related questions, namely what constitutes best practice; and how can one prove, whether to a counterparty or an arbitrator, that a transaction was in fact originated by a particular party.

Practice, Proof and Liability
-----------------------------

Most large banks worldwide now offer their corporate clients some kind of cash management system, whereby the company treasurer can dial the bank's mainframe computer from his PC and perform online account enquiries and transactions.
These transactions may be limited to moving money between the company's various trading and deposit accounts so as to minimise overdraft charges or maximise interest payments, or they may extend to making payments to suppliers as well. Needless to say, such systems need good security, for, if they are penetrated, enormous sums could be siphoned off by the attackers. As a result, a lot of work has been done on authenticating and encrypting electronic banking transactions, and these developments now provide an example of good practice to which EDI suppliers should adhere and which EDI customers should demand. There are EEC standards on secure systems [3] but they are still at an early stage of evolution and phrased in such general terms that, in our view, anyone engaged in certifying an EDI system would have to look at its near analogues, such as electronic funds transfer systems, for guidance.

Now a corporate banking system will typically provide three layers of security: firstly, it will identify each user of the system positively, whether by means of a password or by using a token such as a smartcard; secondly, it will compute one or more digital signatures to authenticate each transaction; and thirdly, it will encrypt the message traffic, in order to protect client confidentiality.

The hard issue is: how can one verify the correctness of any given scheme for authentication and encryption? What solutions are available to the practical problem of arbitrating between two parties, one of whom claims his system is secure, while the other claims that a transaction has been forged? Such solutions will inevitably be technical in nature, and there are currently two streams of research on the problem. The first, originating at MIT in America, uses a technique known as public key cryptography to generate digital signatures on transactions which can then be checked by anybody.
While mathematically elegant, this technique is rather slow and (in the US at least) the subject of patents whose holders charge a significant royalty. The second, which originated and continues here at Cambridge, uses the techniques of formal logic to investigate the security claims made for particular cryptographic systems, and to assist in the design of systems on which great reliance must be placed.

Given that we can now produce designs whose correctness can be formally verified, that such systems are in regular use overseas [7], and that any desired arbitration function can be built in, it is hard to see how purveyors of insecure systems can escape liability. This is the standard view overseas. As already noted, the US government imposes full liability on payment system operators such as banks, on the grounds that they are the main beneficiaries when these systems are installed. US Federal Reserve regulations ensure that it is the bank, rather than the customer, who pays for disputed ATM and other EFT transactions, unless of course the bank can prove fraud or negligence by the customer. With the exception of Germany, countries which have investigated the liability issues of electronic banking and transaction processing tend towards the American view.

Conclusions
-----------

ATMs have been described as one of the top 100 ideas of the 20th century. However, the current security technology of magnetic cards and PINs may be due for review and upgrade. Recently reported figures [5] show that plastic card fraud in the UK was 166,000,000 pounds in 1991, up 35% from 1990. There will be a further sharp increase next year, as the banks' agreement to carry all but the first 50 pounds of loss will cause many losses previously borne by customers to be recorded in the official figures.

A number of prospective successor technologies have been available for several years now. These include watermark cards, smart cards, and biometrics.
The first two are, for our present purposes, just cards which are designed to be difficult to forge. Watermark cards achieve this by embedding a serial number in the magnetic strip which cannot be altered after manufacture, while smart cards dispense with the magnetic strip altogether and store the customer information in an embedded integrated circuit. Biometrics refers to the automatic measurement of personal characteristics, such as voiceprints, fingerprints or signatures; pilot projects have been reported using fingerprints to identify bank customers in India and using voiceprints to control the payment of pensions in South Africa, while the industry giant IBM has launched devices for automatic signature recognition.

The problem therefore is not so much a shortage of technological options as the banks' nervousness in committing to a new technology, out of fear that a different technology might eventually become standard. Where this nervousness has been overcome, for example in France, we have seen the introduction of advanced payment systems based on smartcards [7]. However, mounting losses make clear that it is time for credit and debit card operators to take the plunge and start building the next generation of payment systems.

These, together with the emerging EDI networks, should be designed to be secure, and this will be more likely to happen once it is accepted in the UK, as it already is overseas, that system operators should be liable for all frauds and errors. After all, these are now largely avoidable and will only be significant if the system suppliers take a more or less conscious decision to economise on security. Up till now, as the Jack report observed, UK banks tended not to see electronic security as being a cost-effective investment, especially as existing systems were cheap, alternatives less so, and the poor customer could almost always be made to foot the bill for fraud. This will all change.
In the meantime, we have noted a strong tendency for claims involving ATM and EFT disputes to be settled. An initial offer of 50% of the claim seems to be about normal, but settlement in full is usually a reasonable goal where the plaintiff is a clearly credible witness. The banks appear to perceive that the cost to them of an unfavourable precedent could be very high indeed, and to be quite apprehensive about the possibility of an avalanche of fraudulent claims of fraud. Even if this turns out to be unfounded, they are not keen to expose their system security to critical examination and are well aware that having to pay the full amount of all disputed transactions, as in the USA, would be a significant extra expense.

In conclusion, practising lawyers should be aware that electronic transaction systems are not infallible and that claims can very often be pursued with a high expectation of settlement.

Bibliography
------------

[1] D. W. Davies and W. L. Price, "Security for Computer Networks", John Wiley and Sons, 1984.

[2] G. Garon and R. Outerbridge, "DES Watch: An Examination of the Sufficiency of the Data Encryption Standard for Financial Institution Information Security in the 1990's", Cryptologia, XV, no. 3 (July 1991), pp. 177-193.

[3] "Information Technology Security Evaluation Criteria, Provisional Harmonised Criteria", June 1991, EC document COM(90) 314.

[4] C. H. Meyer and S. M. Matyas, "Cryptography: A New Dimension in Computer Data Security", John Wiley and Sons, 1982.

[5] Sunday Telegraph, 8 March 1992.

[6] Times, 23 March 1992.

[7] R. J. Anderson, "UEPS - A Second Generation Electronic Wallet", to appear in ESORICS 92.

[8] Report of the Review Committee on Banking Services Law, HMSO, 1989.