UK Couple Chases Bank Over 'Phantom' Withdrawals

When Emma Woolf of London logged into her online account with Abbey National bank in early March, she expected to see a balance of £10,000 (US$16,300).

Instead, she had just £23.

Woolf's account had been drained by a series of withdrawals and debit-card purchases that she said she didn't authorize, a type of fraud that has become all too common as cybercriminals have refined methods to steal money electronically.

Since then, Woolf and her fiancé Jonathan Groman have been trying to get the money refunded by Abbey National, but to no avail. They maintain that their debit card was in a locked safe at Woolf's home when the transactions took place and that no one else knew the PIN (Personal Identification Number).

"The card was never out of the safe," Groman said.

Between December and February, the withdrawals were made close to Woolf's residence. Abbey National said in a letter to Woolf that the person who initiated one of the withdrawals had two failed attempts to enter the PIN but got it right the third time.

After Woolf noticed the fraud in March, she was initially told that her card had been cloned. Abbey National then changed its story, telling Woolf her own card was used in ATM machines.

Woolf's ordeal is not unlike other so-called "phantom withdrawal" cases, where bank customers notice mysterious withdrawals from their accounts despite having possession of their cards.

Abbey National's stance on the disagreement with Woolf is based on the chip-and-PIN technology used in debit and credit cards throughout Europe. The chip in each card contains a cryptographic key unique to that card, which is used to authenticate a transaction when a four-digit PIN is entered.

"I can tell your genuine card was used because the unique chip in the card was read by the machines," wrote Karen Cross, operations manager for Abbey National, in a letter seen by IDG News Service. "The chip cannot be copied so we know it was the genuine card used and not a cloned card."

A debit card exchanges information with an ATM machine during a transaction. ATM machines in the U.K. should check to see if there is a microchip in the card, which would prevent cloned cards from being used.

However, as recently as 2007, some ATMs were still allowing transactions to be conducted just by reading the information off a chip-and-PIN card's magnetic stripe, said Steven Murdoch, a security researcher at the University of Cambridge.

Analyzing the log files recorded by the ATM as well as on the card itself can reveal more details about transactions.

But Abbey National instructed Woolf to destroy the card and give it back to the bank. That advice -- which other banks have given as well in similar cases -- is the equivalent of immediately cremating a murder victim, said Murdoch.

"The banks shouldn't be destroying cards," he said.

Groman said he still has the card but it's in small pieces. But Murdoch said it is possible the microchip, which is much smaller than the silver or gold contact point on the card, could be intact. That chip has information on the number of transactions conducted with the card.

Comparing the number of fraudulent withdrawals with the number of transactions counted by the card could reveal a discrepancy that would point to a different explanation for the fraud, Murdoch said. The microchip would have to be analyzed by an expert.

Under U.K. banking rules, customers are supposed to be refunded for fraudulent withdrawals unless the bank decides someone was careless with their PIN.

"In this case the thief has used your card in the ATM machine and entered your PIN correctly," wrote Julia Church, a fraud investigator with Abbey National's Financial Crime Operations unit, in a March 13 letter to Woolf. "In these circumstances, Abbey are not able to take responsibility for the loss."

The £10,000 in Woolf's account was intended to be used for further development of the Web site Sociallyjewish.com, which the couple runs, Groman said. Since the money disappeared, the development plans have been put on hold.

Groman said they have hired an attorney and have outstanding requests with Abbey National for more information. The Metropolitan Police are also working the case.
