A U.K. man will face banking giant Halifax next week in court after he sued over the loss of
Alain Job, an immigrant from Cameroon, saw the money disappear from his account but maintains he always had his card in his possession and didn't make the withdrawal. He took his complaint to the U.K.'s Financial Ombudsman Service, which mediates disputes between banks and customers, but lost in early 2007.
Job decided to sue over the phantom withdrawal, marking the first legal case in the U.K. challenging what banks contend is a strong security system designed to prevent card fraud, said Ross Anderson, a security engineering professor at the University of Cambridge. Job's case will be heard in Nottingham County Court on April 30.
Job could not be immediately reached. An expert witness who is scheduled to testify next week said he and Job can't publicly comment on the lawsuit so as to not unduly influence its outcome.
Job's case brings into question the security of the chip-and-PIN (personal identification number) card system introduced throughout Europe several years ago after widespread card fraud. Rather than using a signature to complete a transaction at a merchant, a person must enter a four-digit PIN, which is verified by a cash machine or point-of-sale terminal through the card's microchip.
But Anderson -- who has been a very vocal critic of chip-and-PIN -- as well as other security researchers at Cambridge have highlighted several technical flaws with the system that could explain how Job lost his money.
Anderson and Nicholas Bohm, a retired lawyer, submitted a paper earlier this year detailing how chip-and-PIN could be subverted as part of a review of the Financial Ombudsman Service.
Cash machines use verification mechanisms to ensure a particular card hasn't been cloned, but in some cases those checks can be bypassed. Some cash machines will read account data off a card's magnetic strip if the chip isn't working.
Also, so-called "yes" cards can be created that will complete a transaction with any PIN if a particular machine is allowed to authorize transactions without connecting back to the bank, according to the paper. Researchers have also proven it is possible to extract from a chip the secret key that computes a transaction certificate, which would indicate to a cash machine that the card is legitimate even though it's faked.
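The conditions described above determine how much a bank's transaction record can actually prove about which card was used. The following sketch is an added example, not code from the article, the paper or any bank; the record layout, field names and sample log are constructed assumptions. It flags withdrawals whose record alone does not show that the genuine chip was exercised and checked by the bank.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Withdrawal:
    # Constructed record layout; every field name here is an assumption.
    ref: str
    card_has_chip: bool
    entry_mode: str            # "chip" or "magstripe"
    authorized_online: bool    # machine connected back to the bank
    certificate_checked: bool  # bank verified the chip's transaction certificate

def evidence_gaps(tx):
    """List why this record alone does not show the genuine chip was used."""
    gaps = []
    if tx.entry_mode == "magstripe":
        if tx.card_has_chip:
            # Chip "not working": account data was read off the strip instead.
            gaps.append("MAGSTRIPE_FALLBACK")
    elif not tx.authorized_online:
        # The condition under which a "yes" card is accepted with any PIN.
        gaps.append("OFFLINE_AUTHORIZATION")
    elif not tx.certificate_checked:
        gaps.append("CERTIFICATE_NOT_CHECKED")
    return gaps

def review(log):
    """Map each withdrawal reference to its gaps, omitting records with none."""
    findings = {}
    for tx in log:
        gaps = evidence_gaps(tx)
        if gaps:
            findings[tx.ref] = gaps
    return findings

# Constructed sample log, not data from the case.
SAMPLE_LOG = [
    Withdrawal("W1", True, "chip", True, True),
    Withdrawal("W2", True, "magstripe", True, False),
    Withdrawal("W3", True, "chip", False, False),
    Withdrawal("W4", True, "chip", True, False),
]

if __name__ == "__main__":
    for ref, gaps in review(SAMPLE_LOG).items():
        print(ref, ", ".join(gaps))
    # W1 has no gap here, but an extracted chip key would produce the same record.
```

A record with no gaps is still not conclusive: the key-extraction scenario in the paper yields a certificate that verifies.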
Halifax maintains it has evidence that Job's real card was used at a cash machine, although the bank has not yet revealed those details, Anderson said.
Technical details aside, Anderson said U.K. banks have put blind faith into their security technology and pushed the liability for losses back on unknowing customers.
"When the banks designed the chip-and-PIN system, they thought they would dump the risk of fraud on others," Anderson said.
In the U.S., the responsibility lies with the banks to prove the customer is at fault or they must refund the money, Anderson said. In the U.K., the process is much more opaque, with the Financial Ombudsman Service tending to side with banks, according to the paper.
"It's really important that we move away from the U.K. approach of letting the banks claim the system is secure," Anderson said.
Job's court date next week has the potential to change how banks must address fraud. "This case could make a difference," Anderson said. "We don't know which way it is going to go."