Fraudulent ATM Withdrawals

If your bank statement shows a cash withdrawal from an ATM which you know you did not make, you will have a very hard time proving that. Prior to the introduction of ‘Chip and PIN’ aka EMV cards in 2003-2005 in the UK, if criminals managed to acquire your card details they could relatively easily clone the card and draw cash from an ATM. After EMV was deployed, the banks started to be more aggressive towards customers who complained of fraud. EMV was supposed to make the use of cloned cards to withdraw cash at an ATM impossible. It did make it more difficult but not impossible. The following information should be of interest to anyone who faces a fraudulent withdrawal from their account.

A couple of months ago my wife and I belatedly spotted a number of very small withdrawals we could not account for. We phoned our bank, discovered that it was my wife’s debit card that was alleged to have been used and asked for it to be cancelled. As the total amount stolen was very minor we did not ask for the matter to be investigated further. However, the person we spoke to insisted on putting us through to the fraud department. We then explained we saw no point in pursuing the matter. We should have spotted the first unexplained withdrawal and we assumed a cloned card must have been used. We were told that this was impossible; either my wife had forgotten the four withdrawals or someone else must have used her card. In fact my wife never draws cash from that account and there was no opportunity we could identify for anyone to steal and then replace the card on four occasions. We acknowledged that we could not prove this and that’s why we did not wish to pursue the matter. The lady in the fraud department was extremely aggressive and hinted strongly that my wife was senile or a liar. After an hour’s conversation she had to accept we did not want to pursue it.

After ending the call we decided to search the internet for information on whether cloned cards had ever been used for ATM withdrawals and quickly found a paper from the Cambridge University Computing Lab entitled ‘Chip and Skim: cloning EMV cards with the pre-play attack’ (see https://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf). The paper described how they had verified through experiments in the field one way in which cloned cards could be used.

In their introduction the authors noted, ‘After [EMV] was deployed, the banks started to be more aggressive towards customers who complained of fraud, and a cycle established itself. Victims would be denied compensation; they would Google for technical information on card fraud, and find one or other of the academic groups with research papers on the subject; the researchers would look into their case history; and quite often a new vulnerability would be discovered.’ The authors took all reasonable steps to inform banks of their findings but received no constructive response.

Having read all this we complained to the bank that they had probably been inaccurate in their assertion that cloned cards could not be used, quoting the Cambridge paper. They ‘rejected’ our complaint without saying why and not acknowledging we had called attention to the paper. I complained about this. They acknowledged receipt of the letter but still did not refer to the paper but said they would look at the file again. They have not done so after a month. Now the paper was published in late 2012 and theoretically the vulnerability the authors had exposed could have been fixed, but if this is the case why could they not say so? If a flaw in the authors’ findings had been discovered, why had this not been publicised? Everything suggests there has been deliberate suppression of information about known vulnerabilities. I did manage to get an employee of the bank to admit verbally that they had a copy of the paper. His comment was, “Huh, interfering boffins”.

I strongly recommend that your readers download the paper and read the introduction and sections 5.4 and 6. Don’t bother with the technical detail unless interested.

Weymouth resident – name and address supplied.