textfiles/anarchy/CARDING/cfrd.txt

CARD FRAUD AND COMPUTER EVIDENCE
14 Feb 1994

A case has just concluded in England which may be significant for computer and 
cryptographic evidence in general, and for electronic banking in particular. 
It also give some interesting insights into the quality assurance and fraud 
investigation practices of one of Britain's largest financial institutions.

I will be talking about this case to the BCS Computer Law Special Interest
Group on Thursday 17th February at 6pm. The meeting will be held at the offices
of Bristows Cooke Carpmael, which can be found at 10 Lincoln's Inn Fields. To
get there, take the tube to Holborn, exit southwards and turn second left into 
Remnant Street.

For the sake of those who cannot make it, there follows a report of the case 
from the notes I made during the hearing.


			*		*		*
1. Background.

On February 8th, 10th and 11th, I attended the trial at Mildenhall Magistrates'
Court, Suffolk, England, of a man who was charged with attempting to obtain
money by deception after he complained that he had not made six of the
automatic teller machine transactions which appeared on his statement.

The essence of the case was that John Munden, a police constable, had
complained to the manager of the Halifax Building Society in Newmarket about 
these transactions, which appeared in September 1992. He had also stated that 
his card had been in his possession at all times. Since the society was
satisifed about the security of its computer systems, it was alleged to follow
that Munden must have made these transactions, or suffered them to be made;
and thus that his complaint was dishonest.

This trial had resumed after being adjourned in late 1993. According to the
clerk, evidence was given for the Crown at the initial hearing by Mr Beresford 
of the Halifax Building Society that the society was satisfied that its systems
were secure, and so the transaction must have been made with the card and PIN 
issued to the customer. Beresford had no expert knowledge of computer systems, 
and had not done the investigation himself, but had left it to a member of his 
department. He said that fraudulent transactions were rarely if ever made from 
lobby ATMs because of the visible cameras. The Newmarket branch manager, Mr 
Morgan, testified that one of the transactions at issue had indeed been made 
from a machine inside the branch. He also said that in his opinion the 
defendant had been convinced that he had not made the transaction; and that he 
would not be aware of all the possible malfunctions of the ATM.

The defence had objected that the evidence about the reliability of the
computer systems was inadmissible as Beresford was not an expert. The court 
allowed the prosecution an adjournment to go and look for some evidence; and 
at the last minute, on the 20th January, I was instructed by Mr Munden's 
solicitor to act as an expert witness for the defence.

2. The Prosecution Case.

On 8th February, Beresford's evidence resumed. He admitted that the Halifax
had some 150-200 `unresolved' transactions over the previous 3-4 years, and
that it would be possible for a villain to observe someone's PIN at the ATM
and then make up a card to use on the account. He confirmed that the person
who investigated the incident had no technical qualifications, had acted under
his authority rather than under his direct supervision, and had involved the
police without consulting him.

Evidence was next given by Mr Dawson, the Halifax's technical support manager.
He had originally written the bank's online system in 1971, and was now
responsible for its development and maintenance. The ATM system had been
written in 1978 for IBM 3600 series machines, and altered in 1981 when the
Diebold machines currently in use were purchased. All software was written
internally, and in the case of the mainframe element, this had accreted to
the nucleus originally written in 1971. Amendments to the online system are 
made at the rate of 2-3 per week.

The PIN encryption scheme used was nonstandard. The PIN was encrypted twice
at the ATM and then once more in the branch minicomputer which controls it.
At the mainframe, the outer two of these encryptions were stripped off and
the now singly encrypted PIN was encrypted once more with another key; the
16 digit result was compared with a value stored on the main file record and
on the online enquiry file.

When asked whether system programmers could get access to the mainframe
encryption software, he categorically denied that this was possible as the
software could only be called by an authorised program.

When asked whether someone with access to the branch minicomputer could view 
the encrypted PIN, he denied that this was possible as there were no routines 
to view this particular record (even although the mini received this field and
had PCs attached to it). When asked what operating system the mini used, he
said that it was called either TOS or TOSS and that he thought it had been
written in Sweden. He could give no more information.

He had never heard of ITSEC.

He had not investigated any of the other 150-200 `unresolved transactions'
because he had not been asked to. The last investigation he had done was of
another transaction which had led to a court case, three years previously;
he had no idea what proportion of transactions went wrong, was not privy to
out-of-balance reports from branches, and was not familiar with branch rules on
ATM operations. He never visited the branch at Newmarket, where the disputed
transactions took place, but merely looked at the mainframe records to see
whether any fault records or error codes. He found none and took this
information at face value.

The fault recording system does not show repairs. The cryptographic keys in
the ATM are not zeroed when the machine is opened for servicing. The
maintenance is done by a third party. The branch only loads initial keys into
the ATM if keys are lost.

The Halifax has no computer security function as such, just the internal
auditors and the technical staff; it does not use the term `quality assurance'.

When asked by the bench what information was required to construct a card, 
Dawson initially said the institution identifier, the account number, the 
expiry date, a service code, an ISO check digit, a proprietary check digit, 
and a card version number. He concluded from this that a card forger would 
have to have access to an original card. However it turned out that the ATM 
system only checks the institution identifier, the account number and the card 
version number. He maintained doggedly that a forger would still have to 
guess the version number, or determine it by trial and error, and claimed 
there was no record of an incorrect version number card being used. 

However, Munden's card was version 2, and it transpired later that version 1, 
though created, was not issued to him; and that an enquiry had been made from a
branch terminal two weeks before the disputed transactions (the person making 
this enquiry could not be identified). When asked whether private investigators
could get hold of customer account details, as had been widely reported in the
press, he just shrugged.

He claimed that the system had been given a clean bill of health by the
internal and external auditors.

The branch manager was recalled and examined on balancing procedures. He
described the process, and how as a matter of policy the balancing records 
were kept for two years. However the balancing records for the two machines
in question could not be produced.

There was then police evidence to the effect that Munden kept respectable 
records of his domestic accounts, which included references to the undisputed 
withdrawals from ATMs, and that although he had once bounced a cheque he was 
no more in financial difficulty than anybody else. The investigating officer 
had only had evidence from the branch manager, not from Beresford or Dawson. 
The investigating officer also reported that Munden had served in the police 
force for nineteen years and that he had on occasion been commended by the 
Chief Constable.

3. The Defence.

That concluded the prosecution case, and the defence case opened with Munden
giving evidence. He denied making the transactions but could not produce an 
alibi other than his wife for the times at which the alleged withdrawals had 
taken place.

The only unusual matter to emerge from Munden's testimony was that when he went
in to the branch to complain, the manager had asked him how his holiday in
Ireland went. Munden was dumbfounded and the branch manager said that the
transaction code for one of the ATM withdrawals corresponded to their branch 
in Omagh. This was not apparent from the records eventually produced in court.

The next witness was his wife, Mrs Munden. Her evidence produced a serious 
upset: it turned out that she had had a county court judgment against her, in a
dispute about paying for furniture which she claimed had been defective, some
two weeks before the disputed withdrawals took place. Her husband had not
known about this judgement until it emerged in court.

I gave expert evidence to the effect that the Halifax's quality procedures,
as described by Dawson, fell far short of what might be expected; that testing
of software should be done by an independent team, rather than by the 
programmers and analysts who created it; and that Dawson could not be 
considered competent to pronounce on the security of the online system, and he 
had designed it and was responsible for it.

At a more detailed level, I informed the court that both national and 
international ATM network standards require that PIN encryption be conducted in
secure hardware, rather than software; that the reason for this was that it 
was indeed possible for system programmers to extract encryption keys from
software, and that I understood this to have been the modus operandi of a
sustained fraud against the customers of a London clearing bank in 1985-6;
that I had been involved in other ATM cases, in which some two dozen
different types of attack had emerged and which involved over 2000 complaints
in the UK; and that the Halifax, uniquely among financial institutions, was a
defendant in civil test cases in both England and Scotland.

I continued that ATM cameras are used by a number of other UK institutions, 
including the Alliance and Leicester Building Society, to resolve such cases; 
that in other countries which I have investigated the practice would be not
to prosecute without an ATM photograph, or some other direct evidence such as a
numbered banknote being found on the accused; that card forgery techniques were
well known in the prison system, thanks to a document written by a man who had 
been jailed at Winchester some two years previously for card offences; that I 
had personally carried out the experiment of manufacturing a card from an 
observed PIN and discarded ticket, albeit with the account holder's consent and
on an account with Barclays rather than the Halifax; that the PIN pad at the 
Halifax's Diebold ATM in Cambridge was so sited as to be easily visible from 
across the road; and that in any case the investigative procedures followed in 
the case left very much to be desired.

In cross examination, the prosecutor tried to score the usual petty points: he 
attacked my impartiality on the grounds that I am assisting the Organised Crime
Squad at Scotland Yard to investigate criminal wrongdoing in financial
institutions (the reply from our lawyer was of course that helping the
prosecution as well as the defence was hardly evidence of partiality); he
claimed that the PIN pad at the ATM in Newmarket was differently sited to
that in Cambridge, to which I had no answer as I had not had the time to go
there; and he asserted that the Alliance and Leicester did not use ATM cameras.
On this point I was able to shoot him down as I had advised that institution's
supplier. He finally tried to draw from me an alternative theory of the
disputed transactions - staff fraud, or a villain whom Munden had booked in
the past getting his own back by means of a forged card, or a pure technical
glitch? I was unable to do this as there had been neither the time nor the
opportunity to demand technical disclosure from the Halifax, as had been the 
case in two previous criminal cases I had helped defend (both of which we
incidentally won).

Dawson was recalled by the prosecution. He explained that only two of the
three tests carried out on new software were done by the analysis and 
programmers who had written it, and that the third or `mass test' was done by
an independent team. He said that software failures could not cause false
transactions to appear, since the online system was written in assembler, with
the result that errors caused an abend.

He claimed that they did indeed possess a hardware security module, which was 
bought in 1987 when they joined VISA, and which they used for interchange 
transactions with VISA and Link although not for all transactions with their 
own customers; and he finally repeated his categorical denial that any system 
programmer could get at the encryption software. When asked by what mechanism
this was enforced, he said that they used a program called ACF2.

In his closing speech, the defendant's lawyer pointed out the lack of any
apparent motive, and went on to point out the lack of evidence: the balancing
records were not produced; the person responsible for attending to those ATM
malfunctions which the branch could not cope with was not identified; the
Halifax employee who had carried out the investigation was not called; the
handwriting on the ATM audit rolls, which was the only way to tie them to a
particular machine, could not be identified; the cameras were not working;
statements were not taken from branch staff; the disk in the ATM had not
been produced; and the internal and external audit reports were not produced.

He mentioned my expert opinion, and reiterated my point that when a designer of
a system says that he can't find anything wrong, what has he shown? He also
recalled that in the High Court action in which the Halifax is the defendant,
they had not relied on the alleged infallibility; and pointed out that if ATM 
systems worked properly, then people wouldn't need to go to keep going to law 
about them.

4. The Verdict and Its Consequences.

I have been aware for years that the legal system's signal-to-noise ratio is
less than 10dB; however, in view of the above, you can understand that it was 
with some considerable surprise that I learned late on Friday that the court 
had convicted Munden. My own reaction to the case has been to withdraw my money
from the Halifax and close my account there. Quite apart from their ramshackle 
systems, the idea that complaining about a computer error could land me in 
prison is beyond my tolerance limit.

No doubt it will take some time for the broader lessons to sink in. What is the
point, for example, of buying hardware encryption devices if people can get 
away with claiming that system programmers can never get at an authorised 
library? Why invest in elaborate digital signature schemes if they simply 
repair the banks' defence that the system cannot be wrong? Is there not a case
for giving more consideration to the legal and political consequences of
computer security designs?

5. Action.

In the meantime, the police investigations branch have to consider whether John
Munden will lose his job, and with it his house and his pension. In this
regard, it might just possibly be helpful if anyone who feels that Dawson's
evidence was untruthful on the point that software can be protected from system
programmers on an IBM compatible mainframe, or that his evidence was otherwise
unsatisfactory, could write expressing their opinion to the Chief Constable, 
Cambridgeshire Constabulary, Hinchingbrooke Park, Huntingdon, England PE18 8NP.



Ross Anderson