CARD FRAUD AND COMPUTER EVIDENCE

14 Feb 1994

A case has just concluded in England which may be significant for computer and cryptographic evidence in general, and for electronic banking in particular. It also gives some interesting insights into the quality assurance and fraud investigation practices of one of Britain's largest financial institutions.

I will be talking about this case to the BCS Computer Law Special Interest Group on Thursday 17th February at 6pm. The meeting will be held at the offices of Bristows Cooke Carpmael, which can be found at 10 Lincoln's Inn Fields. To get there, take the tube to Holborn, exit southwards and turn second left into Remnant Street.

For the sake of those who cannot make it, there follows a report of the case from the notes I made during the hearing.

* * *

1. Background.

On February 8th, 10th and 11th, I attended the trial at Mildenhall Magistrates' Court, Suffolk, England, of a man who was charged with attempting to obtain money by deception after he complained that he had not made six of the automatic teller machine transactions which appeared on his statement.

The essence of the case was that John Munden, a police constable, had complained to the manager of the Halifax Building Society in Newmarket about these transactions, which appeared in September 1992. He had also stated that his card had been in his possession at all times. Since the society was satisfied about the security of its computer systems, it was alleged to follow that Munden must have made these transactions, or suffered them to be made; and thus that his complaint was dishonest.

This trial had resumed after being adjourned in late 1993. According to the clerk, evidence was given for the Crown at the initial hearing by Mr Beresford of the Halifax Building Society that the society was satisfied that its systems were secure, and so the transaction must have been made with the card and PIN issued to the customer.
Beresford had no expert knowledge of computer systems, and had not done the investigation himself, but had left it to a member of his department. He said that fraudulent transactions were rarely if ever made from lobby ATMs because of the visible cameras. The Newmarket branch manager, Mr Morgan, testified that one of the transactions at issue had indeed been made from a machine inside the branch. He also said that in his opinion the defendant had been convinced that he had not made the transaction; and that he would not be aware of all the possible malfunctions of the ATM.

The defence had objected that the evidence about the reliability of the computer systems was inadmissible as Beresford was not an expert. The court allowed the prosecution an adjournment to go and look for some evidence; and at the last minute, on the 20th January, I was instructed by Mr Munden's solicitor to act as an expert witness for the defence.

2. The Prosecution Case.

On 8th February, Beresford's evidence resumed. He admitted that the Halifax had some 150-200 `unresolved' transactions over the previous 3-4 years, and that it would be possible for a villain to observe someone's PIN at the ATM and then make up a card to use on the account. He confirmed that the person who investigated the incident had no technical qualifications, had acted under his authority rather than under his direct supervision, and had involved the police without consulting him.

Evidence was next given by Mr Dawson, the Halifax's technical support manager. He had originally written the bank's online system in 1971, and was now responsible for its development and maintenance. The ATM system had been written in 1978 for IBM 3600 series machines, and altered in 1981 when the Diebold machines currently in use were purchased. All software was written internally, and in the case of the mainframe element, this had accreted to the nucleus originally written in 1971.
Amendments to the online system are made at the rate of 2-3 per week.

The PIN encryption scheme used was nonstandard. The PIN was encrypted twice at the ATM and then once more in the branch minicomputer which controls it. At the mainframe, the outer two of these encryptions were stripped off and the now singly encrypted PIN was encrypted once more with another key; the 16 digit result was compared with a value stored on the main file record and on the online enquiry file.

When asked whether system programmers could get access to the mainframe encryption software, he categorically denied that this was possible as the software could only be called by an authorised program. When asked whether someone with access to the branch minicomputer could view the encrypted PIN, he denied that this was possible as there were no routines to view this particular record (even although the mini received this field and had PCs attached to it). When asked what operating system the mini used, he said that it was called either TOS or TOSS and that he thought it had been written in Sweden. He could give no more information. He had never heard of ITSEC.

He had not investigated any of the other 150-200 `unresolved transactions' because he had not been asked to. The last investigation he had done was of another transaction which had led to a court case, three years previously; he had no idea what proportion of transactions went wrong, was not privy to out-of-balance reports from branches, and was not familiar with branch rules on ATM operations. He never visited the branch at Newmarket, where the disputed transactions took place, but merely looked at the mainframe records to see whether there were any fault records or error codes. He found none and took this information at face value. The fault recording system does not show repairs. The cryptographic keys in the ATM are not zeroed when the machine is opened for servicing. The maintenance is done by a third party.
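The four-stage PIN path described in Dawson's evidence, as an added model that is not the Halifax's code: each reversible layer is modelled as XOR with an HMAC-derived keystream, the final host step as a keyed hash truncated to 16 hex digits, and the innermost ATM layer is assumed to be keyed per account (not per transaction) so that the host can compare against a value fixed at card issue. All key and account values are made-up placeholders.

```python
import hashlib
import hmac

# Made-up placeholder keys (not the Halifax's). In the scheme as described,
# ATM_K1 and ATM_K2 sit in the ATM, BRANCH_K3 in the branch minicomputer,
# and the mainframe software must hold K2, K3 and HOST_K4 to peel and verify.
ATM_K1, ATM_K2, BRANCH_K3, HOST_K4 = (bytes([i]) * 16 for i in range(1, 5))

def layer(key: bytes, data: bytes, context: bytes) -> bytes:
    """Reversible keyed transform: XOR with an HMAC-derived keystream.
    Applying it again with the same key and context restores the input."""
    stream = hmac.new(key, context, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def inner_encrypt(account: str, pin: str) -> bytes:
    """Innermost ATM encryption; keyed per account, not per transaction,
    so the host can compare against a value fixed when the card was issued."""
    return layer(ATM_K1, pin.encode(), account.encode())

def stored_value(account: str, pin: str) -> str:
    """16-digit value kept on the main file record: the singly encrypted
    PIN encrypted once more under the host key (modelled as a keyed hash)."""
    digest = hmac.new(HOST_K4, inner_encrypt(account, pin), hashlib.sha256)
    return digest.hexdigest()[:16]

def atm_pin_block(account: str, pin: str, txn: str) -> bytes:
    """What leaves the ATM: inner layer plus a transaction-specific second layer."""
    return layer(ATM_K2, inner_encrypt(account, pin), (account + txn).encode())

def branch_forward(block: bytes, account: str, txn: str) -> bytes:
    """Third layer added by the branch minicomputer before sending to the host."""
    return layer(BRANCH_K3, block, (account + txn).encode())

def host_verify(block: bytes, account: str, txn: str, stored: str) -> bool:
    """Mainframe: strip the outer two layers, re-encrypt under HOST_K4, compare."""
    ctx = (account + txn).encode()
    singly = layer(ATM_K2, layer(BRANCH_K3, block, ctx), ctx)
    candidate = hmac.new(HOST_K4, singly, hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(candidate, stored)

def transaction(account: str, pin: str, txn: str, stored: str) -> bool:
    """End-to-end path ATM -> branch minicomputer -> mainframe for one withdrawal."""
    block = branch_forward(atm_pin_block(account, pin, txn), account, txn)
    return host_verify(block, account, txn, stored)
```

Every key the host needs to peel and verify is a plain variable in host memory here, which is exactly the property the defence evidence below objects to in a software-only implementation.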
The branch only loads initial keys into the ATM if keys are lost. The Halifax has no computer security function as such, just the internal auditors and the technical staff; it does not use the term `quality assurance'.

When asked by the bench what information was required to construct a card, Dawson initially said the institution identifier, the account number, the expiry date, a service code, an ISO check digit, a proprietary check digit, and a card version number. He concluded from this that a card forger would have to have access to an original card. However it turned out that the ATM system only checks the institution identifier, the account number and the card version number. He maintained doggedly that a forger would still have to guess the version number, or determine it by trial and error, and claimed there was no record of an incorrect version number card being used. However, Munden's card was version 2, and it transpired later that version 1, though created, was not issued to him; and that an enquiry had been made from a branch terminal two weeks before the disputed transactions (the person making this enquiry could not be identified).

When asked whether private investigators could get hold of customer account details, as had been widely reported in the press, he just shrugged. He claimed that the system had been given a clean bill of health by the internal and external auditors.

The branch manager was recalled and examined on balancing procedures. He described the process, and how as a matter of policy the balancing records were kept for two years. However the balancing records for the two machines in question could not be produced.

There was then police evidence to the effect that Munden kept respectable records of his domestic accounts, which included references to the undisputed withdrawals from ATMs, and that although he had once bounced a cheque he was no more in financial difficulty than anybody else.
The investigating officer had only had evidence from the branch manager, not from Beresford or Dawson. The investigating officer also reported that Munden had served in the police force for nineteen years and that he had on occasion been commended by the Chief Constable.

3. The Defence.

That concluded the prosecution case, and the defence case opened with Munden giving evidence. He denied making the transactions but could not produce an alibi other than his wife for the times at which the alleged withdrawals had taken place. The only unusual matter to emerge from Munden's testimony was that when he went in to the branch to complain, the manager had asked him how his holiday in Ireland went. Munden was dumbfounded and the branch manager said that the transaction code for one of the ATM withdrawals corresponded to their branch in Omagh. This was not apparent from the records eventually produced in court.

The next witness was his wife, Mrs Munden. Her evidence produced a serious upset: it turned out that she had had a county court judgment against her, in a dispute about paying for furniture which she claimed had been defective, some two weeks before the disputed withdrawals took place. Her husband had not known about this judgment until it emerged in court.

I gave expert evidence to the effect that the Halifax's quality procedures, as described by Dawson, fell far short of what might be expected; that testing of software should be done by an independent team, rather than by the programmers and analysts who created it; and that Dawson could not be considered competent to pronounce on the security of the online system, as he had designed it and was responsible for it.
At a more detailed level, I informed the court that both national and international ATM network standards require that PIN encryption be conducted in secure hardware, rather than software; that the reason for this was that it was indeed possible for system programmers to extract encryption keys from software, and that I understood this to have been the modus operandi of a sustained fraud against the customers of a London clearing bank in 1985-6; that I had been involved in other ATM cases, in which some two dozen different types of attack had emerged and which involved over 2000 complaints in the UK; and that the Halifax, uniquely among financial institutions, was a defendant in civil test cases in both England and Scotland.

I continued that ATM cameras are used by a number of other UK institutions, including the Alliance and Leicester Building Society, to resolve such cases; that in other countries which I have investigated the practice would be not to prosecute without an ATM photograph, or some other direct evidence such as a numbered banknote being found on the accused; that card forgery techniques were well known in the prison system, thanks to a document written by a man who had been jailed at Winchester some two years previously for card offences; that I had personally carried out the experiment of manufacturing a card from an observed PIN and discarded ticket, albeit with the account holder's consent and on an account with Barclays rather than the Halifax; that the PIN pad at the Halifax's Diebold ATM in Cambridge was so sited as to be easily visible from across the road; and that in any case the investigative procedures followed in the case left very much to be desired.
In cross examination, the prosecutor tried to score the usual petty points: he attacked my impartiality on the grounds that I am assisting the Organised Crime Squad at Scotland Yard to investigate criminal wrongdoing in financial institutions (the reply from our lawyer was of course that helping the prosecution as well as the defence was hardly evidence of partiality); he claimed that the PIN pad at the ATM in Newmarket was differently sited to that in Cambridge, to which I had no answer as I had not had the time to go there; and he asserted that the Alliance and Leicester did not use ATM cameras. On this point I was able to shoot him down as I had advised that institution's supplier. He finally tried to draw from me an alternative theory of the disputed transactions - staff fraud, or a villain whom Munden had booked in the past getting his own back by means of a forged card, or a pure technical glitch? I was unable to do this as there had been neither the time nor the opportunity to demand technical disclosure from the Halifax, as had been the case in two previous criminal cases I had helped defend (both of which we incidentally won).

Dawson was recalled by the prosecution. He explained that only two of the three tests carried out on new software were done by the analysts and programmers who had written it, and that the third or `mass test' was done by an independent team. He said that software failures could not cause false transactions to appear, since the online system was written in assembler, with the result that errors caused an abend. He claimed that they did indeed possess a hardware security module, which was bought in 1987 when they joined VISA, and which they used for interchange transactions with VISA and Link although not for all transactions with their own customers; and he finally repeated his categorical denial that any system programmer could get at the encryption software.
When asked by what mechanism this was enforced, he said that they used a program called ACF2.

In his closing speech, the defendant's lawyer pointed out the lack of any apparent motive, and went on to point out the lack of evidence: the balancing records were not produced; the person responsible for attending to those ATM malfunctions which the branch could not cope with was not identified; the Halifax employee who had carried out the investigation was not called; the handwriting on the ATM audit rolls, which was the only way to tie them to a particular machine, could not be identified; the cameras were not working; statements were not taken from branch staff; the disk in the ATM had not been produced; and the internal and external audit reports were not produced. He mentioned my expert opinion, and reiterated my point that when a designer of a system says that he can't find anything wrong, what has he shown? He also recalled that in the High Court action in which the Halifax is the defendant, they had not relied on the alleged infallibility; and pointed out that if ATM systems worked properly, then people wouldn't need to keep going to law about them.

4. The Verdict and Its Consequences.

I have been aware for years that the legal system's signal-to-noise ratio is less than 10dB; however, in view of the above, you can understand that it was with some considerable surprise that I learned late on Friday that the court had convicted Munden.

My own reaction to the case has been to withdraw my money from the Halifax and close my account there. Quite apart from their ramshackle systems, the idea that complaining about a computer error could land me in prison is beyond my tolerance limit.

No doubt it will take some time for the broader lessons to sink in. What is the point, for example, of buying hardware encryption devices if people can get away with claiming that system programmers can never get at an authorised library?
Why invest in elaborate digital signature schemes if they simply repair the banks' defence that the system cannot be wrong? Is there not a case for giving more consideration to the legal and political consequences of computer security designs?

5. Action.

In the meantime, the police investigations branch have to consider whether John Munden will lose his job, and with it his house and his pension. In this regard, it might just possibly be helpful if anyone who feels that Dawson's evidence was untruthful on the point that software can be protected from system programmers on an IBM compatible mainframe, or that his evidence was otherwise unsatisfactory, could write expressing their opinion to the Chief Constable, Cambridgeshire Constabulary, Hinchingbrooke Park, Huntingdon, England PE18 8NP.

Ross Anderson