
 

Banks to wash their hands of customer card fraud

By Graeme Burton

14 Nov 2012


Major high street banks are planning to impose new terms and conditions on customers that would make them squarely responsible for credit and debit card fraud.


The charge is being led by Santander, which has separately been accused of deploying lax security measures covering its own online banking system by saving key customer details in cookies stored on users' PCs – an issue that, it says, has now been fixed following complaints.

The changes are intended to widen the scope for banks to refuse to repay customers who fall victim to fraud. From January 2013, major banks will block compensation to customers who suggest that they have allowed a fraudster to see their number at a cash machine or payment terminal – even though this would suggest that the cards and the information they contain are wide open to cloning.

They will also refuse to reimburse customers if they decide that a customer has an easily guessed PIN – either in terms of sequence or the memorability of the number, such as a birthday. Changes lurking within Santander's re-written terms and conditions will also demand that customers use a four-digit PIN unique to one credit or debit card.

Banks' more aggressive approach towards customers reporting fraudulent activity on their account follows on from the rollout of the EMV [Europay, Mastercard and Visa] chip-and-pin payment systems between 2003 and 2005. That had been intended to overcome the ease of fraud facilitated by the signature-based system – although it has been undermined by the continuation of the magnetic strip that contains sensitive information in unencoded form.

"Existing bank-card payment systems, such as EMV, have two serious vulnerabilities: the user does not have a trustworthy interface, and the protocols are vulnerable in a number of ways to man-in-the-middle attacks," wrote University of Cambridge computer expert, Dr Ross Anderson, in a report examining NFC payment systems.

Together with a number of top security researchers, Anderson uncovered and demonstrated a series of security flaws in chip and pin payment systems. In September 2012, a group including Anderson authored a paper entitled "Chip and skim: cloning EMV [chip and pin] cards with the pre-play attack".

"After it [chip and pin] was deployed, the banks started to be more aggressive towards customers who complained of fraud, and a cycle established itself. Victims would be denied compensation; they would Google for technical information on card fraud, and one or other of the academic groups with research papers on the subject; the researchers would look into their case history; and quite often a new vulnerability would be discovered," wrote the researchers.

Banks have proven so obstructive that in some cases transaction logs demanded by defrauded customers have been deleted. These, according to researchers, demonstrate that many cash machines are poor at generating the random number codes that authenticate the transaction. 
