Banks to wash their hands of customer card fraud
Banks rewrite their terms and conditions to make customers pay for card fraud
Major high street banks are planning to impose new terms and conditions on customers that would make them squarely responsible for credit and debit card fraud.
The charge is being led by Santander, which has separately been accused of deploying lax security measures covering its own online banking system by saving key customer details in cookies stored on users' PCs – an issue that, it says, has now been fixed following complaints.
The changes are intended to widen the scope for banks to reject repaying customers who fall victim to fraud. From January 2013, major banks will withhold compensation from customers who suggest that they have allowed a fraudster to see their number at a cash machine or payment terminal – even though this would suggest that the cards and the information they contain are wide open to cloning.
They will also refuse to reimburse customers if the bank decides that a customer has an easily guessed PIN – either in terms of sequence or the memorability of the number, such as a birthday. Changes lurking within Santander's re-written terms and conditions will also demand that customers use a four-digit PIN unique to one credit or debit card.
Banks' more aggressive approach towards customers reporting fraudulent activity on their accounts follows on from the rollout of the EMV [Europay, Mastercard and Visa] chip-and-pin payment system between 2003 and 2005. That was intended to overcome the ease of fraud facilitated by the signature-based system – although it has been undermined by the continued presence of the magnetic stripe, which carries sensitive card data in unencrypted form.
"Existing bank-card payment systems, such as EMV, have two serious vulnerabilities: the user does not have a trustworthy interface, and the protocols are vulnerable in a number of ways to man-in-the-middle attacks," wrote University of Cambridge computer expert, Dr Ross Anderson, in a report examining NFC payment systems.
Together with a number of top security researchers, Anderson uncovered and demonstrated a series of security flaws in chip and pin payment systems. In September 2012, a group including Anderson authored a paper entitled, "Chip and skim: cloning EMV [chip and pin] cards with the pre-play attack".
"After it [chip and pin] was deployed, the banks started to be more aggressive towards customers who complained of fraud, and a cycle established itself. Victims would be denied compensation; they would Google for technical information on card fraud, and one or other of the academic groups with research papers on the subject; the researchers would look into their case history; and quite often a new vulnerability would be discovered," wrote the researchers.
Banks have proven so obstructive that in some cases transaction logs demanded by defrauded customers have been deleted. Where logs have been obtained, researchers say they demonstrate that many cash machines are poor at generating the random number that is supposed to authenticate each transaction.
"If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip... Just like most vulnerabilities we find these days, some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us, for which we had until recently no explanation," wrote University of Cambridge security researcher Mike Bond in a recent blog posting.
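The pre-play attack described above works only because a terminal's "random" challenge to the card can be predicted. The following is an added example, not code from the researchers' paper or from any bank, showing the kind of audit a bank could run over its own terminal logs to flag challenge generators that are constant, counter-like, or leave most bits fixed. The log format, terminal names and challenge values are constructed for illustration.

```python
import re

# Constructed sample of terminal logs (not real data): each line carries the
# terminal id and the 32-bit challenge the terminal sent to the card, in hex.
SAMPLE_LOG = """\
2012-09-10T12:01:05 term=ATM-A un=000001A0
2012-09-10T12:02:11 term=ATM-A un=000001A1
2012-09-10T12:03:47 term=ATM-A un=000001A2
2012-09-10T12:01:09 term=ATM-B un=5E3A91C7
2012-09-10T12:02:44 term=ATM-B un=0B77F2D9
2012-09-10T12:03:58 term=ATM-B un=C4A10E36
2012-09-10T12:04:31 term=ATM-B un=9F2D6B08
2012-09-10T12:01:20 term=ATM-C un=F1A20000
2012-09-10T12:02:50 term=ATM-C un=F1A20000
2012-09-10T12:03:15 term=ATM-C un=F1A20000
"""

LINE_RE = re.compile(r"term=(?P<term>\S+)\s+un=(?P<un>[0-9A-Fa-f]{8})")

def parse_log(text):
    """Group each terminal's challenge values, in log order."""
    per_terminal = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_terminal.setdefault(m["term"], []).append(int(m["un"], 16))
    return per_terminal

def classify(values):
    """Verdict for one terminal: a replayable challenge is one an attacker can guess."""
    if len(values) < 3:
        return "insufficient"
    if len(set(values)) == 1:
        return "constant"          # same challenge every time: trivially replayable
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return "counter"           # fixed stride: next value is predictable
    # Bits that never change across the sample are effectively fixed.
    fixed_mask = 0xFFFFFFFF
    for a, b in zip(values, values[1:]):
        fixed_mask &= ~(a ^ b) & 0xFFFFFFFF
    if bin(fixed_mask).count("1") > 16:
        return "low-entropy"       # over half the bits never vary
    return "unpredictable"

def audit(text):
    """Map each terminal in the log to its verdict."""
    return {term: classify(vals) for term, vals in parse_log(text).items()}

if __name__ == "__main__":
    for term, verdict in audit(SAMPLE_LOG).items():
        print(f"{term}: {verdict}")
```

A small sample like this only catches gross defects; a real audit would run over many thousands of transactions per terminal and add statistical randomness tests.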
Indeed, despite the introduction of chip and pin – which was supposed to make card payments more secure – fraud has continued rising, increasing by nine per cent to £185m in the first half of the year.
The banking industry, though, has defended itself, claiming that the changes are justified due to the increasingly pervasive nature of mobile banking.
In a statement, Santander told Computing: "In line with other providers, we believe that by having security details unique to the accounts they hold with us, customers can help protect themselves further against fraud risks. Due to the increasing use of mobile banking and password memory software we are updating our terms and conditions and suggesting a number of additional measures our customers can take to help protect themselves.
"Unless a customer is involved in fraud, any instance of fraud is against the bank, not the customer, and so innocent victims will not lose out financially. We look at every fraud case on an individual basis. If a customer has been a victim of fraud and they have taken reasonable steps to protect their personal financial security then we will refund within 24 hours."
Santander has also recently been at the centre of claims regarding the security of its personal online banking accounts, published on the Full Disclosure list.
In October, a security researcher claimed that Santander had been storing users' credit card and other personally identifiable information in cookies on users' PCs – where it is held in plain text and is easily recoverable by an attacker. "Santander online banking unnecessarily stores sensitive information within cookies. Depending on which areas of online banking the user visits this information may include the following: Full name, credit card number, bank account number and sort code, alias and user ID."
The bank, however, claims that it has now addressed these security issues. In a statement to Computing, it said: "Santander takes the security of our customer data very seriously and we continually review our Cookie Policy and all other relevant systems to ensure we maintain the highest standards. Concerns around the three main elements relating to the storage of customer data in cookies have been addressed fully and further enhancements are planned."