How fraudsters are stealing ‘BILLIONS’ using chip and pin hack… because banks refuse to admit the scam exists
- EXCLUSIVE: Cambridge computer professor says banks deny chip & pin exploits
- Prof Ross Anderson accused banks and watchdog of enabling fraudsters
Banks are ‘encouraging’ fraudsters to steal ‘billions’ of pounds from customers by denying that exploits in chip and pin systems are possible – and the watchdog is allowing them to do it, a leading expert has claimed.
Chip and pin was introduced in the UK in the early 2000s after banks accepted security failings which meant magnetic strips on debit and credit cards could be cloned, letting criminals rinse victims at cash points.
But scientists, such as security engineering professor Ross Anderson, of Cambridge and Edinburgh Universities, have been able to show for more than a decade that the new technology is vulnerable to attacks, including via hacked card machines.
Banks repeatedly tell fraud victims that chip and pin transactions cannot be compromised in an apparent bid to deny refunds they are legally required to make, he says.
The Financial Services Ombudsman (FOS) doubles down on these misleading claims when victims challenge their banks’ decisions – and almost always rules in favour of the banks, according to the first ever analysis of its kind by Prof Anderson.
Payment service providers are legally required to refund unauthorised transactions under the Payment Services Regulations 2017, unless they can prove they were authorised by the customer, the result of their gross negligence or user fraud.
If a bank denies a refund and a customer disagrees, they can complain to the FOS who will then decide whether or not to uphold the complaint.
The watchdog sided with customers just four times – two full and two partial refunds – out of a sample of two dozen cases studied by Prof Anderson in which he said chip and pin security failures likely allowed a fraud to occur.
Banks initially refused refunds in all these cases because transactions were ‘carried out using the genuine card and PIN’. They said that since only the customer knew the PIN and they had their card on them at all times, they must have authorised the payment.
FOS investigators almost always accepted banks’ chip and PIN data at face value and agreed with the banks’ assertions that the system’s security is virtually unbeatable.
But just because banking data shows the card and PIN were used does not mean that they actually were, or that a customer authorised the amount paid, because fraudsters have developed techniques to cheat security measures, according to Prof Anderson.
‘By denying the existence of robbery and blaming the victims the banks are encouraging even more of it,’ the card fraud expert told MailOnline.
‘The ombudsman was set up a generation ago to minimise litigation costs for the industry.’
He accused the FOS of being ‘in a state of self-deception’ over chip and pin security vulnerabilities, adding that the body ‘operates in a bubble’ with big banks.
‘My estimate is that banks have been dumping over a hundred million a year on customers in misattributed fraud losses for at least a decade’, Prof Anderson said.
‘This is based on surveys on changing cybercrime we’ve done at various times – a big one in 2010 and another in 2017.’
And now the chairwoman of the House of Commons Treasury Select Committee, Harriett Baldwin, has urged banks and regulators to act, saying: ‘Economic crimes like this are a concern for our committee and banks and the payment systems regulator must work tirelessly to stay ahead of these criminal scams.’
Prof Anderson explained that fraudsters can deploy hacked card terminals, meaning there is ‘no trustworthy user interface’. Such a machine can display a different amount from the real charge, so a victim pays more than they agreed to.
More sophisticated ‘pre-play’ attacks queue up a series of fraudulent transactions after a customer enters their PIN on a bogus terminal. This method has been used in venues such as bars and strip clubs – who often spike patrons – across Europe, South America and the UK for more than a decade.
Another method, which bypasses the need to enter a PIN entirely, involves a device the size of a phone SIM stuck onto a bank card.
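As an added illustration that is not from the article, any bank or any card scheme, the regular, script-like timing of queued charges at one merchant, which the article later notes one customer described, is a pattern an issuer’s fraud team can score when assessing a disputed card-present transaction. Every record below, including the `Txn` structure and the thresholds, is constructed for the example.

```python
"""Timing heuristic for 'queued-up' card transaction bursts.
Added illustration, not from the article, a bank or any card scheme. A
pre-play attack lets a tampered terminal submit several pre-computed
charges after one PIN entry; submitted by a script they tend to arrive
as a tight, evenly spaced burst at one merchant. A triage signal only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby
from statistics import mean, pstdev

@dataclass(frozen=True)
class Txn:
    card: str
    merchant: str
    when: datetime
    amount_pence: int

def find_queued_bursts(txns, min_run=3, max_gap=timedelta(minutes=5), max_jitter=0.25):
    """Runs of >= min_run charges at one merchant where every gap is
    <= max_gap and the gaps' spread (stdev/mean) is <= max_jitter."""
    hits = []
    by_card_merchant = lambda t: (t.card, t.merchant)
    ordered = sorted(txns, key=lambda t: (by_card_merchant(t), t.when))
    for (card, merchant), group in groupby(ordered, key=by_card_merchant):
        run = []
        for t in list(group) + [None]:  # trailing None flushes the last run
            if t is not None and (not run or t.when - run[-1].when <= max_gap):
                run.append(t)
                continue
            if len(run) >= min_run:
                gaps = [(b.when - a.when).total_seconds() for a, b in zip(run, run[1:])]
                if pstdev(gaps) <= max_jitter * mean(gaps):  # machine-regular spacing
                    hits.append((card, merchant, run))
            run = [] if t is None else [t]
    return hits

def sample_txns():
    """Constructed records: four bar charges 65 s apart after one visit,
    plus ordinary spending whose timing is irregular or isolated."""
    t0 = datetime(2024, 6, 1, 23, 10)
    burst = [Txn("card-A", "BAR-001", t0 + timedelta(seconds=65 * i), amt)
             for i, amt in enumerate([4500, 12000, 12000, 25000])]
    normal = [
        Txn("card-A", "SUPERMARKET-9", datetime(2024, 6, 1, 9, 2), 2310),
        Txn("card-B", "RESTAURANT-7", datetime(2024, 6, 1, 19, 0), 6200),      # bill
        Txn("card-B", "RESTAURANT-7", datetime(2024, 6, 1, 19, 2), 800),       # tip
        Txn("card-B", "RESTAURANT-7", datetime(2024, 6, 1, 19, 2, 30), 400),   # drinks
    ]
    return burst + normal
```

The restaurant trio is close together but unevenly spaced, so it is not flagged; only the evenly spaced bar burst is, which is the kind of corroborating timing evidence an investigator could weigh against a bare ‘card and PIN were used’ assertion.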
But UK Finance, which represents 300 British banks and finance firms, told MailOnline: ‘There are strict industry standards for all card payment terminals to ensure they are secure and can be trusted by retailers and customers.’
The FOS has a two-stage process if a customer complains. An investigator makes a decision in the first stage; if either party disagrees, the case goes to a second stage, where an ombudsman makes a final decision.
The second stage, which not all cases reach, produces a final decision from an ombudsman, which is then published by the watchdog.
Prof Anderson noted that in these decisions the banks and FOS often said that it was practically impossible for the chip in a card to be ‘cloned’ when customers suggested they had been the victim of a technical fraud.
He explained that while this is technically true, it is not relevant as a chip does not need to be ‘cloned’ – in the way a magnetic stripe might – for these hacks to work.
‘They place completely false reliance on the fact that chip and PIN cards are hard to clone,’ the Cambridge Computer Laboratory professor said.
‘Use of the word “cloning” is a soft spot for the customer who has no idea what is going on.
‘The reality is there is no trustworthy user interface, so you don’t know what transaction you are authorising. You don’t even need to put in a PIN as fraudsters can pass off chip and signature transactions as chip and PIN.
‘There are so many weak links in the chain and they divert attention by saying cards cannot be cloned – which is true but not relevant.’
One decision from 2020 said a customer had forwarded research to the FOS showing that it was ‘possible to clone a card, it was technically possible the chip and PIN system was flawed, and a PIN could look as if it was correctly entered when it hadn’t been.’
This customer said multiple unauthorised transactions had been paid from his account to clubs he had not been to while on holiday, and that they were timed in a way that looked as if they had been queued up on a computer.
While the ombudsman said she was ‘aware of the research’, she had ‘never seen an instance of a chip being cloned outside of laboratory conditions’. She said the data showed the transactions were authorised by the complainant and denied the claim.
Prof Anderson said: ‘In a case like that you absolutely cannot say the account was debited with the customer’s mandate.
‘It’s entirely wrong to say that “because a customer’s card was used, and a PIN was entered, they did authorise a transaction”. It’s completely crooked.
‘They keep saying because you had a card at the end of the night that they won’t do a refund as it is unlikely it would have been returned without him noticing – but they can take the card and return it if a victim is drugged.’
He added: ‘If [sex workers] have learned that, provided you put card back in guy’s wallet the bank won’t reverse charges, then of course they’re going to put the card back.’
He said that after studies his team ‘came to the conclusion that banks’ numbers are unreliable as they say that a lot of frauds are not… so they won’t record them.
‘And they feel they have to say systems are secure because they would have an avalanche of false fraud claims. The problem of this position is that genuine fraud claims are denied and steamrolled.
‘With the ombudsman we see people have been robbed in dodgy bars in foreign countries, put at risk of life and limb as robbers know they can get away with it.
‘And the reason they know they can get away with it is because banks have for years been refusing to charge back the proceeds of robberies to customer cards where the customer maintains possession of their card at the end of the robbery.’
Prof Anderson added: ‘The design of banking products enables fraud in all sorts of ways. In the old days [before bank cards], if I went to a seedy establishment I could get robbed for whatever cash I had in my pocket – £30 to 50 and my nice watch.
‘Not any more. Now, because of the tech banks have rolled out everyone is rolling around with the price of a nice car in their pocket. £2,000 on this card, £5,000 on that, £13k on this and £10k on a credit card – that’s the price of a Mini Clubman.
‘Would it occur to you to walk down to a club with €30,000 in a wedge in your hand?’
When asked to provide examples where the FOS ruled in favour of a customer who had been defrauded with the use of a tampered card terminal, a spokesperson shared five cases. None of these says the cause of the fraud was a hacked terminal.
Several were cases where a store had been defrauded by criminals distracting a shop assistant to process a fake refund onto their card. One of these cases appeared to be a pre-play attack or similar, but the customer was only handed a partial refund and the decision did not say the cause could have been a tampered terminal.
A Financial Ombudsman Service Spokesperson told MailOnline: ‘Being the victim of a fraud or scam can be a terrible experience, which is why we thoroughly investigate every case that comes to us.
‘In recent years, we have upheld thousands of consumers’ complaints, returning more than £150m to those who have been victims of fraud and scams.
‘Our investigators are always fair and impartial. When investigating a case, they not only review all the available evidence but, where necessary, consult the relevant research, industry codes and good practice.
‘We’re absolutely committed to providing a service which people can use with confidence, and which resolves their complaints efficiently and without bias.’
A UK Finance spokesperson told MailOnline: ‘Fraud has a devastating impact on victims and the money stolen funds serious organised crime, so the banking and finance industry’s primary focus is always on stopping fraud from happening in the first place.
‘There are strict industry standards for all card payment terminals to ensure they are secure and can be trusted by retailers and customers.
‘Where a customer believes they have fallen victim to fraud, they should report it to their bank immediately. Banks carefully assess cases on an individual basis and if a customer is unhappy with the decision they can speak with the independent Financial Ombudsman Service.’