Banks are ‘encouraging’ fraudsters to steal ‘billions’ of pounds from customers by denying that exploits in chip and pin systems are possible – and the watchdog is allowing them to do it, a leading expert has claimed.
Chip and pin was introduced in the UK in the early 2000s after banks accepted security failings which meant magnetic strips on debit and credit cards could be cloned, letting criminals rinse victims at cash points.
But scientists, such as security engineering professor Ross Anderson, of Cambridge and Edinburgh Universities, have been able to show for more than a decade that the new technology is vulnerable from attacks, including hacked card machines.
Digital security expert Professor Ross Anderson (pictured) has said banks and the watchdog are encouraging card fraudsters
Banks repeatedly tell fraud victims that chip and pin transactions cannot be compromised in an apparent bid to deny refunds they are legally required to make, he says.
The Financial Services Ombudsman (FOS) doubles down on these misleading claims when victims challenge their banks’ decisions – and almost always rules in favour the banks, according to the first ever analysis of its kind by Prof Anderson.
Payment service providers are legally required to refund unauthorised transactions under the Payment Services Regulations 2017, unless they can prove they were authorised by the customer, the result of their gross negligence or user fraud.
If a bank denies a refund and a customer disagrees, they can complain to the FOS who will then decide whether or not to uphold the complaint.
The watchdog sided with customers just four times – two full and two partial refunds – out of a sample of two dozen cases studied by Prof Anderson in which he said chip and pin security failures likely allowed a fraud to occur.
Banks initially refused refunds in all these cases because transactions were ‘carried out using the genuine card and PIN’. They said that since only the customer knew the PIN and they had their card on them at all times, they must have authorised the payment.
FOS investigators almost always accepted banks’ chip and PIN data at face value and agreed with the banks’ assertions that the system’s security is virtually unbeatable.
But just because banking data shows the card and pin was used, does not mean it actually was or that a customer authorised the amount paid – because fraudsters have created techniques to cheat security measures, according to Prof Anderson.
‘By denying the existence of robbery and blaming the victims the banks are encouraging even more of it,’ the card fraud expert told MailOnline.
‘The ombudsman was set up a generation ago to minimise litigation costs for the industry.’
MailOnline can exclusively reveal that banks repeatedly tell fraud victims that chip and pin transactions cannot be compromised in an apparent bid to deny refunds they are legally required to make (stock photo)
He accused the FOS of being ‘in a state of self-deception’ over chip and pin security vulnerabilities, adding that the body ‘operates in a bubble’ with big banks.
‘My estimate is that banks have been dumping over a hundred million a year on customers in misattributed fraud losses for at least a decade’, Prof Anderson said.
Chairwoman of the House of Commons Treasury Select Committee, Harriett Baldwin, has urged banks and regulators to act
‘This is based on surveys on changing cybercrime we’ve done at various times – a big one in 2010 and another in 2017.’
And now the chairwoman of the House of Commons Treasury Select Committee, Harriett Baldwin, has urged banks and regulators to act, saying: ‘Economic crimes like this are a concern for our committee and banks and the payment systems regulator must work tirelessly to stay ahead of these criminal scams.’
Prof Anderson explained fraudsters can deploy hacked card terminals meaning there is ‘no trustworthy user interface’. These machines can display different amounts to the real charge, so a victim spends more than they agreed to.
More sophisticated ‘pre-play’ attacks queue up a series of fraudulent transactions after a customer enters their PIN on a bogus terminal. This method has been used in venues such as bars and strip clubs – who often spike patrons – across Europe, South America and the UK for more than a decade.
Another method which bypasses the need to enter a PIN entirely involves a phone SIM-sized device the size of a stuck onto a bank card.
But UK Finance, which 300 British banks and finance firms, told MailOnline: ‘There are strict industry standards for all card payment terminals to ensure they are secure and can be trusted by retailers and customers.’
The FOS has a two-stage process if customer complains. An investigator makes a decision in the first stage, but if either party disagrees it will then go to a second stage for where an ombudsman will make a final decision.
The second stage, which not all cases go to, is a final decisions from an ombudsman, which is then published by the watchdog.
Prof Anderson noted that in these decisions the banks and FOS often said that it was practically impossible for the chip in a card to be ‘cloned’ when customers suggested they had been the victim of a technical fraud.
He explained that while this is technically true, it is not relevant as a chip does not need to be ‘cloned’ – in the way a magnetic stripe might – for these hacks to work.
‘They place completely false reliance on the fact that chip and PIN cards are hard to clone,’ the Cambridge Computer Laboratory professor said.
Falklands war hero Henry Williams ‘barely holding himself together’ after Barclays denied him a refund for losing £20k to ‘hacked card machine’
Falklands war hero Henry Williams (pictured), 63, fell victim to a £20,000 card scam while holidaying in Brazil
Falklands war hero Henry Williams who fell victim to a £20,000 card scam while holidaying in Brazil has said he is ‘barely holding himself together’ after being refused a refund by his bank who accused of trying to defraud them.
The former Royal Marine, 63, was forced to sell his treasured war medals after the financial hit left him ‘living hand to mouth’.
And he has now hit out against the banks after realising he is not the only victim of their claims about chip and PIN security.
A few days after visiting a bar with new friends he had met in Rio de Janeiro, Brazil in March last year, Mr Williams saw a Barclays phone notifications for transactions of around £3,000 – in the app he saw more pending payments totalling £17,000.
MailOnline reported in June that Barclays refused Mr Williams’ request for a refund, saying he must be trying to defraud the bank or told a fraudster his PIN as ‘the card has a chip capability which is used to ensure cards cannot be cloned or copied’.
But Prof Anderson said he had likely fallen victim to a pre-play scam.
Mr Williams sold his General Service Medal for Northern Ireland (left) and his South Atlantic Medal (right) for service during the Falklands War for £3,200 in March this year
Marine Williams (foreground) taking a photo break with military colleagues in between disarming Argentinian forces at the Airfield in Port Stanley, the Falkland Islands, in 1982
A few days after visiting a bar with new friends he had met in Rio de Janeiro, Brazil in March last year, Mr Williams (left with different friends at Copacabana Beach) saw Barclays phone notifications for transactions of around £3,000 – in the app he saw pending payments totalling £17,000
Mr Williams is currently in a battle with the bank and the Financial Ombudsman Service, who still have not made a decision after months of investigating.
And after learning that the tactics used by the bank against him were common, he told MailOnline: ‘Apart from just barely holding myself together for a year plus now, it fries my mind that the banks are in denial of it.
‘Yes my own pain and misery is severe, but to know there is this blanket of obsequious deception blows my mind.
‘You need faith in the great systems of our modern world, like the banks, but then it turns out they’re worse than the petty criminals on the street that they are enabling. It pulls the foundation of faith from beneath you.’
A Barclays spokesperson previously told MailOnline that they were not able to comment as Mr Williams’ case is still being investigated by the Ombudsman.
‘Use of the word “cloning” is a soft spot for the customer who has no idea what is going on.
‘The reality is there is no trustworthy user interface, so you don’t know what transaction you are authorising. You don’t even need to put in a PIN as fraudsters can pass off chip and signature transactions as chip and PIN.
‘There are so many weak links in the chain and they divert attention by saying cards cannot be cloned – which is true but not relevant.’
One decision from 2020 said a customer forwarded the FOS research that it was ‘possible to clone a card, it was technically possible the chip and PIN system was flawed, and a PIN could look as if it was correctly entered when it hadn’t been.’
This customer said multiple unauthorised transactions had been paid from his account to clubs had had not been to whilst on holiday were timed in a way that looked as if they had been queued up on a computer.
While the ombudsman said she was ‘aware of the research’ she had ‘never seen an instance of a chip being cloned outside of laboratory conditions’. They said the data showed the transactions were authorised by the complainant and denied the claim.
Prof Anderson said: ‘In a case like that you absolutely cannot say the account was debited with customer’s mandate.
‘It’s entirely wrong to say that ‘because a customer’s card was used, and a PIN was entered that they did authorise a transaction’. It’s completely crooked.
‘They keep saying because you had a card at the end of the night that they won’t do a refund as it is unlikely it would have been returned without him noticing – but they can take the card and return it if a victim is drugged.’
He added: ‘If [sex workers] have learned that, provided you put card back in guy’s wallet the bank won’t reverse charges, then of course they’re going to put the card back.’
He said that after studies his team, ‘came to conclusion that banks’ numbers are unreliable as they say that a lot of frauds are not… so they won’t record them.
‘And they feel they have to say systems are secure because they would have an avalanche of false fraud claims. The problem of this position is that genuine fraud claims are denied and steamrolled.
‘With the ombudsman we see people have been robbed in dodgy bars in foreign countries, put at risk of life and limb as robbers know they can get away with it.
‘And the reason they know they can get away with is it is because banks have for years been refusing to charge back the proceedings of robberies to customer cards where the customer maintains possession of their card at the end of the robbery.’
Prof Anderson added: ‘This is institutionalised corruption where you end up with institutions that pretend to be standing up for the customer, that are doing nothing like it. They’re supposed to be independent, but they were designed from the outset to serve the banks’ interests.
‘The ombudsman has been helping create an environment where eventually a British cardholder is going to be murdered.
‘When you get an anaesthetic in hospital, they make sure you have an empty stomach and they still monitor your blood oxygen. If you anaesthetise drunks and leave them to sleep it off on a whorehouse sofa then eventually someone will inhale vomit and die.’
Prof Anderson added: ‘The design of banking products enables fraud in all sorts of ways. In the old days [before bank cards], if I went to a seedy establishment I could get robbed for whatever cash I had in my pocket – £30 to 50 and my nice watch.
‘Not any more. Now, because of the tech banks have rolled out everyone is rolling around with the price of a nice car in their pocket. £2,000 on this card, £5,000 on that, £13k on this and £10k on a credit card – that’s the price of a Mini Clubman.
‘Would it occur to you to walk down to a club with €30,000 in a wedge in your hand?’
When asked to provide examples where the FOS ruled in favour of a customer who had been defrauded with the use a tampered card terminal, a spokesperson shared five cases. None of these say the cause of the fraud was a hacked terminal.
Several were cases where a store had been defrauded by criminals distracting a shop assistant to process a fake refund on their card. One of these cases appeared to be a pre-play attack or similar, but the customer only was handed a partial refund and the decision did not say the cause could have been a tampered terminal.
A Financial Ombudsman Service Spokesperson told MailOnline: ‘Being the victim of a fraud or scam can be a terrible experience, which is why we thoroughly investigate every case that comes to us.
‘In recent years, we have upheld thousands of consumers’ complaints, returning more than £150m to those who have been victims of fraud and scams.
‘Our investigators are always fair and impartial. When investigating a case, they not only review all the available evidence but, where necessary, consult the relevant research, industry codes and good practice.
‘We’re absolutely committed to providing a service which people can use with confidence, and which resolves their complaints efficiently and without bias.’
A UK Finance spokesperson told MailOnline: ‘Fraud has a devastating impact on victims and the money stolen funds serious organised crime, so the banking and finance industry’s primary focus is always on stopping fraud from happening in the first place.
‘There are strict industry standards for all card payment terminals to ensure they are secure and can be trusted by retailers and customers.
‘Where a customer believes they have fallen victim to fraud, they should report it to their bank immediately. Banks carefully assess cases on an individual basis and If a customer is unhappy with the decision they can speak with the independent Financial Ombudsman Service.’
How fraudsters exploit chip and pin vulnerabilities to steal YOUR cash
HACKED CARD TERMINAL DISPLAY
Fraudsters can tamper with chip and pin machines so that the display shows a different amount to what actually ends up being charged.
An unsuspecting customer could think they are paying £30 for a taxi ride, but they could end up seeing £500 taken from their account.
‘PRE-PLAY’ ATTACK
Sophisticated ‘pre-play’ attacks involve a tampered terminal which harvests authorisation codes – how banks verify transactions – after a customer uses their card and enters their pin and then use these to play out many large transactions.
This fraud method has been seen increasingly more in Europe’s strip clubs and nightclubs – and has even made its way to the UK.
Scammers will not put through one massive transaction at once – as they know banks block single large transactions to check for fraud – and may call the customer to ensure it is legitimate.
So fraudsters will ‘pre-play’ multiple smaller transactions using the harvested authorisation codes to queue up multiple cashouts.
But banks also perform ‘velocity checks’ which flag possible fraud if multiple transactions are performed in quick succession from the same card.
To counter this, scammers will queue up the transactions over the course of hours, or even days, rather than in quick succession. But this makes it easier for customers to make a successful fraud claims to the bank – as they can’t have paid a £2,000 tip to a stripper if they were tucked away in bed at the time the payment took place.
When the fraud is undertaken at a strip club, to stop patrons leaving, someone will often spike patrons with drugs like Rohypnol. ‘If you store up ten transactions and plan to replay them over the next ten hours, then you don’t want the punter to go to the bar next door and break the time series,’ Prof Anderson explained.
Drugging patrons also gives the venue the opportunity to rinse bank accounts connected to the other cards in their wallets, so victims can be taken for everything they are worth – or more if they have an overdraft facility.
READING PIN AND SPIKING THE VICTIM
A simple method of fraud used by seedy establishments requires just secretly watching a patron enter their PIN when at the bar.
The victim is then drugged and criminals use the cards to pay themselves thousands of pounds while they are passed out – all using a standard card machine.
‘NO-PIN OVERLAY SIM’ ATTACK
Fraudsters can attach a device the size of a phone SIM onto a stolen bank card to bypass the need to enter a PIN at a terminal entirely.
A ‘no-pin overlay SIM’ tells the machine that a payment is a chip and sign transaction – where a customer does not need to enter their pin but gives their signature for authorisation – but tells the card chip it was chip and pin.
