A customer is set to take on his bank over so-called phantom withdrawals, marking the first such legal case in the UK.
Alain Job saw £2,100 disappear from his account but maintains he always had his card in his possession and didn't do the withdrawal. He took his complaint to the UK's Financial Ombudsman Service, which mediates disputes between banks and customers, but lost in early 2007.
Job decided to sue over the phantom withdrawal, marking the first such case in the UK, challenging what banks contend is a strong security system designed to prevent card fraud, said Ross Anderson, a security engineering professor at the University of Cambridge. Job's case will be heard in Nottingham County Court on 30 April.
Job could not be immediately reached. An expert witness who is scheduled to testify next week said he and Job can't publicly comment on the lawsuit so as to not unduly influence its outcome.
Job's case brings into question the security of the chip-and-PIN (personal identification number) card system introduced throughout Europe several years ago after widespread card fraud. Rather than using a signature to complete a transaction at a merchant, a person must enter a four-digit PIN, which is verified by a cash machine or point-of-sale terminal through the card's microchip.
But Anderson - who has been a very vocal critic of chip-and-PIN - as well as other security researchers at Cambridge have highlighted several technical flaws with the system that could explain how Job lost his money.
Anderson and Nicholas Bohm, a retired lawyer, submitted a paper earlier this year detailing how chip-and-PIN could be subverted as part of a review of the Financial Ombudsman Service.
Cash machines use verification mechanisms to ensure a particular card hasn't been cloned, but in some cases those checks can be bypassed. Some cash machines will read account data off a card's magnetic strip if the chip isn't working.
Also so-called "yes" cards can be created that can perform a transaction with any PIN if a particular machine is allowed to authorise transactions without connecting back to the bank, according to the paper. Researchers have also proven it is possible to obtain a secret key off of a chip that computes a transaction certificate that would indicate the card is legitimate to a cash machine even though it's faked.
Halifax maintains it has evidence that Job's real card was used at a cash machine, although the bank has not yet revealed those details, Anderson said.
Technical details aside, Anderson said British banks have put blind faith into their security technology and pushed the liability for losses back on unknowing customers.
"When the banks designed the chip-and-PIN system, they thought they would dump the risk of fraud on others," Anderson said.
In the US, the responsibility lies with the banks to prove the customer is at fault or they must refund the money, Anderson said. In the UK, the process is much more opaque, with the Financial Ombudsman Service tending to side with banks, according the paper.
"It's really important that we move away from the UK approach of letting the banks claim the system is secure," Anderson said.
Job's court date next week has the potential to change how banks must address fraud. "This case could make a difference," Anderson said. "We don't know which way it is going to go."
Find your next job with techworld jobs