This Issue's Contents

BCS Logo

Feature abstract

Seeking after the truth in computer evidence: any proof of ATM fraud? by Stephen Castell

'The revelation that Save & Prosper, the retail banking arm of Robert Fleming & Co, has been the victim of a 200,000 credit card fraud...shows how easy it can be to fool...card security systems. Details of customers' cards were stolen and encoded on to other cards, such as those for petrol points. The bank suspected internal collusion after print-outs containing card details went missing, but an enquiry proved inconclusive. All affected customers have been reimbursed.

Last month, it was revealed that 130,000 had been stolen from Abbey National cardholders during 1994 and 1995 with counterfeit cards. Andrew Stone, a bank security consultant who had been advising Which?, the magazine of the Consumers' Association, was jailed for five and a half years for the theft. This fraud involved spying on Abbey customers as they used their cards in automated teller machines (ATMs) or cash dispensers... [Stone] recorded card details and personal identification numbers (PINs) using powerful video cameras.

The details were then encoded on the magnetic strips of other cards. Although all 500 victims were reimbursed by the bank, the stolen money has not been recovered... Such cases have highlighted yet again the serious issue of plastic card security...Card-issuers have been forced to admit that their security systems are not infallible and that 'phantom' withdrawals from ATMs are not always explained by the cardholder's negligence, or fraud by friends and relatives...'
From 'Where the bucks stop', Matthew Wall, Financial Times, October 19, 1996

'Experts agree...that technological failures account for only a tiny percentage of ATM losses'
From 'Phantom withdrawals continue to haunt banks', Financial Times, Alan Cane, September 21, 1996

As an expert witness instructed in the Andrew Stone prosecution referred to in both of these recent FT articles I do not agree that it is clear that card-issuers have been 'forced to admit' anything concerning the fallibility of their security systems; nor that software, computer system or data communications network errors account for 'only a tiny percentage' of losses. Furthermore, reliability of evidence derived from computer systems and used at any criminal trial should never be a 'percentage game'.

It has been my experience that, since banks and building societies steadfastly refuse to allow independent experts direct access to their technical personnel, systems, software, audit reports, transaction logs and so on in order to carry out their own non-partisan investigations, it is impossible to come to any forensically sound conclusion on these matters in specific circumstances (which is what counts, generalisations being of little relevance in a given litigation).

The problem of proving an ATM fraud using computer evidence
Any ATM network is merely an example of computer and communications systems for which the difficulties of obtaining undoubted evidence in order to provide convincing forensic proof are well-known.These difficulties arise from, inter alia, the inherent 'untrustedness' of computer systems [1, 2] which can be readily argued on fundamental mathematical and computer design/architectural grounds; the legal consensus which there has historically been that computer evidence is hearsay, not direct, evidence (giving rise to the still current admissibility and certification provisions in criminal trials); and the somewhat arcane nature of computer technology and software systems engineering which can present many pitfalls to the layperson.These difficulties were neatly summed up in Countering Computer Fraud[3]:

'A British Computer Society conference proceedings report points out that the main problems in any fraud investigation involving a computer system is identifying how the fraud occurred in the first place. Very few installations are in a position to give a guarantee that a genuine mistake has not occurred somewhere in the processing. Even where a fraud is certain, the problems of gathering the correct evidence and obtaining a conviction are likely to be too great for an investigator who does not have specialist computer knowledge.'

A more recent illustration of the problem was given in a Financial Times item of October 25, 1996:

'The National Savings Agency is in such a muddle that one account that should have been in credit appeared to be 37m in the red when checked by auditors... The National Audit Office (NAO), the public spending watchdog, said control systems were so bad it was impossible to tell whether a string of mistakes was the result of computer error, human error or fraud.'

Sir John Bourne, auditor-general of the NAO, put it succinctly:

'The absence of a clear trail from the individual customer transactions into the financial accounting systems makes it difficult for management to establish the integrity of financial accounting systems information.'

The defendant's rights and burden of proof
A defendant has the right to examine every link in the chain of evidence proffered against him. If the prosecution is properly to set about proving an allegation of ATM fraud against a defendant it must therefore be prepared to provide to defence experts:
  • documents relating to the definition, design, specification, procurement, development, testing, acceptance, implementation, performance monitoring, audit, security and integrity of the relevant banks' ATM systems (hardware, software and data communications networks);
  • a full set of the relevant banks' security and quality documentation (including security policies and standards), cryptographic key management procedures and logs, financial audit and insurance inspectors' reports, test and bug reports, ATM records and logs, details of all prior customer complaints.
'Phantom withdrawal' - terminology
The term 'phantom withdrawal' or 'phantom transaction' has been used for some time in the ATM and computer evidence fields to describe a variety of possible situations giving rise to the unexplained (or apparently unexplained) computer recording on a customer's cashcard account of a cash withdrawal from a bank's cash machine.

The phrase 'phantom withdrawal', while not being a precise term of art in these fields, is now sufficiently widely used, and well-used, to convey the essence of the matter: a lack of consensus among the interested parties as to either the fact of a cash withdrawal at all, or as to who (or what) was responsible for there being present (or absent) a particular computer or other documentary record of such a withdrawal.

The essential feature of a 'phantom withdrawal', then, is simply that there is a dispute over the details of an ATM transaction as recorded in the relevant banks' computer and/or manual records. A better term for a 'phantom withdrawal' is thus a 'disputed ATM transaction' and this is the terminology which, I suggest, should in future generally be used.

Disputed ATM transaction scenarios
A disputed ATM transaction can arise from a number and variety of situations - I have identified at least 14 distinct scenarios, and this is by no means an exhaustive list. Furthermore, the true situation could be a combination of one or more of these scenarios; and in practice it is impossible to know merely by making an inference of a withdrawal of monies from an ATM by reading a computer-produced customer's bank statement (whether or not such an inference is itself disputed) which situation (or combination) is in truth the most likely explanation.

The problem with attempting a sensible, objective, non-partisan analysis of this matter in a particular set of circumstances is that any independent computer professional investigating is necessarily wholly reliant on the banks themselves, and their cashcard customers, for (access to) the source data, the computer systems, and computer and other documentary records relevant to disputed ATM transactions.

In my experience, the banks have been reluctant to divulge to independent computer professionals the source data, design details, computer audit trails and operational circumstances of their ATM networks, and access to the relevant computer software, systems and data communications networks, which are necessary for a thorough, independent analysis of disputed ATM transactions to be carried out [4].

Use of the better terminology 'disputed ATM transactions' would, I believe, provide a more revealing context for a general acceptance that it is for the banks to prove that the computer records which they seek to adduce as evidence of such transactions do indeed 'tell the truth', beyond any reasonable doubt; and that the process of establishing such proof must always include the willingness to open-up source computer systems and records for independent expert inspection.

Undoubted evidential reliability?
In my study on computer evidence for the CCTA [5] I highlighted the need for computer systems and operational practices properly capable of forensic scrutiny, delivering undoubted evidential reliability. The refusal of ATM network operators to allow objective professional examination of the sources of computer-derived evidence proffered at 'phantom withdrawal'-related trials does nothing to build confidence that they are running systems which meet this essential requirement.

In 1995 the Law Commission issued Consultation Paper Number 138 (Computer Evidence), which deals with S69 of the Police And Criminal Evidence Act 1964 and is an extract from its wider consideration of Evidence in Criminal Proceedings: Hearsay and Related Topics. My response to the Law Commission put forward the somewhat extreme proposal that every criminal trial which seeks to rely on computer evidence should first be a trial of the computer systems from which evidence is to be derived. An edited version of this response has been submitted to appear in a forthcoming issue of the new International Journal of Evidence & Proof. Comments are invited from all concerned computer professionals.

On January 23, 1997 in London, the Law Specialist Group will hold a meeting on Computer Disasters and Software Quality: Specification of Requirements v. Fitness for Purpose? It will take the form of a hearing, with Dr Stephen Castell, Committee Member, as Chairman and a team of lawyers and computer experts appearing for Plaintiff and Defendant in the mythical 2m case The Innocent User Company v. The Powerful Software Suppliers Ltd. The real July 1996 St Albans City and District Council v. ICL Appeal Court precedent will feature; and the question of whether software should be Year 2000-compliant will be discussed.

  1. Castell, S. (1993) Computers trusted, and found wanting. The Computer Law and Security Report, 9, July-August, pp. 155-156.
  2. Castell, S. (1994) A computer of the simplest kind...The Computer Law and Security Report, 10, May-June, p. 158).
  3. Countering Computer Fraud (1987) Institute of Chartered Accountants in England and Wales, Information Technology Group , ISBN 0 85291 8534, p.60.
  4. Anderson, R. (1996) Card Fraud and Computer Evidence - A closer look at the Munden case. Information Security Bulletin 1, 1, October. CHI Publishing Ltd, Leicestershire.
  5. The APPEAL Report (1990), May. Eclipse Publications, ISBN 1-870771-03-6.
Dr Stephen Castell MBCS formed Castell Computer and Systems Telecommunications Ltd ('CASTELL') Management and Financial Consultants in Information Technology in 1978. He was a senior applied mathematician and research manager in industry before joining Touche Ross & Co as a Management Consultant, working on a variety of commercial computer systems projects, particularly in the banking and finance sectors.

Prior to forming his own consultancy company , he was for three and a half years Group Management Services Manager for Bremar Holdings Limited, international merchant bankers, where he was also involved in corporate finance and venture capital business.

Dr Castell is well-known for developing businesses in voice telephony (National VoiceNet), data broadcasting (BBC Datacast), satellite communications (BBC Eurocast, BT Shield) and on-line information services (BBC Data, Infolex); and in driving the discussion of the 'legal reliability' of information systems and technologies. As an expert witness in computer litigations he has acted in many cases including the largest computer action to have come to trial in the English High Court. He is the founder of Channel 5 Digital Television plc.

CASTELL 20 Grange Road, Wickham Bishops, Witham, Essex CM8 3LT. Tel: 01621 891776. Fax: 01621 892553.

This Issue's Contents
Copyright British Computer Society 1996