Banking: the PIN and the ATM
by Stephen Mason
This article was published in the New Law Journal, Volume 159, No 7376, 10 July 2009, 976 (the article published on this web site has been slightly amended)
Copyright in this article belongs to the author, Stephen Mason, and the author has asserted his right under the Copyright, Designs and Patents Act 1988 to be identified as the author of this work.
The author grants you a licence to download and print copies of this article PROVIDED THAT you (a) retain the copyright notices contained at the beginning and end of the article in their entirety, (b) clearly identify this article as being written by the author in electronic and printed versions if you refer to it, and (c) only use it for your private purposes.
The ATM and plastic card have become central to our lives, yet the technology is not perfect. Should the bank refuse to accept that withdrawals were the result of the actions of a thief, the customer’s only option may be to take legal action to recover their money. This happened to Mr Job, and although a number of commentators considered this trial to be a test case, the judge made it clear that it was not. Nevertheless it was a highly unusual case. For instance, there is extensive case law in Germany, comprising decisions by courts of first instance and appellate courts in relation to PINs and ATMs, yet the case of Job appears to be the first case of its kind in the United Kingdom that has gone to trial.
Summary of the facts
Seven cash withdrawals totalling £2,100 were made from Mr Job’s account in February 2006 by way of two ATMs in Reading. Mr Job said he did not make the withdrawals, and he claimed that he did not authorize any third party to make them. He also denied that his card had ever left his possession, and said that he had never allowed anyone else to know his PIN (a form of electronic signature). Mr Job subsequently complained to his bank, who rejected his claim. He took his case to the Financial Ombudsman Service, who also rejected his claim. Mr Job subsequently began legal proceedings to recover the money in February 2007 as a litigant in person. The author began to represent Mr Job in the winter of 2008 on behalf of the Bar Pro Bono Unit.
The law
This was a breach of mandate case, and s24 of the Bills of Exchange Act 1882 applied. The bank relied on the purported electronic signature of Mr Job, and it was argued by counsel for Mr Job that the burden of proof was on the bank to prove that it acted in accordance with the mandate, in that:
1. Cash in respect of each of the transactions was physically withdrawn from the ATMs.
2. Mr Job’s card was used in each transaction.
3. Mr Job or a person authorised by him concluded the transactions, or that his carelessness enabled an unauthorised person to do so. Even if the correct PIN was entered into the ATM, it does not follow that Mr Job or a person authorised by Mr Job entered the PIN. A perfect forgery is nonetheless a forgery. The bank requires a PIN to be used, even though the use of a PIN acts to prevent the bank distinguishing a forged signature from a perfect signature.
Alibi evidence corroborating Mr Job’s whereabouts covering a number of the transactions in dispute was not available. Mr Job’s daughters gave statements, but neither appeared in court to give evidence, because they informed their father the night before the trial that they had university exams on the day of the trial.
The evidence relied upon by the bank
The bank relied upon one item of evidence – a print-out of internal logging software. This is secondary evidence, that is, the evidence recorded in the log consisted of information sent to it from other sources, in turn processed by other software components, and subject to the usual problems of inaccuracy regarding any digital data that is highly processed.
There were a number of possible primary items of evidence that the bank could have put before the court:
1. The card. This was not available, because it had been destroyed at the request of the bank. The card would have been useful to test, because every card contains an Application Transaction Counter, which increases by one increment each time a transaction is initiated. Had this been available, it might have been possible to determine fairly conclusively whether Mr Job’s card was used in the transactions in dispute.
2. The ATM logs. The ATM logs might have confirmed that cash was physically dispensed, thus eliminating the possibility that an insider withdrew the money.
3. The Authorization Request Cryptogram (ARQC) and Authorization Response Cryptogram (ARPC). Every time a chip and PIN card is inserted into an ATM, an ARQC is generated from the symmetric cryptographic keys on the card. Then the ARPC is generated by the bank in response to the ARQC. This is a cryptographic response that includes the decision by the bank whether to trust the authorization request. It is sent back to the card for validation before the transaction is completed. The cryptogram would have provided strong evidence that Mr Job’s card had been used to make the withdrawals. The bank destroyed this evidence.
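The sketch below is an added illustration, not code from the article or from any bank. It shows how retained cryptograms and Application Transaction Counter values could be re-checked against an issuer's keys after the event. HMAC-SHA256 stands in for the 3DES/AES-based EMV algorithms, and the keys, card number, field names and log records are all constructed for the example.

```python
import hashlib
import hmac

def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    # Stand-in derivation: real EMV cards derive keys with 3DES/AES, not HMAC-SHA256.
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()

def arqc(card_key: bytes, atc: int, amount_pence: int, nonce: bytes) -> str:
    # The ATC feeds both the per-transaction key and the MACed data, so a
    # cryptogram is bound to exactly one counter value.
    atc_bytes = atc.to_bytes(2, "big")
    session_key = hmac.new(card_key, atc_bytes, hashlib.sha256).digest()
    data = atc_bytes + amount_pence.to_bytes(6, "big") + nonce
    return hmac.new(session_key, data, hashlib.sha256).hexdigest()[:16]

def review_log(records, issuer_master_key, pan, last_trusted_atc):
    """Return (record id, cryptogram_valid, atc_advanced) for each record."""
    card_key = derive_card_key(issuer_master_key, pan)
    findings, prev_atc = [], last_trusted_atc
    for rec in records:
        expected = arqc(card_key, rec["atc"], rec["amount_pence"], rec["nonce"])
        valid = hmac.compare_digest(expected, rec["arqc"])
        advanced = rec["atc"] > prev_atc   # gaps are allowed, repeats are not
        findings.append((rec["id"], valid, advanced))
        if valid and advanced:
            prev_atc = rec["atc"]
    return findings

# Constructed sample data: keys, PAN and records are invented for this example.
MASTER_KEY = b"constructed-issuer-master-key"
PAN = "4000000000000002"
_GENUINE = derive_card_key(MASTER_KEY, PAN)
_OTHER = derive_card_key(b"some-other-key", PAN)   # a card without the issuer's key

def _rec(rec_id, key, atc, amount_pence):
    nonce = hashlib.sha256(rec_id.encode()).digest()[:4]  # terminal random number
    return {"id": rec_id, "atc": atc, "amount_pence": amount_pence,
            "nonce": nonce, "arqc": arqc(key, atc, amount_pence, nonce)}

SAMPLE_LOG = [
    _rec("tx1", _GENUINE, 41, 30000),   # genuine card, counter advances
    _rec("tx2", _GENUINE, 43, 30000),   # genuine card, a gap is acceptable
    _rec("tx3", _OTHER, 44, 30000),     # cryptogram not produced by this card's key
    _rec("tx4", _GENUINE, 43, 30000),   # valid cryptogram but a repeated counter
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG, MASTER_KEY, PAN, last_trusted_atc=40):
        print(finding)
```

A record that fails either check cannot be attributed to the genuine card on the log entry alone, which is why the destroyed card and cryptograms mattered as primary evidence.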
The judgment
The judge concluded that Halifax had discharged its burden and proved that Mr Job’s card was used in the ATMs. He did not reach any conclusion as to how the withdrawals were made, only that they were made by Mr Job, or by someone authorised by him, or by gross negligence. In addition, the judge rejected the argument that the bank should prove each step in the process (cash withdrawn from the ATM and evidence of the ARQC).
The decision reached by the judge concluded that the absence of a history of successful fraudulent attacks on on-line chip and PIN transactions, and the absence of any evidence of systems failure, indicated that the transactions could be taken at face value, and were important pieces of evidence from which it was open to the court to draw the inference that these were transactions that took place using Mr Job’s card and his PIN.
Mr Job did not have legal help when he initiated his claim, otherwise the bank would have faced compelling arguments to produce relevant additional evidence at disclosure. Although it is for the bank to prove the card and PIN are used, a claimant must not underestimate the technical complexity that must be mastered before taking legal action.
© Stephen Mason, 2009
