ATM and PIN problems with your card issuer: Actions to consider

Please note that the suggestions noted below are not legal advice, but suggestions that you might consider if you have difficulties in having any money refunded where money was removed from your account without your authority or knowledge. It must be emphasized that the bank has to determine whether a customer is telling the truth when they say money was withdrawn without their authority or knowledge. Chips were introduced to cards to try to eliminate or reduce fraud, and the evidence that a chip was read can go some way to proving it was the customer’s card, and not a cloned card in the ATM, for instance. The problem for the banking industry, as the fraud figures on the UK Payments Administration Limited (replaced APACS from 6 July 2009) web site illustrate, is that fraud has increased annually, despite the introduction of chip and PIN. This might mean the thieves have worked out how to clone chip and PIN cards, and that the banks’ hardware and software systems are given false information by a cloned card that is sufficient to make the software record that it was your card in the ATM.

Another problem with the figures for fraud issued by UK Payments Administration Limited is this: they collate the figures from their membership, and there is no breakdown of the accuracy of the figures placed in the public domain. For instance, if ten people claim money has been withdrawn from ATMs, and the bank refunds one of them, which figure is going to be reported? The entire amount from all ten customers, or just the single figure from the single customer that has been refunded?

Web sites of interest: Card Watch, with some information about card fraud figures and advice; Lightbluetouchpaper, providing an alternative view on matters relating to credit and debit cards; and the web site of Professor Ross Anderson, which has extensive papers on card security, together with the web site of Dr Steven Murdoch, which also has some helpful additional materials.

It cannot be emphasized too much that you need to act as a matter of urgency (that is, within 24 hours) if you find unauthorized withdrawals have been made from your account.

Suggestions

1. Retain your card

You will need to have the transaction counter on your card checked by a digital evidence specialist. If the transaction counter on your card is less than the number of transactions recorded against your account, the evidence points to a cloned card being used by a thief to make withdrawals. It is wrong to follow the advice of the bank or card issuer to destroy the card if it remains in your possession: this is the deliberate destruction of evidence, which is neither desirable nor appropriate.

2. Ask your card issuer for copies of the ATM receipts

3. Put your bank on notice that you wish to see the ARQC

The bank may refuse to permit you to see the ATM receipts and the ARQC (Authorisation Request Cryptogram), but if you put them on notice (send them a letter by recorded delivery) that you may rely upon these items of evidence to assess whether your card was used or not, and they then destroy the evidence before legal action takes place (if it does take place), then this will not be good for the bank.

4. Alibi

If you were in another location at the times the cash was withdrawn, recall who you were with and get them to make a statement for you immediately, preferably made before a solicitor. Evidence that you were somewhere else at the time the withdrawals were made will be very helpful. Do not delay in doing this. If you were not with somebody, but shopping, perhaps, retain evidence of any of the transactions you made, especially if they were with other cards in your possession.

5. Other people might have the same problem as you

Do not delay in trying to find out if other people had the same problem with the same ATM. This is also very helpful, and you must do this quickly – ask your local newspaper if they will run a story, start a web site to ask for help, put up posters for the names and address of anybody else that might have had an identical experience.

6. Check the possibility that CCTV footage might exist

It might be that CCTV footage exists of those people using the ATM or ATMs in question. You will need to identify the owner of the relevant CCTV, then request to have a copy of the footage from the owner. This might be far more difficult than it appears. Although the owners of CCTV insist they are recording to prevent crime, it has transpired that since I posted this list of suggestions, many people have found obtaining CCTV footage almost impossible. In some cases, people have been informed by the police that it is not their concern, and the police have informed the complainant that they must look to their bank to obtain such footage, and some banks will not cooperate with their customer over obtaining such footage.

There may also be technical problems with the actual CCTV footage because of poor quality, and it might be that the footage is destroyed after a set period of time. If a policy exists to destroy all footage after 30 days, then any subject access request you might consider making under the provisions of the Data Protection Act 1998 will mean the footage is destroyed before the request is dealt with. Ideally, you should find out if any CCTV footage is available and obtain a copy immediately. If necessary, visit the shop or bank and ask to see the CCTV manager, and get them to go through the recording and copy it for you. If you do this, you will be wise to ask them to give you a statement. If they will not, you should record such details as the date and time you spoke to them, their name, the address of the premises and any actions that were carried out. Further, if the CCTV is held by the bank, put them on formal notice (send them a letter by recorded delivery) that you wish the evidence to be retained, pending any legal action.

7. Request your bank to provide a full copy of your customer file

You should have a contractual right to see your customer file, but if this is refused, make a subject access request under the provisions of the Data Protection Act 1998 (if you make an application under the provisions of the Act, you must follow the guidance issued by the Information Commissioner).

8. Write to the shop that provided goods or services when your card was used to buy goods or services

Where your card is used to buy goods or services from a shop or on-line seller of goods or services, and your bank or card issuer refuses to accept that you were not responsible for the transaction, write to the shop or provider to ask for a copy of the transaction slip. One person I am aware of did this, and the shop owner sent them a copy of the transaction slip, which proved to their bank that the transaction had not been undertaken by chip and PIN, even though the bank insisted that the transaction had been carried out by chip and PIN. In this case, the bank insisted that the customer was responsible for buying goods in Turkey, yet the customer had never visited the country, and the bank only paid the money back to the customer when the customer presented the bank with evidence to prove their computer systems were at fault.

9. Report the matter to the police

The police will probably not be interested in taking up your complaint. The official thinking on this issue is very confused - perhaps deliberately. The official line is that it is for the bank to make a complaint to the police that a crime has been committed, because the bank is the one that has lost money. This would be correct if the bank refunds your money. However, where the bank refuses to refund your money, then they are, in effect, accusing you of fraud by asking for the return of money you say that you neither withdrew yourself, nor authorized any other person to withdraw. In this respect, it will be worth considering submitting a request for information under the Freedom of Information Act 2000 to the local police. You might request information such as the number of crime reports (set out on a monthly basis over the material time withdrawals were made – perhaps three months either side) recorded in the relevant town, city or village, and relating to complaints made by individuals where withdrawals have been recorded at and where the individual claimed they were not responsible for the withdrawal.

10. Write a letter to your card issuer putting them on notice

Consider writing a letter fairly quickly putting your card issuer on notice that they must retain all the records that are relevant to the dispute. I have written one which is available as a free download.

If you have any more suggestions to make to add to this list, please feel free to get in touch with me.

Other suggestions received which I consider helpful:

1.    Get an experienced solicitor, familiar with digital evidence, involved very early. Below are some suggested questions to ask (I have introduced these as the direct result of various people contacting me after they have spent considerable amounts of money with solicitors, with no result):

Questions to ask a solicitor about fees:

What is their hourly rate? Do they consider a fixed fee? Do they consider no win, no fee arrangements?

How do they charge their hourly rate (that is, by the full hour, or a proportion of an hour [at 6 minute intervals])?

What things do they charge you for?

Will they do the work or a junior solicitor? If a junior solicitor, what is their rate and experience in such matters?

When writing letters on your behalf, will they copy all of the information you have given them and put it into any letter they send on your behalf? (That is, information from the papers and copies of letters you have given them). If they copy this information into any letter they write, they will charge you more.

Electronic evidence

What do they know about electronic evidence?

Do they know that computer systems are not reliable? [Find out if they have read Chapter 5 of Stephen Mason, general editor, Electronic Evidence (2nd edn, LexisNexis Butterworths, 2010)]

What case law is there in relation to electronic evidence and banking disputes? [There is, see Stephen Mason, general editor, Electronic Evidence: Disclosure, Discovery and Admissibility (LexisNexis Butterworths, 2007), 4.04 – 4.15; see also various issues of the Digital Evidence and Electronic Signature Law Review.]

Electronic signatures

What do they know about electronic signatures? (Bear in mind that if you use e-mail or a PIN, send text messages or buy anything on-line, you use an electronic signature).

What case law is there in relation to electronic signatures? [There is plenty of case law, for which see Stephen Mason, Electronic Signatures in Law (Tottel, 2nd edn, 2007)]

Ask them what ‘non-repudiation’ means. Is it a legal term? If so, what does it mean? [It is not a legal term, and is meaningless in law. See if they have read the analysis of this term in Stephen Mason, Electronic Signatures in Law (Tottel, 2nd edn, 2007), 14.20 – 14.21]

Banking

Ask them what the burden of proof is in your case [in other words, which party has to prove what].

Ask them to outline the banking system from the moment you put your card into an ATM to the moment a payment is debited from your account (as you can imagine, this is quite complex, and there are a number of third parties involved in the chain that the bank will sub-contract to).

Ask them how they will gather evidence of previous attacks on ATMs.

Ask them the various mechanisms by which a thief can use a forged card or obtain your PIN after you have had your card stolen [the various ways are listed in Stephen Mason, general editor, Electronic Evidence: Disclosure, Discovery and Admissibility (LexisNexis Butterworths, 2007), 4.04 – 4.15].

Their experience

Ask them how many ATM or internet banking disputes they have dealt with.

If they have had experience of such disputes, who are the most knowledgeable experts to ask to offer expert advice?

Will they conduct the entire case themselves, including the hearing in the court?

If they will not appear in court, ask them for the name (and chambers) of the barrister they will brief to represent you in court. Ask the solicitor to tell you what experience the barrister has with electronic evidence and electronic signatures.

2.    Consider recording every conversation you have with your bank, and ensure the person you are speaking to understands you are recording the conversation. Obtain the name of the person you are speaking to, together with the name of their department and telephone number. Conversely, ask the person you are speaking to if the telephone conversation is being recorded. The bank usually records the conversation. You have the right to obtain a copy of the conversation.

3.    Take full notes of every conversation if you cannot record the conversation. Ensure the person you are speaking to is aware you are taking notes. Ensure the person you speak to is aware that you are the customer, and you should be treated with courtesy. Some employees are very aggressive towards customers claiming money has been debited from their account for which they are not responsible, and it is important to remind the employee that you are the customer.

4.    Write to your Member of Parliament. This is for two reasons. First, if every MP received regular letters of complaint from their constituents on this topic, then they would exert pressure on government ministers to do something about the present system of recording and handling unauthorized withdrawals from ATMs. Second, sometimes the only way you can obtain help is by going to your MP. Sometimes an MP can resolve the issue with a single letter to the Chairman of the bank. Some MPs will react to you by not doing anything, with the lame excuse that your case might go before the courts. In the vast majority of cases, this is impractical for the person that has suffered a loss, because they cannot afford legal help, and do not want to be faced with the uncertainty of paying the costs of the bank if they do not succeed. The risks of taking legal action can be very high for a variety of reasons.

5.    With or without a litigator, try to put in issue at an early stage (both in correspondence and in the pleadings) the reliability of the bank’s records and systems, so that the bank is put to proof of their reliability. This will probably first become an issue if or when the bank fails to disclose relevant system and transaction documentation, and will be tested on an application for specific disclosure. Such an application probably needs to be supported by the report of a suitably qualified specialist on what is needed to assess reliability and security, and why it ought not to be a burden for the bank to provide.

6.    Judges are likely to approach the reliability of computer systems much as they might once have approached the till roll from a mechanical cash register. It is reasonable to assume that the till roll correctly reflects the transactions entered on the till. Suitably qualified expert evidence will need to include explanations of why it is not reasonable to make the corresponding assumption in the case of computer systems. This evidence needs to address the complexity and unpredictability of software in general, as well as making the point that when security is being assessed, it is necessary to consider the performance of the system not only when it is operating in the face of the usual accidents of life, but also when it is under attack by a highly skilled and highly motivated attacker. This evidence provides a strong foundation for arguing that the bank must prove all the links in the chain.

7.    If the bank complains of the burden imposed by what it is required to prove because of the complexity of its systems, suitable expert evidence should be adduced about the need for systems to be simple enough to be easily checked if their reliability and security is to be maintained. This provides a foundation for alternative arguments, either that the tasks to be imposed on the bank are not unduly burdensome, or that the fact that those tasks are unduly burdensome is in itself evidence of the unreliability of those systems.

Finally, bear in mind a point that APACS itself makes (http://www.apacs.org.uk/resources_publications/documents/PIN_Administration_Policy.pdf (p11)):

‘The PIN Administration process must not only be secure, but also be demonstrably secure. If PIN Security is publicly challenged, either in the media or in a court of law, it must be possible to respond to such a challenge and for the response to be supported with evidence. Furthermore, the use of that evidence in the public domain must not in itself compromise security.’

(This point was made in my skeleton argument on behalf of Mr Job).