Personal Identification Number (PIN)
The PIN has become a very widely used form of authentication, especially to obtain access to a bank account through the use of an ATM (automated teller machine or automatic teller machine or automated banking machine or cash machine), or to confirm a transaction with a credit card or debit card. Invariably, a claim by the user that one or more transactions conducted on the account were not authorized by them will require the relying party to prove the transaction was authorized by the account holder. The fact a withdrawal or other form of transaction took place may not be in issue, and in any event, the bank can adduce the evidence under the relevant business records or the Bankers’ Books exemptions. For an in-depth discussion of the cases below from the point of view of proof, see chapter 4 of my book Electronic Evidence: Disclosure, Discovery & Admissibility.
See the UK Payments Administration Limited (previously known as APACS) web site and the Financial Ombudsman Service web site for additional information, and to understand how to report any loss, see the reporting page and the suggestions for actions to consider page.
Job v Halifax PLC (Claim number: 7BQ00307)
The trial was held on 30 April 2009 in Nottingham County Court before His Honour Judge Inglis, and judgment was delivered on 4 June 2009.
Below is a brief summary by way of background to this case. The full judgment with a commentary by Alistair Kelman has been published in the 2009 issue of the Digital Evidence and Electronic Signature Law Review.
Mr Job had a total of £2,100 withdrawn from his account in February 2006 by way of two ATMs in Reading. Seven withdrawals were made in total. Mr Job said he did not make the withdrawals, and he did not authorize any third party to make the withdrawals. Mr Job complained to the bank, denying that he had made or authorized the withdrawals. He further denied that his card had ever left his possession or that he had allowed anyone else to know his PIN (a form of electronic signature). His claim was rejected. Mr Job also complained to the Financial Ombudsman Service. The Financial Ombudsman Service also rejected his claim. Mr Job began legal proceedings to recover the money in February 2007. I began to represent Mr Job in the winter of 2008.
The law
Section 24 of the Bills of Exchange Act 1882 applies, and is set out below:
24 Forged or unauthorised signature
Subject to the provisions of this Act, where a signature on a bill is forged or placed thereon without the authority of the person whose signature it purports to be, the forged or unauthorised signature is wholly inoperative, and no right to retain the bill or to give a discharge therefor or to enforce payment thereof against any party thereto can be acquired through or under that signature, unless the party against whom it is sought to retain or enforce payment of the bill is precluded from setting up the forgery or want of authority.
Provided that nothing in this section shall affect the ratification of an unauthorised signature not amounting to a forgery.
The bank relied on the purported electronic signature of Mr Job, thus it was argued by counsel for Mr Job that the burden of proof was on the bank to prove that it acted in accordance with the mandate, in that:
1. Cash in respect of each of the transactions was physically withdrawn from the ATMs.
2. Mr Job’s card was used in each transaction.
3. Mr Job or a person authorised by him concluded the transactions, or that his carelessness enabled an unauthorised person to do so. Even if the correct PIN was entered into the ATM, it does not follow that Mr Job or a person authorised by Mr Job entered the PIN. A perfect forgery is nonetheless a forgery. The bank requires a PIN to be used, even though the use of a PIN acts to prevent the bank distinguishing a forged signature from a perfect signature.
The evidence relied upon by the bank
The bank relied upon one item of evidence: a print-out of internal logging software. This is secondary evidence, that is, the evidence recorded in the log consists of information sent to it from other sources, and it is also processed by other software components. There were a number of possible primary sources of evidence that could have been made available by the bank:
1. The card. This was not available, because it had been destroyed. The card would have been useful to test, because every card contains an Application Transaction Counter, which increases by one increment each time a transaction is initiated. Had this been available to test, it might have been possible to determine fairly conclusively whether Mr Job’s actual card was used in the six transactions that were in dispute.
2. The ATM receipts. The ATM receipts might have confirmed that cash was physically dispensed, thus eliminating the possibility that an insider withdrew the money (although it is admitted that this was only a remote possibility).
3. The Authorization Request Cryptogram (ARQC) and Authorization Response Cryptogram (ARPC). Every time a chip and PIN card is inserted into an ATM, an ARQC is generated from the symmetric cryptographic keys on the card. The ARPC is then generated by the issuer in response to the ARQC. This is a cryptographic response that includes the decision by the bank on the authorization request. It is sent back to the card for validation before the transaction is completed. The bank destroyed this evidence.
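As an added illustration (not part of the original page, and not the actual EMV cryptography, which uses 3DES-based MACs under session keys derived from an issuer master key and the ATC), the following Python models the ARQC/ARPC exchange and the Application Transaction Counter described in items 1 and 3, using a truncated HMAC-SHA256 as a stand-in MAC. The key values, amounts and terminal nonce are constructed. It shows why these items are primary evidence rather than a log print-out: a cryptogram only recomputes under the key of the card that produced it, and the counter on the physical card records how many transactions that card initiated.

```python
"""Simplified model of the ARQC / ARPC exchange and the ATC.

Illustrative only: HMAC-SHA256 stands in for the EMV cryptogram MAC, and the
field layout is invented for the example. Keys, amounts and nonce are constructed.
"""
import hashlib
import hmac
import struct

# Constructed example keys. In a real deployment a card's key lives only in the
# chip and in the issuer's HSM; it is never written to an authorisation log.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # some other card


def _mac(key: bytes, data: bytes) -> bytes:
    """8-byte truncated HMAC-SHA256 standing in for the EMV cryptogram MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def compute_arqc(key: bytes, atc: int, amount_pence: int, un: bytes) -> bytes:
    """Card side: cryptogram over the ATC, the amount and the terminal's nonce."""
    return _mac(key, struct.pack(">HI", atc, amount_pence) + un)


def compute_arpc(key: bytes, arqc: bytes, response_code: bytes) -> bytes:
    """Issuer side: cryptogram binding the authorisation decision to the ARQC."""
    return _mac(key, arqc + response_code)


class Card:
    """The chip: holds the key and the Application Transaction Counter (ATC)."""

    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0

    def start_transaction(self, amount_pence: int, un: bytes):
        self.atc += 1  # one increment per initiated transaction
        return self.atc, compute_arqc(self.key, self.atc, amount_pence, un)

    def validate_arpc(self, arqc: bytes, code: bytes, arpc: bytes) -> bool:
        return hmac.compare_digest(compute_arpc(self.key, arqc, code), arpc)


class Issuer:
    """The bank's authorisation host, retaining each cryptogram as primary evidence."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0
        self.records = []  # the fields a bank would need to keep per transaction

    def authorise(self, atc: int, amount_pence: int, un: bytes, arqc: bytes):
        expected = compute_arqc(self.key, atc, amount_pence, un)
        # The ATC must move forward; a stale or repeated counter is not genuine.
        genuine = hmac.compare_digest(expected, arqc) and atc > self.last_atc
        code = b"00" if genuine else b"05"  # approved / do not honour
        if genuine:
            self.last_atc = atc
        arpc = compute_arpc(self.key, arqc, code)
        self.records.append(dict(atc=atc, amount_pence=amount_pence, un=un,
                                 arqc=arqc, code=code, arpc=arpc))
        return code, arpc


def verify_record(key: bytes, rec: dict) -> bool:
    """Later evidential re-check: do the retained cryptograms recompute under this card's key?"""
    ok_arqc = hmac.compare_digest(
        compute_arqc(key, rec["atc"], rec["amount_pence"], rec["un"]), rec["arqc"])
    ok_arpc = hmac.compare_digest(
        compute_arpc(key, rec["arqc"], rec["code"]), rec["arpc"])
    return ok_arqc and ok_arpc


def run_demo() -> dict:
    issuer = Issuer(CARD_KEY)
    card = Card(CARD_KEY)
    un = bytes.fromhex("1a2b3c4d")  # constructed terminal unpredictable number

    # Two withdrawals (£300 and £200) made with the genuine card.
    for amount in (30000, 20000):
        atc, arqc = card.start_transaction(amount, un)
        code, arpc = issuer.authorise(atc, amount, un, arqc)
        assert code == b"00" and card.validate_arpc(arqc, code, arpc)

    # A third request whose cryptogram was produced under a different card's key.
    other = Card(OTHER_KEY)
    _, other_arqc = other.start_transaction(10000, un)
    other_code, _ = issuer.authorise(3, 10000, un, other_arqc)

    approved = [r for r in issuer.records if r["code"] == b"00"]
    return {
        "genuine_count": len(approved),
        "other_card_declined": other_code == b"05",
        # Reading the physical card's ATC shows how many transactions it initiated.
        "card_atc_matches_issuer": card.atc == issuer.last_atc,
        # Every approved record can be re-verified against the genuine card's key.
        "records_verifiable": all(verify_record(CARD_KEY, r) for r in approved),
        "other_record_verifiable": verify_record(CARD_KEY, issuer.records[-1]),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of `verify_record` is evidential: a print-out of a logging host only shows what the host received and wrote, whereas the retained ARQC, ARPC, ATC and input fields can be independently recomputed by anyone given controlled access to the card's key material, and the counter on the card itself can be compared with the issuer's count.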
Judgment
His Honour Judge Inglis concluded that Halifax had discharged its burden and proved that Mr Job’s card was used in the ATMs. He did not reach any conclusion as to how the withdrawals were made, only that:
they were made by him, or
by someone authorised by him, or
by gross negligence in that he had enabled someone else to use the card and the third party knew the PIN.
The learned judge rejected the argument that the bank should prove each step in the process (cash withdrawn from the ATM and evidence of the ARQC). The learned judge reached the judgment that the absence of:
a history of successful fraudulent attacks on on-line chip and PIN transactions, and
the absence of any evidence of systems failure
indicated that the transactions could be taken at face value, and were important pieces of evidence from which it was open to the court to draw the inference that these were transactions that took place using Mr Job’s card and his PIN.
A change in the law
The Payment Services Regulations 2009 (Statutory Instrument 2009 No 209) have implemented the provisions of Article 59 of the EU Directive in full. The provisions of this Statutory Instrument reinforce the provisions of section 24 of the Bills of Exchange Act 1882.
Here is regulation 60 from the Payment Services Regulations 2009:-
Evidence on authentication and execution of payment transactions
60.—(1) Where a payment service user—
(a) denies having authorised an executed payment transaction; or
(b) claims that a payment transaction has not been correctly executed, it is for the payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the payment service provider’s accounts and not affected by a technical breakdown or some other deficiency.
(2) In paragraph (1) “authenticated” means the use of any procedure by which a payment service provider is able to verify the use of a specific payment instrument, including its personalised security features.
(3) Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider is not in itself necessarily sufficient to prove either that—
(a) the payment transaction was authorised by the payer; or
(b) the payer acted fraudulently or failed with intent or gross negligence to comply with regulation 57.
Here is Article 59 from Directive 2007/64/EC on payment services in the internal market:-
Evidence on authentication and execution of payment transactions
1. Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for his payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency.
2. Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of his obligations under Article 56.
In essence, this means that the card issuer will now have to provide a great deal more evidence than the bank chose to in the case of Job v Halifax. Now, a bank will need to provide evidence of the following (much in line with my argument before HH Judge Inglis):
That the transaction was:
authenticated (this means the use of any procedure by which a bank is able to verify the use of the card, including its personalised security features),
accurately recorded,
entered in the bank’s accounts, and
not affected by a technical breakdown or some other deficiency.
The future and can you help?
I am currently interested in people’s experience of the use of PINs (which is one form of electronic signature) with credit cards and bank cash cards and on-line banking. I have written extensively on this topic in Chapter 4 of my book Electronic Evidence: Disclosure, Discovery & Admissibility (LexisNexis Butterworths, 2007), and have included as much case law from across the world as I have been able to find.
The discussion in Chapter 4 does not take into account the new ‘Chip & Pin’ introduced into the UK, because it was only beginning to be introduced as I wrote the text. In essence, the chip (a microprocessor) attached to the card includes technology that interacts with back-end systems to allow the bank to be fairly certain that it is the actual card that is physically present in the ATM. Clearly this is a helpful advance, but the magnetic strip remains - and ATMs can read both the chip and the magnetic strip. It is possible that the ATM might go into ‘fallback’ mode, and the chip is made redundant, allowing money to be taken from an account. Clearly the technology that has been introduced is an improvement, but it is not certain that it is free from attack by thieves.
The decisions made by judges in relation to the liability of the card issuer when a card has been used by somebody else without the permission or authority of the card holder are mixed. Various scenarios are possible (if you can think of more, please send me an e-mail and I will add it to the list):
The card is stolen and the holder of the card is aware the card was stolen
The card is stolen, but the holder of the card is not immediately aware the card was stolen
The card holder is not even aware that the card has been issued (which is why there is an ‘activation’ hotline for new cards)
The card is not stolen, but the thief has managed, in some way (for some of the methods, see Chapter 4 of my book above) to obtain all the necessary information from the card in order to obtain money or goods by using the information
Scenarios for on-line banking will be appreciated (I do not and never intend to bank on-line)
A number of cases relating to the use of PINs have been brought before various courts in different countries:
Judd v Citibank (1980) USA
R v Munden (England & Wales) 1993/4
Roni v Kagure (Papua New Guinea) 2004
The following cases have all been translated into English and published in the Digital Evidence and Electronic Signature Law Review
OGH Urteil vom 29.6.2000, 2 Ob 133/99v (Austria)
Ž.Š. v AB Lietuva taupomasis bankas (Lithuania) 2002
BGH 5 October 2004, XI ZR 210/03 (Germany)
5526/1999 (Greece)
For a useful article on the number of ATM PIN cases in Germany, see Assistant Professor DDr. Gerwin Haybäck, Civil law liability for unauthorized withdrawals at ATMs in Germany
The evidence in the case of Dorothy Judd sums up one of the past problems: where the correct PIN is used to withdraw money from an ATM machine, but the card holder is working and in a different physical location at the material time the money is withdrawn. Despite the assertions by the bank that their system was so good that only the person issued with the PIN could be the person that withdrew money from the machine, the learned judge reached the conclusion that the bank completely failed to prove that it was Dorothy Judd that used the PIN to obtain money from the machine, because Dorothy Judd provided evidence that she was at work when the PIN was used.
The case of PC Munden is an example of where money was debited from his account through an ATM machine, and he complained to the bank. The bank accused him of fraud, and he was arrested and convicted in the Magistrates’ Court. His conviction was later quashed because the bank failed to provide evidence of the security of their ATM systems.
The Greek case is an example of where a card was stolen from a vehicle and money was subsequently obtained from an ATM machine (the bank was held liable), and in the Papua New Guinea case, the card holder lost their card in the bank, alerted the bank to put a stop on the account when the loss was discovered, and after the bank placed the stop on the account, money was withdrawn from the account using ATMs. The judge decided the bank failed to prove its case when it was shown that money was taken from two ATMs in totally different geographical locations within 10 minutes or so of each other with the correct PIN. The journey time between the ATMs was far more than 10 minutes.
The three cases from Austria, Germany and Lithuania are instructive, because three courts reached two different conclusions.
In the German case, a woman had her handbag stolen. A bank card was in the handbag. Money was withdrawn from her account using an ATM some two hours later. When the claimant wanted her money back, the bank claimed she must have written her PIN down, and this information must have accompanied the card in the handbag. She was adamant that she did not write the PIN down. When the case reached the Bundesgerichtshof (the Federal Supreme Court), the judges held that the rules on prima facie evidence applied. This was because the facts proved (the withdrawal of cash in conjunction with a stolen bank card and the use of the correct PIN) typically resulted (this is a conclusion – more of an assertion – without any evidential foundation) from a different set of facts (the storage of the PIN with the card). The court also held that in order to prove her case, the plaintiff must show that the same result could occur in another way, in order to rebut the assumption that the PIN must have been with the card when stolen. This requirement fails significantly to take into account how ATMs are attacked and how a thief can obtain the PIN without stealing the card.
The judges in Austria and Lithuania reached a completely different decision on similar facts. In the Austrian case, the judges decided that if the holder of the card lost the card, then the card holder would be liable (although this conclusion fails to acknowledge how thieves can obtain the correct PIN without the help of the card holder from a card that has been lost or stolen), and if money is withdrawn from the account when the card remains in the possession of the card holder, then the bank must prove that the customer used the card: the bank must take responsibility for the risks that arise out of the use of such complicated devices and techniques.
The learned judges in Lithuania went even further, by making it clear that the risks were those of the bank, and the card holder has no control over the internal security of the bank, and cannot protect themselves from the various forms of attack that thieves can make on cards to obtain the correct PIN, including using minute cameras to record a person using their PIN at an ATM. It was determined that the card holder only had a burden to prove they did not use the card and PIN after the bank has satisfied the court that the systems of the bank were such that only the card holder could have used the PIN – something which is, of course, impossible for the bank to prove.
How you can help
It is imperative that lawyers and judges more fully understand the issues relating to PINs.
If you represent a bank or card issuer I will be very grateful if you are able to help ensure my facts are correct.
If you have a sound technical knowledge and relevant experience of ATM and PIN systems, and any banking systems, I will be pleased to hear from you to ensure I more fully understand the technical issues.
If you are a lawyer I will be very grateful if you will tell me of any cases I have not mentioned above – from whatever country in the world.
If you have had money taken from your account without your permission I will be delighted if you will let me know the following:
Whether your card was lost or stolen
Whether you wrote down your PIN
Whether money was removed from your account when your card was in your possession at all times
Whether money was removed from your account after your card was stolen or lost
The reaction of the card issuer
What legal action, if any, you had to begin to recover your money, and what happened
What legal action, if any, the card issuer initiated against you
Whether your card issuer was a bank or a credit card company (or any other)
Your on-line experiences
