Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK ATM System Could Have Ruined Economy

Posted by Zonk on from the in-for-a-penny-in-for-a-pound dept.

seanyboy writes "The Register is running the story of how the UK banking system could have collapsed in the early 1990s, how easy it was at the time to withdraw against other people's accounts and the worrying case of a Bank's rogue IT Department." From the article: "What quickly became clear was that the law needed a system to provide proof that events had happened so that legal cases could be made. You might say that 'the computer debited the account', but to a barrister (and more importantly, a judge) that's not enough. Did the computer do it at random? In that case it's like a tree branch falling - an accident. Or did a person program it to do so? In which case the person must be able to testify about the precise circumstances when a debit could happen. Sounds daft, but the law rests on proving each step of an argument irrefutably."

9 of 135 comments (clear)

  1. What A Mess by geomon · · Score: 4, Interesting

    The worst part of the story was that the lawyer couldn't tell anyone about the security problem because he was no longer retained by his original client. I believe that in the US attorneys are obliged to come forward with information related to a criminal nature because they are officers of the court. I don't know if that distiction would have helped in this case, but the fact that the whole system perched precariously on the fact that only a few criminals knew how to bilk the system is disturbing.

    --
    "Rocky Rococo, at your cervix!"
  2. Wasn't so hot in 1987 either by Anonymous Coward · · Score: 4, Interesting

    I had an account with National Westminster in '87 when I lived in the UK. The ATM's would always let you take cash out no matter how much in the red you already were. (It was my roommate that took advantage of it, not me, honest!)

  3. What happened to me... by Karma_fucker_sucker · · Score: 5, Interesting
    here in the US.

    I went to withdraw from an ATM. I put the card in, entered my PIN, and selected the amount I wanted - $200.
    The ATM goes nuts and procedes to give me only $160 while debiting my account two transactions: one for $200 and another for $160.
    I call my credit union and I tell them what happened. They tell me to fax a letter stating that I was diputing the $200. I did. They audited the ATM.

    Long story short, the credit union backed out the $200 debit.

    --
    Evil people don't think they're evil. - George Lucas, Making of Ep III
  4. Meanwhile, the paranoid old guy by Recovering+Hater · · Score: 5, Funny

    lifts up his mattress and whispers to his stash of crumpled bills that he knew they were safe all along and the youngsters just don't know! They JUST DON'T KNOW!

    --
    My humor is probably your flamebait
  5. Computers? by Hogwash+McFly · · Score: 4, Funny

    Computers? Pah! Everyone knows that back in those days it was a midget with a box of money, trained to make BEEP! BEEP! noises.

    --
    Mother, do you think they'll like this sig?
  6. In industrialized Britain... by cached · · Score: 4, Funny

    banks rob YOU!

    --
    +1 funny, -2 overrated. Life isn't fair.
  7. Not new actually... by Spy+der+Mann · · Score: 4, Interesting

    computers have been a synonym for organized fraud in other places.

    In Mexico, in the 1988 elections, the opposition candidate was winning by a large margin according to the official data. Then suddenly, "the system crashed", and when it came up, the official party was winning by a large margin.

    This event was called "La caida del sistema de 1988", and makes me think that there's nothing new under the sun (Diebold voting machines, anyone?).

    The lesson is clear: Regarding data and computers, if someone can do something wrong, he WILL. So auditing is a must.

  8. Re:How much should you believe this? by MyGirlFriendsBroken · · Score: 4, Informative

    First, only 3 PINs being generated by the card issuing system. I can see this is possible if you hack the application code itself but the HSMs (hardware security modules) that actually do the cryptographic operations wouldn't do this using Visa, IBM or Diebold PIN offset generation calls. It's possible, but it would be an insider job in one bank NOT the whole banking system.

    This is what the article indicates, it was the people working with the PIN production system rigged it to do this

    Second, the description of the scam is that one PIN offset on track 2 can be used with multiple account numbers. Again, all the standard PIN methods explicitly prevent this - the account number (PAN) is part of the input data to the PIN verification call.

    The account number did not feature in this case, thus simply changing the account number on the card was sufficent, the original PIN would still work

    Third, the description has the crook shoulder surfing for PINs. Why does he need to do this if any known PIN can be used with any account?

    This is what the guy used to do originally, then he discovered the account number rewriting trick

    The article is not that well writen, it took me 2 1/2 reads of the article to actually establish all of the above. what I want to know is, who is "rogue Bank" and are they the same one I bank with

    --
    If you read a speed reading book, does it take you less time to read the second half?
  9. Call that Nuts by slashnik · · Score: 4, Interesting

    In the late 80's,

    There was a known fault on some of the ATMS where the "picker" and the "presenter" units could go into a runaway condition.

    This happened on London's Edgeware Road while the shutter (remember them) was open.
    So there we were with the ATM spewing £5's and &10s all over the street as fast as it could pick them.

    A number of passers by collected up the money while another went into the bank to alert the staff.

    Amazingly when the bank balanced the ATM they found that there was no money missing.

    A retrofit was quicly engineered to prevent the presenter motors running when the picker unit was in operation.