The Bank Fraud Resource Page

Ross Anderson

Cards get cloned; online bank accounts get phished; bank staff embezzle money; banks rip off their customers. Both cardholders and merchants rip off banks. Bank fraud is a multibillion dollar industry, and getting more complex all the time. Most of the bad things that happen on the Internet end up with money vanishing from someone's account.

Colleagues and I have been researching bank fraud for a couple of decades. In this web page we've pulled together links to a lot of relevant research and other resources. If you are a banker, a policeman, or a customer, this page is for you. (If you're a fraudster, you may well know it all already.)

This page provides links to a number of key papers, home pages of active researchers, and other resources. Complementary pages include our security economics resource page and our security psychology resource page. There is also an interview I did with Marc Tobias of security.org.

Key Papers

• Be Prepared: The EMV Pre-play Attack describes attacks based on design and implementation flaws in EMV that have been exploited since 2014 to rob sex-industry customers in the UK, Spain, Poland and elsewhere. The earlier conference version is Chip and Skim: Cloning EMV Cards with the Pre-Play Attack (blog, preprint, BBC story and blog). You think you're paying £35 for a lap dance but you're actually authorising half a dozen large payments that are submitted one at a time until your account is cleaned out.
• Security protocols and evidence: where many payment systems fail analyses why dispute resolution is hard. In a nutshell, the systems needed to support it properly just don't get built (blog).
• As for contactless payments, Martin Emms and colleagues have a super paper on Risks of Offline Verify PIN on Contactless Cards which shows how you can program a Blackberry to act as a fake terminal. Each time you brush against a target's wallet you can guess one possible PIN for his Barclaycard. Once you get lucky you can clone the card.
• In 2010, we won an award for a paper describing the No-PIN attack: a man-in-the-middle attack that allows a stolen card to be used with any pin. There was a TV piece on Newsnight (see also ZDnet, the Telegraph, the Mail, the Mirror, the Register, Bruce Schneier, the press release and our FAQ)
• The banks eventually reacted with an attempt to censor our research (see the Guardian, the Mail, Radio 4 and Radio 5). There was an apt comment in 1641 by Bishop John Wilkins.
• A birthday present every eleven wallets? is the first proper study of the security of customer-selected bank PINs, and documents the fact that some banks let their customers choose really weak PINs like 1234; a thief finding a wallet full of their customers' cards has a one in eleven chance of striking it lucky, as opposed to one in eighteen for more prudent banks (blog, press, blog).
• Verified by VISA – the mechanism that asks for your card password when you shop online, is an example of how a poor design can win out if it has strong deployment incentives (see also blog post and slides).
• We have a tech report On the Security of Internet Banking in South Korea which explores the consequences of a nationally-mandated authentication system.
• We studied the (lack of) cooperation between bank phishing site takedown contractors in The Economics of Online Crime, which appeared in the Journal of Economic Perspectives. Banks should ask their contractors to share feeds and compete on takedown time.
• The Impact of Incentives on Notice and Take-down examines how take-down speed varies with the incentive of the party requesting removal. Banks are quick to remove phishing websites that mention them by name, but they ignore mule recruitment websites because it is hard to tell which bank will be affected.
• A major study of Security Economics and European Policy for the European Commission, recommended that the EC get all countries to publish statistics of bank fraud, as Britain and France already do.
• Thinking inside the box: system-level failures of tamper proofing documented serious vulnerabilities in Chip and PIN payment terminals and won the Best Practical Paper award at the 2008 Oakland conference. It was also featured on Newsnight; see the video and the viewers' comments. Here are some frequently asked questions, our press release, and coverage in the Register, the Newsnight blog and the Telegraph.
• Failures on Fraud appeared in a central bankers' magazine and argued that all this is yet another symptom of the failure of bank regulation.
• We did an analysis of the failings of the Financial Ombudsman Service (see also a video from the World Economic Forum in November 2008).
• We had a paper at Financial Crypto on possible middleperson attacks on RFID/NFC payments.
• I did a Google tech talk on searching for covert communities and villains online.
• The Fed commissioned a paper on fraud, risk and nonbank payment systems.
• In the Man-in-the-Middle Defence, we advocated that the customer be able to put a trustworthy device between his bank card and a payment terminal, and sketched how this might be done with EMV
• We wrote a big survey paper on cryptographic processors, a shortened version of which appeared in Proc IEEE
• Why Information Security is Hard – An Economic Perspective was the paper that got information security people thinking about economics. It applies microeconomic analysis to explain many phenomena that security folks had found to be pervasive but perplexing, from adverse selection in payment systems governance to the failure of cerification and evaluation schemes.
• Optimised to Fail: Card Readers for Online Banking documents the shortcomings of the CAP card readers used for online banking; see also our blog, press coverage and the later journal version.
• "Why Cryptosystems Fail" may have been cited more than anything else I've written. This version appeared at ACMCCS 93 and explains how ATM fraud was done in the early 1990s; here is the journal version which appeared the following year in Communications of the ACM.
• Liability and Computer Security – Nine Principles took this work further, and examines the problems with relying on cryptographic evidence.
• The introduction of EMV ('chip and PIN') was supposed to fix the problem, but hasn't: Phish and Chips documents protocol weaknesses in EMV.
• A Note on EMV Secure Messaging in the IBM 4758 CCA documents how hardware security module transactions introduced by VISA to support EMV broke the cryptosecurity of multiple vendors' HSMs by making the APIs dangerous.
• The Man-in-the-Middle Defence shows how to turn protocol weaknesses to advantage.
• On a New Way to Read Data from Memory describes techniques we developed that use lasers to read out memory contents directly from a chip, without using the read-out circuits provided by the vendor. The work builds on methods described in Optical Fault Induction Attacks, which showed how laser pulses could be used to induce faults in smartcards that would leak secret information. That paper appeared at CHES 2002; it made the front page of the New York Times and also got covered by slashdot.
• Our seminal paper on hardware security, Tamper Resistance – A Cautionary Note, describes how to penetrate the smartcards and secure microcontrollers of the mid-1990s. It kicked off the modern academic study of hardware security and won a Best Paper award.
• We followed up with Low Cost Attacks on Tamper Resistant Devices, which describes a number of further tricks. See also the home page of our hardware security laboratory, Markus Kuhn's page of links to hardware attack resources, and Theor Markettos' thesis.
• The Memorability and Security of Passwords – Some Empirical Results tackles an old problem - how do you train users to choose passwords that are easy to remember but hard to guess? We did a randomized controlled trial with a few hundred first year science students which confirmed some folk beliefs, but debunked some others. This became one of the classic papers on security usability.
• API Level Attacks on Embedded Systems are a powerful class of attack we discovered on cryptographic processors, and indeed any systems where more trusted systems talk to less trusted ones. The idea is that a "secure" device can often be defeated by sending it some sequence of transactions which its designer did not expect. We've defeated pretty well every security processor we've looked at, at least once.
• This line of research originated at Protocols 2000 with my paper The Correctness of Crypto Transaction Sets; more followed in the first edition of my book.
• Robbing the bank with a theorem prover shows how to apply advanced tools to the API security problem.
• Ideas for future API research can be found in Protocol Analysis, Composability and Computation, while an up-to-date survey of API attacks can be found in the second edition of my my book.
• NetCard – A Practical Electronic Cash Scheme presents research on micropayment protocols for use in electronic commerce.
• The Formal Verification of a Payment System describes the first use of formal methods to verify an actual payment protocol, which was (and still is) used in an electronic purse product (VISA's COPAC card). This is a teaching example I use to get the ideas of the BAN logic across to undergraduates. There is further detailed information in a technical report, which combines papers given at ESORICS 92 and Cardis 94.

Community - Home Pages of People with Relevant Interests

• Alessando Acquisiti
• Ben Adida
• Ross Anderson
• Bernardo Batiz-Lazo
• Matt Blaze
• Rainer Boehme
• Mike Bond
• Joe Bonneau
• Jean Camp
• Richard Clayton
• Jolyon Clulow
• Omar Choudary
• George Danezis
• Saar Drimer
• Ben Edelman
• Markus Jakobsson
• Eric Johnson
• Mich Kabay
• Theo Markettos
• Jeff MacKie-Mason
• Tyler Moore
• Steven Murdoch
• Peter Neumann
• Andrew Odlyzko
• Ron Rivest
• Angela Sasse
• Bruce Schneier
• Frank Stajano
• Doug Tygar
• Hal Varian
• Jane Winn
• Alma Whitten
• Jeff Yan

It's even worse if you are the vicitim of a fraud against an EMV (‘chip-and-PIN’) card; banks will routinely claim that as their system is secure, you must be mistaken or lying. They will suggest that you complain to the Financial Ombudsman Service; but the ombudsman routinely finds against cardholders, regardless of the law and the evidence (see here).

If you complain to the police, they will tell you to report it to the bank first. This is designed to shrink the fraud statistics. But if the bank refuses to refund your money, then you are the victim not the bank, and you're entitled to have the crime recorded under section 53C of the Home Office Counting Rules For Recorded Crime April 2008 (see also here). The police unit dealing with card fraud is funded largely by the banks, a practice frowned on elsewhere.

The history of victims who've sued banks is not good; in the Alain Job case, for example, Alain failed to recover £2000 and was ordered to pay £15,000 of the bank's costs; in another case I know a complainant retained a solicitor to recover £10,000, and the solicitor charged her another £10,000 without making any useful progress, leading her to abandon the case. On the other hand, where banks have accused customers of defrauding them, the customer often wins: see the Badger case, for example. If you get wrongfully prosecuted over a card transaction, or if you're thinking of suing to get your money back, best read this submission to the Treasury select committee. Keep any solicitor on a tight rein: ‘Your budget to get the case to stage X is £Y’. If you're well-organised and articulate, you might manage to bring a small claims case in person but for that you'd need to know your facts, research the law, and be careful not to end up liable for the bank's costs. (The bank will apply to have your case moved from the small claims track, where each side pays its own costs, to the fast track, where the loser pays the winner's costs. If the judge agrees, walk away!) You should also study the papers in the Eve Russell case to see up close how banks and the ombudsman work. There is also a very useful paper on evidence in chip and pin cases which you should read closely if you're bringing a case yourself, and get your lawyer to read if you hire one. And if you need emotional support after being scammed, you can always call a charity like Victim Support.

In short, we have a regulatory failure in Britain. Many more people suffer frauds such as card cloning, phishing and dodgy online auctions than suffer traditional acquisitive crimes such as burglary and car theft. However the police don't want to know and the banks get away with dumping most of the fraud risk on cardholders and merchants. As a victim, you'll have a hard time getting your money back unless you can get your story in the press, or you can threaten to take away enough business from your banker that he cares. Britain is not honouring its oligation under Chapter 5 of the EU Payment Services Directive. We need a change in the law.

Other Resources

• My book Security Engineering might be a good introduction. It covers not just technologies such as crypto and firewalls, but a number of specific applications from banking to burglar alarms, and relevant attacks from chip tampering to API manipulation. It also brings out the economic and psychological aspects.
• Bernardo Batiz-Lazo's Emergence and Evolution of Proprietary ATM Networks in the UK recounts the history of the ATM.
• The Banking and Payments Research group at Federal Reserve has produced a number of relevant papers including overviews of ATM systems, nonbank payment systems and mobile payments in the USA. Their Chip-and-PIN: Success and Challenges in Reducing Fraud gives a view of fraud levels in a number of different countries in 2011, and the effect of EMV introduction. The U.S. Adoption of Computer-Chip Payment Cards: Implications for Payment Fraud discusses how the USA might be affected by its forthcoming introduction there.
• David Evans and Richard Schmalensee's Paying with Plastic gives the history of credit cards and analyses the industry's economics.
• Mike Bond's Phantom Withdrawals page has some useful case histories and links but has not been maintained since 2009.
• Omar Choudary's MPhil thesis, which the British banks tried to ban. It set out to implement the man-in-the-middle defence described above, and alos provides a platform on which to implement and test for the No-PIN attack.
• I've described The Art of Deception by Kevin Mitnick as "the most disturbing security book ever". Mitnick was jailed after a hacking spree based mostly on social engineering: he became a master at telling lies on the telephone that would cause people to give him passwords or otherwise open systems to attack. This book tells how he did it.
• Understanding scam victims: seven principles for systems security by Frank Stajano and Paul Wilson examines a variety of scams and cons that were documented in the BBC TV programme "The Real Hustle", extracts the principles on which the scams were based, and applies them to system security.
• The Psychology of Scams - Provoking and Committing Errors of Judgment, by Stephen Lea and colleagues, is an encyclopaedic study of how people fall for online and other scams, conducted for the UK Office of Fair Trading. The authors give a thorough literature review, describe a large number of scams, and then present four original studies of their own. Scams involve many of the other techniques used by legitimate marketers; people who are poor at regulating their emotions, and perhaps are socially isolated, may be disproportionately vulnerable.
• Social Phishing, by Tom Jagatic and others, reports how the percentage of students who responded to a test phishing email was increased from 16% to 72% by including relevant social information about the target (for example by making the email appear to come from a friend of the target, identified via a social networking site).
• Electronic Commerce – Who Carries the Risk of Fraud? discusses how banks used the move to online banking in the late 1990s to weaken consumer protection.
• Understanding Risk Management in Emerging Retail Payments is a research paper from the US Federal Reserve on how technology is changing the risk landscape there. They give a number of examples of scams that got closed down by the FTC and other authorities; examine what can go wrong; and give an economic analysis of the nature of payment security. It is a public good in that it provides general benefits, but networks can exclude users, making it a club good instead.
• FIPR made submissions on consumer protection to the House of Lords inquiry into Personal Internet Security (with which the House of Lords basically agreed) and the consultation on the National Payments Plan.
• Using Social Psychology to Implement Security Policies, by Mich Kabay, discusses how to get people to pay attention to security policies and the importance of the social schemata by which people frame reality and judge behaviour. These are particularly important when the desired behaviour violates social norms such as holding doors open for people. A number of strategies for changing expectations and norms are discussed.
• European Cyber-Gangs Target Small U.S. Firms, Group Says is a Washington Post article that brought to attention the rising trend towards wire-transfer fraud being committed against businesses using stolen electronic banking credentials. (This increasingly involves spear-phishing, or the use of social engineering to get targets to install malware, as described here.)
• Identification of Pressed Keys from Mechanical Vibrations by Gerson Faria and Hae-Yong Kim shows hiw ATM PINs can be snarfed by measuring the keyboard vibrations as they are entered.
• Identification of Pressed Keys by Acoustic Transfer Function, by the same authors, shows that some PIN pads allow PINs to be simply listened to; the sounds of the keys are sufficiently different for one widely-used Ingenico PIN pad that remote PIN stealing is trivial, despite its being Common Criteria certified.
• Finally, here's a piece on ATM skimmers.