In the early nineties, the actions of a rogue computer department within a British bank could have brought down the entire British banking system.
The story begins with the computer department of one of the banks issuing ATM cards, which had worked out how to crack the PIN system and then used this knowledge to make phantom withdrawals from any account it chose within the British banking system.
These "phantom withdrawals" first started appearing during the 80s, when British banks began to join their ATM networks together. Although the banks were aware of the problem, they had no idea how it was being executed, or whether it was fraud or simply a problem with the computer systems and software linking everything together. In other words, which is more likely: that everyone employed at one or more of these banks' computer departments worked together to commit fraud, or that the thousands of disparate computer systems, and the software that drove them, had bugs which occasionally made a mistake?
In 1992 a British lawyer, Alistair Kelman, was approached by a consumer association who said that members were complaining about phantom withdrawals. Kelman met with two of the association's members (Mr and Mrs McConville) who had had a number of phantom withdrawals from their account.
Anyone who has had to deal with even the simplest credit or banking problem will appreciate that, since the proof that these transactions were fraudulent appeared to lie entirely within the banking system, a long and arduous fight was about to ensue.
Sure enough, despite Kelman establishing that for a transaction to be valid the bank needs to prove that it was mandated by the customer (authorised via PIN), the banks used divide-and-conquer tactics, demanding that a class action lawsuit representing several thousand customers be presented individually in the small claims court.
Things ground on, until in April 1993 the banks changed their rules. Customers would only be liable for the first £50 of disputed withdrawals. The sum would be waived completely if the customer had a good enough case that they had not given away their PIN. This effectively killed the lawsuit because the banks had accepted liability - in a roundabout way.
During the course of his investigation, Kelman found a number of expert witnesses, and uncovered an extremely intriguing case of free money.
In order to test the credit and debit system, banking computer departments set up a complete dummy banking system, complete with cards carrying dummy account numbers and dummy PINs. Unfortunately for the banks, not only did these cards deliver real money from real ATMs, but a number of them accidentally made it into the wild. Every now and then, instead of receiving a card that withdrew money from their own account, a customer received one that withdrew money from one of these dummy accounts. Effectively the customer had a real card, a real PIN, and got real money, but had no idea where the money came from, because their account was never debited for any ATM transaction. (No, I don't know if any such cards are still in existence, but you'd like to think so, wouldn't you?)
Shortly after the case was settled, Kelman heard something that worried him deeply. The computing staff at one bank had discovered, through the dummy accounts, how to rig the PIN generator so that it would produce only three different PINs across all the PINs issued. By creating a number of dummy accounts and getting new PINs issued for them, they could capture the sequence. Then all that was needed was to recode the cards so they pointed to different account numbers, try the three PINs (ATMs gave you three chances), and they were away.
He could see that if this reached the media, people would begin comparing PINs, and on finding identical ones would tell others, and the security system used by the banks would collapse overnight. Then there would be a dramatic run on the banks as everyone tried to take their money to a safer place, such as under the mattress.
And there wasn't time for the banks to fix the problem if anyone went public with it. Their MTBU was too short. MTBU? That's "Maximum Time to Belly Up". Basically, by the end of the 80s, the time it would take the average financial institution to collapse due to the complete failure of its computer system had fallen to under a week. That meant if anyone went public with this information, the banks had 1 week to fix it before the entire British banking system collapsed. No, I'm not exaggerating: what would you do if you found out there were only 3 PINs issued by your bank, you knew what all 3 were, and you knew that everyone had 3 attempts to get your money? What would happen to a bank if everyone tried to get their money to a safe place at the same time?
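As an added illustration of why Kelman's scenario was so dangerous from the bank's side (this is not code from the original post), the following audits a batch of issued PINs: it measures how far the PIN distribution has collapsed and what share of cards would fall within the ATM's three-attempt budget if the issuance pattern were known. The PIN values, batch sizes and the 1% alert threshold are constructed assumptions.

```python
import math
import random
from collections import Counter
from typing import Iterable, Sequence

PIN_SPACE = 10_000      # four-digit PINs, 0000..9999
ATM_ATTEMPTS = 3        # wrong-PIN attempts allowed before the ATM keeps the card (as in the story)


def pin_distribution(pins: Iterable[str]) -> Counter:
    """How often each distinct PIN occurs in a batch of issued PINs."""
    return Counter(pins)


def entropy_bits(dist: Counter) -> float:
    """Shannon entropy of the issued PINs; a healthy generator approaches log2(10000) ~= 13.3 bits."""
    total = sum(dist.values())
    return -sum(c / total * math.log2(c / total) for c in dist.values())


def exposure(dist: Counter, attempts: int = ATM_ATTEMPTS) -> float:
    """Fraction of cards whose PIN is among the `attempts` most frequently issued PINs, i.e. the
    share of accounts that fit inside the ATM retry budget if the issuance pattern leaked."""
    total = sum(dist.values())
    return sum(c for _, c in dist.most_common(attempts)) / total


def audit_pin_batch(pins: Sequence[str], attempts: int = ATM_ATTEMPTS,
                    max_exposure: float = 0.01) -> dict:
    """Flag a batch whose exposure exceeds max_exposure (an assumed threshold; a uniform
    generator gives roughly attempts / PIN_SPACE = 0.0003)."""
    dist = pin_distribution(pins)
    exp = exposure(dist, attempts)
    return {"issued": len(pins), "distinct": len(dist),
            "entropy_bits": round(entropy_bits(dist), 2),
            "exposure": exp, "compromised": exp > max_exposure}


# Constructed sample batches (not real data): a healthy generator and one rigged to cycle three PINs.
_rng = random.Random(20240101)
HEALTHY_BATCH = [f"{_rng.randrange(PIN_SPACE):04d}" for _ in range(5_000)]
RIGGED_PINS = ["4417", "9023", "1682"]   # constructed placeholder values
RIGGED_BATCH = [RIGGED_PINS[i % 3] for i in range(3_000)]

if __name__ == "__main__":
    for name, batch in (("healthy", HEALTHY_BATCH), ("rigged", RIGGED_BATCH)):
        print(name, audit_pin_batch(batch))
```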
So Kelman was stuck. If he told anyone, anyone at all, the information would leak. As he was no longer representing the McConvilles, he was not legally entitled to bring this to the attention of the banks. So he kept his mouth shut.
Why did he feel it was okay to tell people about it now? Well, in the last few years the introduction of the new Chip and PIN system in the UK means that a more secure, less hackable, but more importantly entirely different, system of distributing cards and PINs has been put into place.
So the scam of producing just 3 PINs for every card produced by one bank can no longer work.
The side note to this story is the introduction of that "liable for the first £50 of disputed withdrawals" rule. This was eventually adopted by banks worldwide ($50 in the US) and was applied to all types of fraudulent transaction, particularly internet shopping transactions, and we have the McConvilles, Alistair Kelman and their lawsuit to thank for this.