Bruce Schneier picked up the ATM story today on his blog, with an interesting perspective. He says “how lucky everyone was”…I posted something in his comments section about the liability issues raised in the article, which is where I felt I would have been headed anyway.
Bruce also has added an excellent link to Ross Anderson’s page regarding phantom withdrawls.
Time to give this trackback thingy a try…
I think I recall some guy being sued in Britain years ago by a bank or vice versa over this exact issue. At the time, the bank, if I recall correctly, argued that the ATM security was so good that only the card holder could have made the withdrawal or been so sloppy as to let someone else know their PIN. In either case the bank argued that they should not be liable for the money withdrawn from the ATM.
The guy, I think, was in a different country at the time the withdrawals were made.