I’d heard vague stories about this when I was still in the UK, but the full story of the insecurities of the British bank system is pretty staggering.
Professor Ross Anderson, a cryptography and security expert who was an expert consultant to Kelman on the case, explains: “Stone had been working with building access systems using cards with magnetic stripes, and one day he thought he’d see what it could read of his ATM card. Then he tried it with his wife’s.” Stone figured that the stream of digits was probably an encrypted PIN.
“Then, because you can change the content of the magnetic strip, he wondered what would happen if he changed the number on his card to match his wife’s. He found he could get money out using his old PIN.” The high street bank Stone used (The Register knows which one) had not used the account number to encrypt the PIN on the card – meaning that any card for that bank could be changed and used to make withdrawals on any other account in it, providing you knew the right details (such as branch sort code and account number. The name of the card holder of course was unimportant, because it was not on the stripe.)