Cryptography has been a closely controlled technology. This century has seen significant advances in the level of sophistication, as well as an increased awareness of the strategic significance of cryptography. Unfortunately, governments have either classified or outlawed the use of cryptosystems.

Only recently has information about the causes of crypto failure been available. The advent of ATMs has for the first time produced empirical data, in the form of court proceedings, allowing analysis of the reliability of cryptosystems. Ross Anderson published the first such study in 1994.

Of the hundreds of cases of ATM-related fraud, only two cases involved technical attacks as envisioned by ATM risk studies. Since ATMs generally use cryptography to assure integrity, the resulting court cases (especially in the U.S., where the banks are obliged to prove fraud) provide interesting insight.

Ross cites many amusing stories. My favorites were one where the bank had issued ATM cards that all had the same PIN code. Another where a programmer had deliberately introduced an error such that there were only 3 different PINs.

The conclusion that we can draw from these cases is that computer security is an organizational problem, not a technical one. It is important that we keep this in mind when we listen to vendors. Also, we must make sure that our legal framework puts the burden of proof on the financial institution, not the customer.