(This is just a summary of the article as it appeared in comp.risks v14 n56)
An article in the UK Sunday Telegraph on 25 Apr 1993, p. 5, by Barbara Lewis, deals with the current argument in which banks in the UK deny that "phantom" withdrawals happen and maintain that all such withdrawals from ATMs occur because the cashcard owner has let the PIN be revealed. The card used was a free gift from a Total garage (Total is a French petrol company), for use in a money-saving offer. The PIN belonged to someone's account. By bringing the two together, and programming the card with a genuine account number taken from a discarded till receipt, Mr Clough was able to fool the machine into paying out.
The requirements included specialised computer knowledge and basic technology: a magnetic card reader and programmer costing as little as 500 pounds (750 dollars), which is capable of turning worthless blanks into cashcards. By using the details of the discarded receipt, which contained the full account number, plus the details off a valid card, they were able to "break" the system. They used a machine which could not check the validity of the card with the bank's central computer, and so forced validation using the information on the card itself.
From the article, the areas of danger are the number of printouts with card numbers on them and the ability to find ATMs which are not on-line to the bank's computer. They also demonstrated that a careful watcher of ATM users can "see" what PIN is used, pick up a receipt discarded by the same person they watched, and then make a usable card. The particular ATM still prints the whole account number, and not all UK ATMs may work the way this bank's one did, but they believe that it is a major loophole.
The banks deny that they are finding lots of "white" cards, and a spokesman for the Association for Payment Clearing Services (APCS) insisted that what was done was impossible. It seems as usual that the banks are hiding their collective heads in the sand.