Cambridge Refuses To Cave To Banker Demands To Censor Paper Which Exposes Card PIN Hack

Tyler Durden's picture

Something amsuing out of England (and ever slightly less so if you happen to be the CTO for Capital One). After in late 2009 four Cambridge students uncovered a no-PIN attack that allowed those so inclined to hack ATM machines, and subsequently they made their findings public, a recent thesis paper by an Omar Choudary has summarized the findings, and has been in the public domain for some time. However, it appears that the UK banking cartel, with its 2010 bonuses finally safe and sound, has only now discovered this major weakness across their systems. But instead of taking prompt steps to fix the problem, in typical kleptocratic oligarchic fashion, the bankers' initial demand (apparently across the Atlantic, "UK Cards Association" is another name for the bailed out crew) is for Cambridge University to censor the paper. Alas, Cambridge has not agreed to fold like a lawn chair. The response that follows is quite hilarious. What will be less hilarious is if the no-PIN "attack" works in the US just as well as it did in the UK. Zero Hedge staff is currently enjoying the "all flights canceled" weather, testing out this particular null hypothesis.

From the response by Ross Anderson of the Cambridge Computer Lab:

Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera. At no time was there any intent to commit fraud; the journalist's account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense. I would not consider such an experiment to require a reference to our ethics committee. By that time the Newsnight programme had appeared and the No-PIN attack was entirely in the public domain. The French television programme was clearly in the public interest, as it made it more difficult for banks in France to defraud their customers by claiming that their systems were secure when they were not.

You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.

And here is the original post from the blog of the Computer Laboratory at the University of Cambridge:

The bankers’ trade association has written to Cambridge University asking for the MPhil thesis of one of our research students, Omar Choudary, to be taken offline. They complain it contains too much detail of our No-PIN attack on Chip-and-PIN and thus “breaches the boundary of responsible disclosure”; they also complain about Omar’s post on the subject to this blog.

Needless to say, we’re not very impressed by this, and I made this clear in my response to the bankers.
(I am embarrassed to see I accidentally left Mike Bond off the list of
authors of the No-PIN vulnerability. Sorry, Mike!) There is one piece of
Christmas cheer, though: the No-PIN attack no longer works against
Barclays’ cards at a Barclays merchant. So at least they’ve started to
fix the bug – even if it’s taken them a year. We’ll check and report on
other banks later.

The bankers also fret that “future research, which may potentially be
more damaging, may also be published in this level of detail”. Indeed.
Omar is one of my coauthors on a new Chip-and-PIN paper that’s been
accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

Yeah, yeah, shut up and give us the hack already so we may also enjoy some of that cool $3.3 trillion in taxpayer bailouts. The link is here.

h/t Ras Bongo

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Malcolm Tucker's picture

Glad to have blogged about this earlier today :)

http://fedupmontrealer.blogspot.com/2010/12/banks-try-to-cover-up-fraudagain.html

My post includes a BBC video that shows a live demonstration of the Chip and Pin security flaw

Thanks for highlighting this issue Tyler!

trav7777's picture

The Truth appears to be more than just the State's enemy, eh?

Malcolm Tucker's picture

I thought you were going to say Truth Bitchez :)

Red Neck Repugnicant's picture

censoring writings that offend the powerful is offensive to our deepest values

I can assure you this statement is total bullshit, especially at Eton College, just outside Windsor. Eton has a long, rich history in England and, in many ways, embodies everything that the British idealize about their schools.  

After writing a very satirical letter about the King's Scholarship recipient and Dr Andrew Gailey (he was my house master and is now the Vice Provost), I was kicked out of Eton due to:

"....a very poor attitude, coupled with lackluster performance that does not reflect the expectations of an Eton boy.  Furthermore, "RNR" has repeated his intention to sue the College after commencement for 'gross negligence in his development of a young man.'"

At Eton, freedom of speech is as warmly welcomed as passing around a school petition to have Tony Little (Eton Headmaster) shave his mustache as it "distracts from our studies and from the seriousness that would be expected from an Eton Headmaster. If Mr Little wishes to replicate the sexy image of Magnum PI, we wish that he would simply move to America and govern the student body of Long Beach Community College (LBCC)." 


Cognitive Dissonance's picture

"....a very poor attitude, coupled with lackluster performance that does not reflect the expectations of an Eton boy.

Nice to see you've continued with your "very poor attitude, coupled with lackluster performance" here on Zero Hedge. :>) 

Red Neck Repugnicant's picture

Don't get froggy with me, CD. 

My new year's resolution is to be nicer to people, and this was my attempt to "open up" and express my vulnerabilities.  

Don't exploit it!

 

 

Dumb Money's picture

to CD: ZING!

to RNR: does your new found openness mean that you're buying gold?

to bob: HA!

Cheesy Bastard's picture

Faux

When you start your comment with this:  "I can assure you this statement is total bullshit",  then maybe you do need work in this area, of being nicer.  I already know I do too, but in the spirit of the season,I just wanted to give you an idea.  Too bad you don't have anywhere to keep one!  Ha Ha. 

nmewn's picture

"Furthermore, "RNR" has repeated his intention to sue the College after commencement for 'gross negligence in his development of a young man.'"

I'm guessin that's goin as well as OJ's furtive under-cover search for "the real killers" at Lovelock Correctional.

RichardP's picture

Don't bash the student body of Long Beach Community College.  People like them hold the world together.

DoChenRollingBearing's picture

Actually, this time I am with the Faux Red Neck:

"....a very poor attitude, coupled with lackluster performance that does not reflect the expectations of an SPS boy.

Those terms were used by my superiors at prep school and at the very LAST place I ever had a "job".  Plenty of room for everyone here at ZH.

malikai's picture

So in that video the FED even said it was broken? What?! Its got to be bad then.

Anyway, chip+pin was theoretically broken before it was even implemented. If they had been smart and had an open review before bandwagoning the deal, it might have been better the first time. For even better lulz, check out the RFID passports. Those have lots of potential.

trav7777's picture

Cambridge, bitchez

DoChenRollingBearing's picture

.gov and banksters steal our money.  Then they complain when someone spots a hole in their security, and want to cover up that information.

Hypocrites.  Just spend the money now to fix ATM security, you ARE going to have to spend the money at some point.

+ 1000 to Cambridge, right on trav7777.

MobBarley's picture

Someone please explain to me why a chip in your card is better than a magnetic stripe on the back.

Some kind of challenge/response system? Also, do current mag stripe ATM cards have this 'signature' verification thingy? And how would that work at an ATM machine?

Especially the kind that dispenses GOLD BARS bitchez!

Merry Christmas and Lots of Love to everyone :)

 

Captain Benny's picture

I'm not familiar with this exact technology, but the basic idea is that.

In theory you should be able to do a cryptographically-based challenge/response mechanism.  In practical implementation however this isn't quite secure, because I'm betting that most of these cards (if not all) come pre-shipped with their crypto-keys already known by the manufacturer and/or bank...

virgule's picture

The chips are essentially micro computers, programable, and with an architecture that makes it somewhat harder to break into, than in your average "open device".

In the early designs (not sure if this is still in use today), the chips had a self-destruct feature, if someone tried to access them in a manner not compliant with the design protocols. In the most basic example, a micro-chip would self-destruct if your tried a brute force attack, entering too many PIN numbers with a stolen card. That is definitely much better than a passive magnetic stripe, which lets you read and write as much as you want.

For french-speakers who want more history on this invention, lookup Roland Moreno on the French Wikipedia.

Byte Me's picture

The chips have better physical robusness against data corruption and potentially much higher data density.

Mag strips are easily damaged / corrupted as well and don't allow for the challenge / response protocols (however flawed they may be)

Widowmaker's picture

"Someone please explain to me why a chip in your card is better than a magnetic stripe on the back."

Three-fold:  

To eliminate (minimize) counterfeit cards.

Two-factor authentication (the system knows you are you) based on the chip itself (possession of it) and your PIN.

To track EVERYTHING bought and sold-- POLICED MONEY.

Welcome to the mark of the beast, where ALL control of your money (buying and selling) is anything but yours.

Captain Benny's picture

In America, these cards aren't prevalent yet.  In America, we use the far weaker system which involves easily clone-able mag-strips using technology from more than 30 years ago.  In Europe they've essentially removed one part from the transaction process (mag-swipe) and replaced it with a fundamentally flawed design which introduces this vulnerability.  Wow.  Stupid banking industry...  (NOTE: I didn't say they don't use mag-strips in the above statement...)

MobBarley's picture

Pardon, but what makes SmartCHIP any more secure than a mag stripe?

Is it that it _should_ be much harder for someone to clone a SmartCHIP embedded ATM card?

I say _should_ because we all know that some black hat hacker group somewhere is already cloning the sh*t out of them in some attic somewhere, as usual.

Also, if the magstripe on the card merely presents your account information, routing number and account number, then surely it could be possible theoretically to merely enter this information by hand at a 'terminal', ATM machine for instance, and then your PIN

and have cash dispensed merely from information?

So by having the sheep beleive that some kind of CHIP is needed in the card..and then because the card can be lost or stolen the CHIP really ought to be embedded in your thick skull in your forehead or perhaps in your right hand...ring a bell?

 

Captain Benny's picture

Pardon, but what makes SmartCHIP any more secure than a mag stripe?

I didn't say it was any more secure.  In fact I said the exact opposite.  They removed the mag-stripe from being the common authentication mechanism and replaced it with a fundamentally broken design that is far worse.  This broken design allows for non-PIN based transactions.  I'm a personal believer that there shouldn't even be PINs anymore.  Anyone that has seen the Bloomberg authentication tokens (BUNITs see: http://blog.robwebb2k.com/2007/08/03/corporate-branding-the-bloomberg-b-unit/ ) knows that they are far more advanced than any stupid CC you find in the EU and US.  Its time to stop using stupid freakin pins on a wide scale.  They're fundamentally weak.

 

Eternal Student's picture

There are lots of misconceptions here. The card swiping biz is now big business. Please spare us with the old meme of some individual cracker working away in an attic. Organized crime has moved in, though they are smaller than the drug gangs. IMO, you're a total fool to use an ATM or Credit Card at a gas station, or other public places. You're not even safe at your bank, though those are harder targets. It depends on the Bank, really.

That's not to say that the chips are any safer. They make it easier to identify people carrying them, from afar. And they've historically had a number of issues. Security is not a priority with the Bank. Not when they can either harass you significantly, or just write it off as the cost of doing business.

SilverBaron's picture

Why even worry about it?  By law you are not responsible.  I've had money stolen from my acct. a couple of times and it was replaced free of charge.  Bad for visa, no big deal for me.

Eternal Student's picture

Are you talking about a debt card, or a credit card through Visa? Debit cards have no protections, and you're at the mercy of the bank. Credit cards are different, but people don't steal money from those, they just charge your card, which is a big difference. Even in that case, the process is a hassle, as you're in a dispute with a vendor. The outcome is also dependent on the amount charged, as it costs the vendor typically $50 or so to fight the claim. For more expensive items, the judgement can go against you, and yes, you can be on the hook for it. You are not guaranteed by law to not have to pay; you are only guaranteed if you can prove that it wasn't you in a normal vendor dispute. And the first judgement is made by the bank, not a court of law.

I prefer not to have these hassles, or liabilities.

 

SilverBaron's picture

Good point. I don't think they used my pin, just ran it as credit.  The first time was two $900 charges on a cruise ship somewhere, and the latest was just one cent at some home improvement store in NY.  The bank said they were probably just seeing if they could get away with it.

Botox4U2's picture

"Security is not a priority with the Bank." 

In spite of bank claims that the new RFID contactless 13.56Mhz chip cards are secure, their claims are disputed outright by various US and Canadian governments who use the same chip in the new biometric "enhanced" drivers licenses as well as the US, Canada and Mexico border services quick access service named NEXUS. When do you suppose the banks will tell the truth about RFID cards? In my opinion it's not about 50.00 that the banks will cover if there is a theft, but it's about strangers electronically pickpocketing people to get their names and card numbers and expiry dates which is the BEGINNING of identity theft.

This site explains a lot for those not too familiar

http://www.chipblockers.com

 

MobBarley's picture

 How many misconceptions? Can you provide an itemized list?

 I ask that you spare me the meme of 'meme'. It was tired the day the first government sponsored psy op 'webbot' report came out. Thanks.

 I'm sorry that any form of romantic notion offends you. You really ought to write Tyler Durden and tell him how his moniker also offends you.

 I couldn't agree with you more that it is tempting fate to use your ATM or credit card at any facility or location where one has to rely on the honesty of the persons involved not to rob you blind.

 The only security is obscurity

 

Widowmaker's picture

Captain it depends on how you define "strength"

In a previous comment I pointed out how electronic money is actually far weaker in that it guts your ability to buy and sell without an intermediary.  That premise and the intermediary (effective control of all buying and selling), should scare the hell out of you.

If a person gets robbed electronically, such as system unavailability or a "glitch", is anything really stolen?  Where is proof in an electronic system - more electrons?  

Yearn for the day masses wake up to realize that everything they thought they owned is really borrowed from the "money-makers."  The joke is on literally everyone -- except gold-holders.

knukles's picture

Douchebags.  Harrrrumph.  Christmas my ass. 

In order that we can ensure your card is not insecure on our secure network and in enhancing unnecessary and redundant upgrades to enforce impregnibale network security, an additional fee must be levied to set aside a reserve to compensate for any impossible unauthorized insecure unreimbursable thefts from our secure network.
Conversations may be recorded for your security.

lynnybee's picture

..... don't use their damn "cards" !    When I was young we didn't even have ATM machines & we liked it that way !   I'm so old that I remember walking into the local bank & when we made a deposit in our savings account the teller got out an ink pad & stamper, changed the little numbers manually on the stamper, inked that little stamper & stamped the amount of the deposit onto our passbook !! 

granolageek's picture

Hey, where are all the bankster suck-ups that have hissy fits every time a state AG goes after a bank? This is a bunch of lefty academics  telling the banks to fuck off and die and expecting to get away with it. Surely the great gods Hayek, Rand and Rothbard will smite Cambridge University with three plagues and a lightning bolt.

Ras Bongo's picture

Dear Melanie Johnson

UK Banksters Cards Association

 

FUCK YOU AND YOUR SPECIES!

 

Sincerely Pissed,

Triple Tuition Hiked UK Students

 

Thx 4 h/t. 

 

Bearster's picture

I certainly don't have any sympathy for their desire to impose censorship on Cambridge or anyone else.

But everyone sneering at them for a security bug would do well to look at the front door to his own house, his bank account passwords, and everything else from the perspective of a hacker who had more time, motivation, and expertise than he does.

Let's retain a little bit of good will and courtesy, and refrain from blaming the victim (in this case the banks with the bug).  They didn't make this bug on purpose just to hurt you!

umop episdn's picture

I hope you are merely misguided on this issue. One of these new cards can be read without your knowledge-without you taking it out of your pocket. According to the banksters, this is a feature, not a bug. According to me, it is a huge invasion of privacy, even if it worked properly. I don't wish to be tracked everytime I pass by a card reader, thankyouverymuch.

Creepy Lurker's picture

No joke, unfortunately. That's why they sell those "secure sleeves" to keep your credit cards and passport quiet. (Yes, passports have them too.)

drB's picture

The difference is that banks are paid for their customers to have security; we do not get paid for our home security. Banks here are not a victim, they just, as usual, cut corners to get everything cheaper.

granolageek's picture

I knew the suckups would show.

Nope, I blame the banksters for ignoring the problem for a year after they were told about it, and then trying to prevent publication since that would show their wilful attempt to save a quid by not bothering to fix a problem they bleeping well knew about.

 

But corporations will never do wrong, nope.

Cheesy Bastard's picture

Nope, I blame the banksters for ignoring the problem for a year after they were told about it, and then trying to prevent publication since that would show their wilful attempt to save a quid by not bothering to fix a problem they bleeping well knew about.

Nope, I blame the banksters for ignoring the problem for a year after they were told about it, and then trying to prevent publication since that would show their wilful attempt to save a Vampire Squid by not bothering to fix a problem they bleeping well knew about.

Fixed it for ya.

 

Black Friday's picture

"They didn't make this bug on purpose just to hurt you"

Yes they did.

 

Byte Me's picture

Let's retain a little bit of good will and courtesy, and refrain from blaming the victim (in this case the banks with the bug).  They didn't make this bug on purpose just to hurt you!

I shall always retain a modicum of courtesy and goodwill to any party worthy of it.

Exceptions to this would have to include the Banksta cartel who have made tremendous strides in recent times to rape the productive economy and undermine civilization itself without, for a moment, considering any form of apology even necessary.

When  some apologist for the 'victim' banks talks his book (that'll be YOU Bearster) - well, that's just too much for me.

Seasons fracking greetings to you.

 

 

Atomizer's picture

Capital One is running out of serf taxpayer monies. Do you remember?

The Obama Stimulus and Bank Bailout Plans

http://smooz.4your.net/diplomatic-world/files/WEB_DW_22_Obama_Plan.pdf

The need for a cashless banking world is the recent CNBS think tank survey. Did you email Erin?

 

Rusty Shorts's picture

Is this why the Treasury has delayed, soon to be cancelled?, issuance of the new $100 note?

Husk-Erzulie's picture

Damn, nice font Omar...anyone know what that is offhand?  Designer types, anyone? :-))