Cambridge Refuses To Cave To Banker Demands To Censor Paper Which Exposes Card PIN Hack

Something amsuing out of England (and ever slightly less so if you happen to be the CTO for Capital One). After in late 2009 four Cambridge students uncovered a no-PIN attack that allowed those so inclined to hack ATM machines, and subsequently they made their findings public, a recent thesis paper by an Omar Choudary has summarized the findings, and has been in the public domain for some time. However, it appears that the UK banking cartel, with its 2010 bonuses finally safe and sound, has only now discovered this major weakness across their systems. But instead of taking prompt steps to fix the problem, in typical kleptocratic oligarchic fashion, the bankers' initial demand (apparently across the Atlantic, "UK Cards Association" is another name for the bailed out crew) is for Cambridge University to censor the paper. Alas, Cambridge has not agreed to fold like a lawn chair. The response that follows is quite hilarious. What will be less hilarious is if the no-PIN "attack" works in the US just as well as it did in the UK. Zero Hedge staff is currently enjoying the "all flights canceled" weather, testing out this particular null hypothesis.

From the response by Ross Anderson of the Cambridge Computer Lab:

Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera. At no time was there any intent to commit fraud; the journalist's account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense. I would not consider such an experiment to require a reference to our ethics committee. By that time the Newsnight programme had appeared and the No-PIN attack was entirely in the public domain. The French television programme was clearly in the public interest, as it made it more difficult for banks in France to defraud their customers by claiming that their systems were secure when they were not.

You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.

And here is the original post from the blog of the Computer Laboratory at the University of Cambridge:

The bankers’ trade association has written to Cambridge University asking for the MPhil thesis of one of our research students, Omar Choudary, to be taken offline. They complain it contains too much detail of our No-PIN attack on Chip-and-PIN and thus “breaches the boundary of responsible disclosure”; they also complain about Omar’s post on the subject to this blog.

Needless to say, we’re not very impressed by this, and I made this clear in my response to the bankers. (I am embarrassed to see I accidentally left Mike Bond off the list of authors of the No-PIN vulnerability. Sorry, Mike!) There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

Yeah, yeah, shut up and give us the hack already so we may also enjoy some of that cool $3.3 trillion in taxpayer bailouts. The link is here.

h/t Ras Bongo


No comments yet! Be the first to add yours.