A Cambridge professor reacted angrily to a request from the UK Card Association to ‘censor’ the publication of a student research thesis on a flaw in bank card security which negates the need for a correct PIN.
The UK Card Association wrote a letter (pdf) to the ‘Director’ of Cambridge objecting to the research paper titled “The Smart Card Detective: a hand-held EMV interceptor” by student Omar Choudary, and further requested “comfort” regarding a policy on “future disclosures.”
The bank industry body’s chief concern was that the research publication contained a “level of detail which we believe breaches the boundary of responsible disclosure,” arguing that the research thesis essentially documented the construction of a device which exploits a security hole in chip and PIN.
Cambridge professor of Security Engineering, Ross Anderson, wrote back to the UKCA (pdf) rebuffing them over “misconceptions and factual errors”, accusing the banking body of a “misconception” as to the role of a University, and pointing out that Choudary published the research, not the University.
“… you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient,” wrote Prof. Anderson.
The flaw itself relates to the fact that the PIN of a bank card is checked only by the card itself and not by the bank, a practice disclosed in 2009 but still largely unfixed by the banking sector. The bank industry body is thus relying on ‘security through obscurity’ as a measure against fraud, and sought to paint the research as an irresponsible disclosure.
“Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values,” wrote Prof. Anderson before pointing out that the so-called “No-PIN” attack discussed was an old vulnerability still not addressed by the banking industry.
“You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies.”
“Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.”