Slashdot Mirror
UK Banks Attempt To Censor Academic Publication
An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."
Security through obscurity is foolish. If this forces the banks to reinforce what they already know is weak, then I commend both the guy and the university.
...or through secure practices. An academic question.
security through obscurity
Albeit a foolish one.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
"Nooez don't tell people stuff they can find easily on google! D:" - E-mail from the UK bank.
Would that be governmental representatives, representatives of an independent representational body of some sort, or a single bank/group's representative front? I'm unaware of the "UK Cards Association".
The university's response completely owns the bank.
"1. Why don't you have the balls to complain to the guy who actually published it? 2. Why do you suddenly object to research based on something that was already published, like, years ago, and which we warned you about before? 3. Why are you defrauding your customers by pretending your shitty system is secure, and on what grounds do you demand our help with that? 4. Fuck you this is a anteater^W university."
In the UK, requests, when issued by such bodies, usually come close enough to demands. Look at the UK govt's countless "voluntary" regulationary systems.
by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:
Institute checks at the acquiring or issuing bank that make sure the card and the terminal agree that it was a PIN transaction, that would seem to be an obvious one. And comparatively easy.
Failing that, remove the signature verification auth method from cards, can be done via an update delivered during any transaction.
Or make all PIN transactions over the floor limit the 'online PIN verification' type.
EMV has problems by the looks of it, if you have a sophisticated MITM machine, but it wouldn't take much to fix the problem with this attack.
That said, the banks still shouldn't be suppressing the research.
There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.
Of course the bankers would just rather be lazy and not have to fix their shit system.
In the French TV programme linked from the blog entry, we see a no-pin transaction being undertaken in a Cambridge store. The banks letter states that these transactions would not work in practice as they would be detected. This raises the question of whether they only learnt that this transaction was a 'no-pin' when it was aired on TV or whether they had detected it on their own beforehand.
They just got used to be douchebags and unpunished. Until the guillottine starts chopping some heads again, it won't get any better.
Yes, I'm bitter and a bit hopeless.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Do they have anything like the 1st over there?
whistle blower laws?
"Security by obscurity" is a perfectly valid technique. It just shouldn't be used alone.
Suspect it's the same group. He won't take any shit from the banks.
:)
so what big deal you goto a bank and tell them look you pay me $$$$ ill tell you how and wella PROFIT
Incorporate his research. Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"
They're screwed right now. If they bankrupt him through litigation, you can bet that someone from the Russian mob is going to offer him a briefcase of unmarked bills to "fund his education."
The BBC Newsnight program on the issue (from last February) explains the issue pretty well. Watch it.
The funny/disturbing thing is why did it take 10 months! for some official at the UK banking industry association to have a revelation/panic and issue such a stupid letter. The professor's response to them is pretty effing on!
I think he should've said quite blunty: " listen, our students figured this weakness in your system during their free time, using our shoe string budget". Do you really think high tech criminals and criminal organizations with millions or even more at their disposal won't reproduce this? All you need to do is read the bloody manual! "
If I was a banker/bank/building society I would seriously consider funding research into this instead of whining about it. I mean those students don't have what the criminals can easily get with just money. At least buy them the latest oscilloscope/logic analyser for god sake! - its a miniscule fraction of the profits the banks make - or even what they stand to loose from such weaknesses...
www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
That's important to note. However, they're taking their fucking time fixing it (it's been a year since the first notification) - only Barclays' system has been fixed so far - so they aren't really justified in making such a request.
To prevent this day from getting worse, I'll just read ERROR as GOOD TH
Sure, this kid and Cambridge absolutely have the right to publish this paper. That doesn't mean the bank and its customers aren't going to class-action their ass, though. Their not doing anything illegal, but they are pissing people off.
Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place ... the banking industry's fraud prevention systems would be able to detect when such an attack had happened.
Yeah right!
Ross Anderson does great work in this field, and has done for decades. The banks are happy to put out a flawed system, and hope that people don't notice they are getting ripped off by criminals. Those that actually do notice get reimbursed if they fight hard enough and manage to win their court case (the banks often falsely convince the judge their system is infallible), and then this simply gets shifted back onto the customers through increased bank charges.
If you look at his February post after they broadcast the problem on Newsnight (major UK political television programme), a large number of the commenters appear to be victims.
The message is clear: if you take your credit or debit card out with you, or use it online, there is a good chance money will easily be stolen from your account. If somebody swipes and clones your card, they do not need to know your PIN number to extract money from it. The safest way to pay is currently with cash.
Phillip.
Property for sale in Nice, France
In fact work at a lab, and I say this was a major missed opportunity...
What they should've said is:
" Listen, your whole system is flawed and full of holes like a tennis racket made of swiss cheese.
For a start immediately buy our university department the following:
- One of each on their catalog...
- And their...
- And their...
...that should cost you only 50-100 million (you might get a discount). Budget it as a long term investment into transaction systems."
At least such a scenario is a recurring dream of mine. Oh well, back to the grind ... calibrating old Tektronix oscilloscopes...
www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
Some of us would have NEVER KNOWN about this if they did nothing.
This crap spreads a lot slower if they leave it alone.
The problem with the internet is once you post it.. it's there forever.
Drawing attention to it makes it a LOT worse.
Now there are torrents being made and mirroring is being done so any chance in hell of it being removed or kept quiet just went to -zero-
How many more years will it take before these corporate idiots realize that once it hits the net it's out there?
Having read the letter in the supplied link, "take-down notice" is an inappropriate and inflammatory term to use to describe the communication in question.
IANAL, but I am a speaker of the English language. A "take-down notice" would, in common usage, refer to a DMCA (most common) or other style notification that a publisher of some (often allegedly plagiarized) content is legally obligated to remove it, or will enjoy a legal safe harbor if one does so. None of these criteria are met by the letter in question. Also spurious is the use of the word "demand." The letter makes no demands. It expresses (IMO poorly founded) concerns. What we have, instead, is a letter that basically says, "Hey, this bothers us. Would you stop it?"
This may be inappropriate. (It is.) It might be silly. (It is.) It is not, however, a David-and-Goliath story of epic proportion. It is regrettable both that ./ has descended to this kind of pandering in order to attract readership and that, judging by most comments in here, they have consequently succeeded in attracting an audience that doesn't take the minimal time necessary to examine the source material provided and come to a conclusion on the actual merits.
I believe it is customary to shout, "THINK SHEEPLE!," at this time.
Fuck these guys. Fix your shit.
Lloyds is pants.
I used to do the certification of devices for Interac in Canada. It was the most frustrating experiences of my working career.
Most banks just want some one else to carry the burden when something goes wrong. Worse than telling the world what the problems are this paper tells the banks what is wrong. Before this was published the banks could have claimed:
1) they didn't know about it
2) Any money missing from some ones account had to be taken with the account holders permission because the new chip cards are completely secure.
To the banks it doesn't matter if a device or procedure is secure it's what the perception is. The UK banks are the worst I've ever dealt with, they weren't clueless they were intentionally evil. In Canada if money goes missing from your account it's up to the bank to prove that the account holder aided in taking the money. In the UK the burden is reversed and the account holder has to prove that they didn't aid in allowing the withdrawal. This leads to the banks in the UK in having some terrible security policies and auditing policies that are intentionally useless.
It would actually be very useful for the developers of debit cards, ATM and point of sale devices to have a book of well know attacks against these devices. As you can imagine there are some very easy, low tech attacks that many of the devices on the market can be beaten by and the ones that are well made are more expensive and their additional security never appreciated.
...as it is absolutely epic. I adore the parting shot:
Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has been finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009.
OWNED!
They implement Chip and PIN with the chip being a mini flash drive with all your shit on it ready to steal and a PIN authenticator that basically says "this PIN is correct, scout's honour, you can use the banking details!"
I was expecting it to be implemented a'la GSM with the PIN waking up the crypto-processor, submitting the transaction to the crypto-processor, signing the transaction with the card's details and the PIN pad merely passing along the signed transaction and submitting it to the issuing bank.
Chip and PIN is the most retarded use of two factor authentication I have ever seen.
Did he sign an NDA? If not, then why are they complaining?
I notice with interest that the Ph.D paper has the acknowledgement "I thank my supervisor, Markus Kuhn, for extensive guidance and valuable advice on rigorous design and research"
Not THE Markus Kuhn for whom many of us have to thank for Season 7, the Sky smartcard emulator and a kickstart into the world of hardware hacking? (in the nicest sense of the word).
We are not worthy. Omar, you walk in the footprints of a giant.
Um, did you read the same letters I did? The Cards Association's letter was exactly a take-down notice ("Our key concern is that this type of research was ever considered suitable for publication by the University ... we would ask that this research be removed from public access immediately") and the reason it doesn't mention the DMCA is because, you know, it's in the UK. And the only reason it's not David-and-Goliath is because Cambridge is Cambridge, a huge and ancient university with one of the best academic reputations in the world, which is ready, willing, and able to fight for academic freedom, as the response letter shows. Your criticism of Slashdot for daring to present the story accurately is bizarre; I honestly have to wonder if you're being paid, or if you're just so blindly faithful to the Golden Rule ("he who has the gold makes the rules") that you can't properly interpret what's right in front of your face.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
It is regrettable both that ./ has descended to this kind of pandering in order to attract readership and that, judging by most comments in here, they have consequently succeeded in attracting an audience that doesn't take the minimal time necessary to examine the source material provided and come to a conclusion on the actual merits.
/. has descended to not RTFA'ing? For Zombie Jesus' sake, it's a sport here with its own acronym. Ever since, well, day 1. Even a 7-digit UID should know that.
Those who can, do. Those who can't, sue.
When a large, powerful corporate organization sends a "request" like that, it's a demand. If someone puts a gun to your head and says, "I'd like to request your wallet now," do you think you're not being mugged?
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
mmmm... Sheeple
IANAL, but I am a speaker of the English language.
You don't say.
Please do tell us what the name of this fancy "UK DMCA" law is called. What's that, you're an authoritarian who wants the world to live by the USA's laws? I couldn't quite hear you, that's all I could make out.
Oh right, you're actually referring to the "other style notification." What form would this take, exactly, in order to be legally defensible? In the UK? Maybe "state secrets," eh?
When I was a kid, we only had one Darth.
Speaking English is not particularly relevant. Understanding the language is something entirely different. To anyone raised in the British Isles this is very clearly a 'Gentleman's' way of phrasing a demand. What surprises me is not the arrogance of the Banks in making this demand, but the fact they actually think they can intimidate one of the worlds oldest universities. The reply they got was not only right to the point, but devastating in its clarity and accuracy. P.S. Been a /. watcher for years, but only now thought I'd participate :)
Is there no difference between the interrogative ("..we would ask...") and the imperative (for example, "...we demand that you remove...")?
If we're going to call this a "take-down notice," what will we call it when Cards actually notifies Cambridge that they are demanding that Cambridge remove some other content and that Cards believes they have the legal force of law to require it? Will that be a "take-down sexual assault?"
Simply put, there can be letters that are not take-down notices. This is one of them.
But, to answer your question: I'm reasonably certain that we did read the same document. However, I'm also reasonably certain that my interpretation of it is informed by the meanings of the words on the page and a verifiable reconstruction of the authors' understanding of the scope of actions available to them. In contrast, you quoted back to me the supplication, "...we would ask that this research be removed...," and called the document that contained that phrase a "notice," with apparent sincerity. I allege that this characterization is not supported by the text of the letter.
Furthermore, in your brief missive, you managed to impugn my motives in a very silly way, accusing me either of being on the bankers' dole or of being so prostrate before moneyed interests on principle (Heh. "Moneyed interest on princip[le|al]." Get it?) that I'm unable to properly read the letter. Is this a serious way to think or argue? Specifically, is this a way to think or argue that is even capable either of engaging the facts of the matter or of fostering any kind of intellectual progress?
Also, if I don't get modded up for "moneyed interests on principle," then you people have hearts of stone.
...it really doesn't turn out like that.
If for instance a transaction gets processed with your Chip and Pin and it comes from some place that you really could not have been at that time then it doesn't matter what the banks say...
Also there are some transactions that do not require a pin (many low cost transactions for example Pret a Manger (a sandwich chain) never used to require a pin for transactions less than 10 quid, ditto Tescos and most car park 'pay-at-gate' facilities.
Whether that is bad or not (and I believe that Tesco's stopped that after it was being abused by fraud - again I know of no person who was held neglible for their own card) - the simple fact is that Chip and Pin is waaay more convenient and 'as secure' (some may argue) as stupid wait to sign a piece of paper in a long queue.
There needs to be some kind of 'check and balance' and chip and pin as far as I can tell is a happy balance.
You can (for those that don't know) change the PIN very easily at any time at your local ATM of your own branch if you so wish.
So no, in practice it doesn't shift the liability anywhere. It makes transactions simpler and quicker.
Chip and PIN is the most retarded use of two factor authentication I have ever seen.
Certainly the UK version is. Read pages 16 and 17 of the thesis.
What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.
The way this is done right is that the bank and merchant send the transaction details to the device, where the user checks them and signs the transaction using their PIN and crypto within the device. The bank and merchant confirm that the transaction is signed properly and the bank confirms the account information. The merchant system never sees the PIN or the customer's private key.
Of course, the problem with doing it right is that to do a true mutually mistrustful system, the customer has to have a device with a keyboard and display, plus some CPU power. If the merchant owns the PIN pad, that's a vulnerability. That's usually a phone, not a dedicated device, which opens up a new range of vulnerabilities.
I just hate those pushy bankers. Why can't they just keep their place in line behind lawyers for who is going to get it when the revolution comes? Are they afraid we are going to run out of bullets or something?
Okay, so the line is lawyers, bankers, politicians, republicans. NO pushing ahead. We probably run out of bullets before we got to republicans but we can just have them watch Fox showing a video of a gun firing and they will drop dead from fright.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Who cares? EMV is FAR more secure than the other methods of CC payments, most notably buying online with nothing more than the information displayed on the card in full view of the customers (or hidden cameras) next to you. For this exploit to work in the real world, the criminals must already have the card. If they already have the card they can easily withdraw money in other methods.
So EMV is flawed? It is by no means the weakest link. If EMV was 100% secure, CCs would still be just as insecure as they are now.
I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
I designed the CAP/EMV check system employed by one of the UK banks eBanking system. These are the little battery operated units that offer 3 types of 'authentication' that can be typed into an ebanking website after inserting a debit card and performing a PIN entry etc. Some debit cards simply have another couple of programs on the chip on the card that can do simple challenge/response type algorithms to encode input data along with the cards cert to produce a 6 to 8 digit number that the user then types into an ebanking website etc.
I was wondering how long it would take for the retail chip and pin system to be broken. the core difference between retail units and the ebanking system is that the user returns an encrypted block (inside 6 to 8 digits) containing the card counter (which you can determine by pressing the menu button on any hand held CAP disconnected 2FA reader). If the card counter is out by a **censored** number then the transaction is stopped and a fraud warning is placed on the card.
Clearly, people can increase their card counter by buggering around putting the card in an out of card readers without doing a transaction and so the odd person gets their card locked down and they just have to ring in for a new one. n (I actually did this by mistake with my own debit card).
the disconnected CAP 2FA systems were a good few years later than "Chip and PIN" and so had the benefit of a bit better understanding. It should be noted that a large UK bank does not do this with their eBanking system and was nearly picked up on an earlier light-blue touchpaper paper but they didn't quite get that far so i think there are some problems looming for some of the handheld 2 factor authentication units as well. we'll wait and see.
How long does it take to fix a vulnerability that exists in a credit card system which covers many millions of cards and countless chip and pin units? I'm just asking because I don't know and you obviously do.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
This looks more like the opening volley in a lawsuit than a polite request. It details that the student built a device (or designed it), that the police know he falsified a transaction in a shop, and claims that publication is a hazard to people's money. That the language is polite is irrelevant: it's notification of a cause for action that can be referred to later and it demands ('requests') that the paper be removed from public access.
As for being prostrate before moneyed interests, i don't understand it either, but I'm in the US and I see a whole lot of people doing just that - arguing against progressive taxation, demanding tax breaks in a recession, and so on; personally, I blame our right wing talk show idiots for whipping the mob into a frenzy, and the GP may have confused you with one of them.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
... an audience that doesn't take the minimal time necessary to examine the source material provided ...
In other words, people don't RTFA.
In other news: water is wet, the sun it bright, the moon is round and sarcasm is the lowest form of wit.
What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.
The really impressive bit is that the cards do have enough CPU power to do encryption. (I think they may even be able to do hardware accelerated public-key encryption.) It's just that whoever designed the system completely and utterly failed make use of this correctly.
The fix is simple. There is none. The hole only exists if you don't trust the POS machines. And if you don't trust them, then you'd have to assume that every one logs the keys pressed for the PIN and records the magnetic strip, at which point the whole thing fails.
It isn't a security vulnerability if you trust the terminals. They trust the terminals. Thus, asserting there's some hole is false in their minds. Someone is spreading false information that harms their business, so they want that information suppressed. It's not a conspiracy to continue insecure policies, but to prevent people from running around yelling "they are insecure" when, by their definitions, they are not.
Learn to love Alaska
What surprises me is not the arrogance of the Banks in making this demand, but the fact they actually think they can intimidate one of the worlds oldest universities.
This is nearly precisely my point. It's not a "notice" unless someone is being notified of a legal infraction. This is just pure arrogant bumbling. They may be evil, but it's more important that they're hilariously inept.
Yes, there is a difference. It's called the Atlantic Ocean. The former is how we do it here - politely. An English demand starts "Would you mind awfully if..." But the sense is identical.
They did not send a "take-down notice", at least in the way the term is usually used. It normally is used to mean a notice under the DMCA to a service provider that something must be taken down, or more loosely a notice warning that something is in violation of law.
What was actually sent was simply a request, with no claim of legal authority behind it, asking that the material be removed.
That's not how a GSM SIM works (I am working on a couple of SIM products). Firstly, most of them don't have crypto coprocessors. Secondly, the PIN (or PIN2) doesn't wake anything up. Entering the PIN is required to get access to some of the files on the SIM, so it's more like entering a password the first time you use sudo. However there have been proposals for SIM toolkit financial applications which would work roughly as you describe.
Having done multiple deals and such in the UK, and having had to deal with legal threats, this is in FACT a take-down notice.
Yes appeal by authority is flawed but when you're the research director for a UK, AUS, and USA company, and you deal with this EVERY SINGLE DAY, you tend to know what is what.
This is also basically "Remove it or we'll sue." It is a threat.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Cambridge is Cambridge, a huge and ancient university with one of the best academic reputations in the world, which is ready, willing, and able to fight for academic freedom
That gives me this mental image of Stephen Hawking wearing one of those old WW1 British "pie-pan" helmets while chasing scantily-clad female soldiers in his trademark powered wheelchair which has had all manner of huge guns, rockets, etc bolted to it such that it suddenly over-balances and falls over on its' side in typical "Monty Python"/"Benny Hill" style ("Yakkety Sax" theme music optional).
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
In the law, you can't have a tie. Otherwise, you'd have babies split down the middle all over the place, and that would be awful.
There needs to be a rule to break the tie. In baseball, I was taught, the runner gets the tie. That means that the presumption is that the runner is not out at first base. In other words, if the umpire can't make up her mind, then the runner wins.
These presumptions are necessary--and quite useful. Such presumptions are REBUTTABLE presumptions. In other words the default is "X", but if the evidence meets a certain standard (preponderance of the evidence, beyond a reasonable doubt, clear and convincing, etc.) then, and only then, "not X" is proven.
An irrebuttable presumption is a MONSTER. It is a fact that is presumed to exist and no amount of proof can disprove that fact. Irrebuttable presumptions are often used when it comes to proof of knowledge. In other words if I've got a contract and it's signed by you (and there is no proof of fraud, undue influence, etc.) then it is irrebuttably proven that you knew what the heck you signed--and no amount of proof that you could introduce would ever change that fact in court.
Such irrebuttable presumptions are exceedingly useful because they avoid bogging courts down in useless arguments. They are also useful because people are aware of these presumptions.
This case appears to be an example of a really harsh irrebuttable presumption. Over there in GB, the law appears to irrebuttably presume that the Banks' computer programmers know what the fuck they are doing.
That's like irrebuttably presuming that an interest rate of 100 percent monthly is reasonable! Don't laugh: Read your laws.
Forget abortion, the right to arm bears, family values, political correctness, and all that distracting nonsense! THIS IS THE STUFF TO PAY ATTENTION TO. All that other stuff comes after the money!
Depends if you're talking about the dumb ones that you just provision with something like Gemalto's Card Admin or the ones that you can actually program applications for and write to the card. In any case, EMV smartcards aren't mere "flash drives"
Is there no difference between the interrogative ("..we would ask...") and the imperative (for example, "...we demand that you remove...")?
When the person asking has infinite money and infinite lawyers... no.
...through the roof. If only I'd thought of getting my thesis /.ed - I could have had tenure by now!
Been a /. watcher for years, but only now thought I'd participate :)
Welcome! : ) And happy holidays.
P.S. Been a /. watcher for years, but only now thought I'd participate :)
Welcome! And enjoy your first +5 mod! :)
Well, I admit my assumptions are:
1. Barclays is a big bank (or banking syndicate, or whatever).
2. There aren't massive differences between big banks as far as the extent of chip and pin services or the ability to roll out updates to them are concerned.
->
What the hell are they (except Barclays) doing? They've got enough money to pay themselves big fat bonuses in a depression - how come they haven't got enough to repair a widely-used system in order to protect their customers from fraud? It's almost as if they don't give a fuck!
The important thing is, a shitload of people are risking a shitload of money over this without so much as an email from the bank telling them it's even happening.
To prevent this day from getting worse, I'll just read ERROR as GOOD TH
It's not false information. The system has become more open to fraud, and very few people who own these cards has been told about it.
Isn't it totally disingenuous to act like nothing's changed, when in fact owning these cards has become more risky? Isn't it even more of a dick move to ask that all information regarding it be censored?
To prevent this day from getting worse, I'll just read ERROR as GOOD TH
Pin or not in Africa they just blow up the ATM and rip it out with a pickup truck or else hold a gun to your head until you draw all your money for them.
Just accept that you don't know what you're talking about. In British English, this was as strong a "take down notice" as you're likely to see - a senior figure in one organisation writing to (what they clearly thought is) a senior figure in another organisation.
Dr Steven Murdoch (Cambridge) presents: "Chip and PIN is Broken" Vulnerabilities in the EMV Protocol
https://events.ccc.de/congress/2010/Fahrplan/events/4211.en.html
Have fun take-downing them :-)
Atari rules... ermm... ruled.
Bank throws down gauntlet....
Cambridge Prof. picks up gauntlet and smacks bank across the chops with it.
Move along nothing to see here....
ROFLMFAO!
Yes, and he'll find out as well, when the bullet decides it doesn't like titanium alloy plating on skulls.
I know tobacco is bad for you, so I smoke weed with crack.