Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Banks Attempt To Censor Academic Publication

Posted by timothy on from the here-are-some-rugs-for-your-eyes dept.

An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."

3 of 162 comments (clear)

  1. Re:Good. by green1 · · Score: 5, Informative

    This is the problem. The banks claim that if a PIN transaction goes through, then it can not be fraudulent as you must have given out your PIN. the problem being what this student is exposing, that PIN transactions don't require the CORRECT PIN as the PIN is verified against the card itself, and not against the bank. meaning a fraudulent card, or fraudulent terminal, can report a correct PIN even when an incorrect PIN was entered.

    Basically if someone does this to you, you as the end user are screwed. The bank will refuse liability as "you must have given out your PIN", and if you push the issue, the bank is likely to charge you with fraud yourself (it has happened several times!)

    This is the real reason for chip and PIN, it shifts the liability from the bank to the consumer, without shifting the security.

  2. Re:The article title is inaccurate and inflammator by folderol · · Score: 5, Informative

    Speaking English is not particularly relevant. Understanding the language is something entirely different. To anyone raised in the British Isles this is very clearly a 'Gentleman's' way of phrasing a demand. What surprises me is not the arrogance of the Banks in making this demand, but the fact they actually think they can intimidate one of the worlds oldest universities. The reply they got was not only right to the point, but devastating in its clarity and accuracy. P.S. Been a /. watcher for years, but only now thought I'd participate :)

  3. Re:Good. by Anonymous Coward · · Score: 5, Informative

    The PIN is not verified against the card. The vulnerability is a protocol flaw which allows the card to use a different authentication than the terminal. The terminal thinks that the card uses PIN authentication and the card thinks that the transaction is authenticated with a pen and paper signature. If the card actually performed the PIN authentication protocol, it would not verify the PIN itself but use the terminal to communicate with a server which verifies the PIN.