UK Banks Attempt To Censor Academic Publication

An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."

Good.

[Nemyst]

Security through obscurity is foolish. If this forces the banks to reinforce what they already know is weak, then I commend both the guy and the university.

Re:Good.

[jimicus]

It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Around here the best you can hope for is a minor slap on the wrist.

HAHAHAHAHAHAHAHAHAHAHAHHAHAHAHA!!!! You are having a fucking laugh!

Seriously, have you ever thought of going into stand up? My own mortgage company was raked over the coals for losing a laptop with customer data on it. IIRC the fine wasn't huge by mortgage company standards - around £500,000. It got in the news all right - it was still one of the biggest fines that had been levied at the time. They're not a bank, they're a building society. I don't know if these things exist in the US, but essentially it's a money-lending institution owned by its customers.

They wrote me (along with, I imagine, all their other customers) a letter.

It was a couple of years ago and I can't remember the exact wording, but broadly speaking they said:

"As you may be aware, we have been fined for losing all this customer data. We don't think it's fair to take it out of the chairman's bonus, so instead we're passing it on to you lot. Thank you for being a customer".

Re:Good.

[Sir_Lewk]

After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).

Since this exploit seems to allow you to preform fraudulent PIN transactions without actually knowing the PIN, it really does kind of seem like in the case of fraud with this system and this exploit, the system is designed to place liability on the consumer. And if liability is being placed on the consumer, you might as well just use a debit card...

Re:Good.

[drmerope]

You as a consumer should never use a pin-based card--doing so completely vitiates your protections under the law.

Consequently, PINs are almost never used in the US for credit card transactions. You have to go to Europe to encounter this oddity. What's crazy is that no one seems to realize that the best remedy is to just abandon the farce.

Farce? Yes, the incident of fraud does not go down with pin systems. This is one in a long stream of vulnerabilities; there have always been attacks against these fixed-pin systems that make them pointless: pin observation either visually or through man-in-middle compromise of the hardware. Basically there is always a moment when the pin is in the clear. This interacts badly with legal regimes that regard 'pin as proof' of identify, and ultimately consumers can and should reject to participate in these systems. period.

What does need to be more common--for online banking and e-commerce--are key fobs with rotating time-based pin displays. That would be a marked step forward.

There are ways around their attacks

[Nursie]

Institute checks at the acquiring or issuing bank that make sure the card and the terminal agree that it was a PIN transaction, that would seem to be an obvious one. And comparatively easy.

Failing that, remove the signature verification auth method from cards, can be done via an update delivered during any transaction.
Or make all PIN transactions over the floor limit the 'online PIN verification' type.

EMV has problems by the looks of it, if you have a sophisticated MITM machine, but it wouldn't take much to fix the problem with this attack.

That said, the banks still shouldn't be suppressing the research.

Banks

[blind+biker]

They just got used to be douchebags and unpunished. Until the guillottine starts chopping some heads again, it won't get any better.

Yes, I'm bitter and a bit hopeless.

Better idea

[MikeRT]

Incorporate his research. Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

They're screwed right now. If they bankrupt him through litigation, you can bet that someone from the Russian mob is going to offer him a briefcase of unmarked bills to "fund his education."

Re:Better idea

[rhizome]

Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

Because they are corrupt. If they incorporate this research, their friends who own the chip and pin companies may not be capable of fulfilling the concomitant contracts that would derive from increased rigor. They consider security to be a cost center.

Advice to Bankers

[bananaendian]

The BBC Newsnight program on the issue (from last February) explains the issue pretty well. Watch it.

The funny/disturbing thing is why did it take 10 months! for some official at the UK banking industry association to have a revelation/panic and issue such a stupid letter. The professor's response to them is pretty effing on!

I think he should've said quite blunty: " listen, our students figured this weakness in your system during their free time, using our shoe string budget". Do you really think high tech criminals and criminal organizations with millions or even more at their disposal won't reproduce this? All you need to do is read the bloody manual! "

If I was a banker/bank/building society I would seriously consider funding research into this instead of whining about it. I mean those students don't have what the criminals can easily get with just money. At least buy them the latest oscilloscope/logic analyser for god sake! - its a miniscule fraction of the profits the banks make - or even what they stand to loose from such weaknesses...

Well done Ross Anderson

[horza]

Ross Anderson does great work in this field, and has done for decades. The banks are happy to put out a flawed system, and hope that people don't notice they are getting ripped off by criminals. Those that actually do notice get reimbursed if they fight hard enough and manage to win their court case (the banks often falsely convince the judge their system is infallible), and then this simply gets shifted back onto the customers through increased bank charges.

If you look at his February post after they broadcast the problem on Newsnight (major UK political television programme), a large number of the commenters appear to be victims.

The message is clear: if you take your credit or debit card out with you, or use it online, there is a good chance money will easily be stolen from your account. If somebody swipes and clones your card, they do not need to know your PIN number to extract money from it. The safest way to pay is currently with cash.

Phillip.

Re:Well done Ross Anderson

[rapiddescent]

he does great work in this area but often gets quite a bit of it wrong. I used to work on the other side (i.e. for the banks) and have designed one of the largest CAP 2FA systems in the UK. (which hasn't been broken (yet)). I was never a fan of the retail "chip and PIN" (not the same as CAP, which is Chip Authentication programme) because it trained our customers to type their PIN into any old device which could quite easily be skimming details. (there are lots of cases of this from fake chip and PIN readers to hacked petrol pumps)

The piggy back method is quite clever - but also well known and has been done before with other ship technologies and the video on TFA was the first time I'd actually seen it working with EMV. It plays on some social hacking because UK customers are being trained to keep hold of their card and not hand over to the checkout person (although, some supermarkets do breach the merchant acquirer principles by "taking a swipe" -- which I personally hate)

the problem as I see it is that the card should have been sending back a message containing an encoded card counter and other information instead of a binary YES/NO "PIN OK" but the problem has always been that a large proportion of the transactions are under the floor limit or large shops batch up transactions to save on processing fees to the merchant acquirer.

Why the fuck does a PIN pad get the bank details?

[Talez]

They implement Chip and PIN with the chip being a mini flash drive with all your shit on it ready to steal and a PIN authenticator that basically says "this PIN is correct, scout's honour, you can use the banking details!"

I was expecting it to be implemented a'la GSM with the PIN waking up the crypto-processor, submitting the transaction to the crypto-processor, signing the transaction with the card's details and the PIN pad merely passing along the signed transaction and submitting it to the issuing bank.

Chip and PIN is the most retarded use of two factor authentication I have ever seen.

Re:I smell a lawsuit.

[Peil]

And what exactly would they sue him for?