UK Banks Attempt To Censor Academic Publication

An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."

Good.

[Nemyst]

Security through obscurity is foolish. If this forces the banks to reinforce what they already know is weak, then I commend both the guy and the university.

Re:Good.

[hedwards]

Except it won't. The only reason why they use chip and pin over there is that regulators actually regulate. In the US we haven't been using chip and pin because the bankers figured out that it's cheaper to just pay off any claims due to fraud than to pay the $50 or so it costs per card to use chip and pin.

It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Around here the best you can hope for is a minor slap on the wrist.

Re:Good.

[interkin3tic]

Ideally this streisand effect multiplier will force them to change, and that will be good, but how is it in this day and age that large institutions are still trying to suppress news stories? It implies that not only did they totally miss one of the big lessons of wikileaks, they didn't see "Serenity" either ("you can't stop the signal") and that's just sad.

What was going on in the board room or exec room when that decision was made? "Well, gee, this is bad. Our strategy guy and media guy are both out on holidays, but I think our action is pretty clear: murder the guy. Oh, we don't have an assassin on retainer? Well, lets get on that and in the meantime we'll just try to keep it from press. That will probably work, no harm there."

Re:Good.

The only reason why they use chip and pin over there is that regulators actually regulate.

It also removes their liability for losses. If there is a problem it'll be because someone got your pin so its your fault.

Re:Good.

[jimicus]

It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Around here the best you can hope for is a minor slap on the wrist.

HAHAHAHAHAHAHAHAHAHAHAHHAHAHAHA!!!! You are having a fucking laugh!

Seriously, have you ever thought of going into stand up? My own mortgage company was raked over the coals for losing a laptop with customer data on it. IIRC the fine wasn't huge by mortgage company standards - around £500,000. It got in the news all right - it was still one of the biggest fines that had been levied at the time. They're not a bank, they're a building society. I don't know if these things exist in the US, but essentially it's a money-lending institution owned by its customers.

They wrote me (along with, I imagine, all their other customers) a letter.

It was a couple of years ago and I can't remember the exact wording, but broadly speaking they said:

"As you may be aware, we have been fined for losing all this customer data. We don't think it's fair to take it out of the chairman's bonus, so instead we're passing it on to you lot. Thank you for being a customer".

Re:Good.

[Nursie]

That's just not true.

It moves the liability for fraudulent non-PIN transactions to the merchant. They still have to (by law) refund anything you claim as fraud and then investigate.

Re:Good.

[Pax681]

pay the $50 or so it costs per card to use chip and pin.

$50 per card? what planet are you on?

they are glorified, oversized SIM cards...lol

most banks don't charge for a replacement card here in the UK however those that do only charge a mere £5 which is pretty FAR from $50

Re:Good.

[Sir_Lewk]

And what about the liability for PIN transactions?

Not trolling here, I actually don't know.

Re:Good.

[betterunixthanunix]

It's a case of the market finding the lowest cost solution that still protects the banks from CC fraud.

ftfy

Re:Good.

[Sir_Lewk]

After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).

Since this exploit seems to allow you to preform fraudulent PIN transactions without actually knowing the PIN, it really does kind of seem like in the case of fraud with this system and this exploit, the system is designed to place liability on the consumer. And if liability is being placed on the consumer, you might as well just use a debit card...

Re:Good.

[NoSig]

It may be that it works perfectly well 99% of the time, yet there is a 1% chance that it will backfire on them like in this case. You only hear about the 1% cases, so you think it never works.

Re:Good.

[moortak]

The equivalent loss in the US would have only led to the bad press, if that. What laws we do have, regarding electronic privacy, rarely ever result in prosecutions or fines of any size.

Re:Good.

[moortak]

That may be, but it should have been clear to them that trying to get a thesis pulled from an institution like Cambridge is almost certainly in that 1%.

Re:Good.

[green1]

This is the problem. The banks claim that if a PIN transaction goes through, then it can not be fraudulent as you must have given out your PIN. the problem being what this student is exposing, that PIN transactions don't require the CORRECT PIN as the PIN is verified against the card itself, and not against the bank. meaning a fraudulent card, or fraudulent terminal, can report a correct PIN even when an incorrect PIN was entered.

Basically if someone does this to you, you as the end user are screwed. The bank will refuse liability as "you must have given out your PIN", and if you push the issue, the bank is likely to charge you with fraud yourself (it has happened several times!)

This is the real reason for chip and PIN, it shifts the liability from the bank to the consumer, without shifting the security.

Re:Good.

[Stevecrox]

We have credit unions as well, you have building societies, credit unions and banks. Each has their own limitations and roles.

Re:Good.

[TubeSteak]

After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).

When they wrote the law, the system was presumed to be bulletproof, thus allowing the banks to pass on all liability to the customer.

The law needs to be re-written.

Re:Good.

The PIN is not verified against the card. The vulnerability is a protocol flaw which allows the card to use a different authentication than the terminal. The terminal thinks that the card uses PIN authentication and the card thinks that the transaction is authenticated with a pen and paper signature. If the card actually performed the PIN authentication protocol, it would not verify the PIN itself but use the terminal to communicate with a server which verifies the PIN.

Re:Good.

[Sir_Lewk]

Even with the assumption that the scheme is secure (a bad assumption) automatically making the consumer liable for PIN transactions on a credit-card is a pretty lame idea. We already know from ATM skimmers that PINs are quite easy for fraudsters to acquire. I don't see why credit-cards would ever be desirable over debit-cards with this scheme and law.

Re:Good.

[drmerope]

You as a consumer should never use a pin-based card--doing so completely vitiates your protections under the law.

Consequently, PINs are almost never used in the US for credit card transactions. You have to go to Europe to encounter this oddity. What's crazy is that no one seems to realize that the best remedy is to just abandon the farce.

Farce? Yes, the incident of fraud does not go down with pin systems. This is one in a long stream of vulnerabilities; there have always been attacks against these fixed-pin systems that make them pointless: pin observation either visually or through man-in-middle compromise of the hardware. Basically there is always a moment when the pin is in the clear. This interacts badly with legal regimes that regard 'pin as proof' of identify, and ultimately consumers can and should reject to participate in these systems. period.

What does need to be more common--for online banking and e-commerce--are key fobs with rotating time-based pin displays. That would be a marked step forward.

Re:Good.

[TheSunborn]

I don't think its fair to call the pin code pointless. Without the pin code, you could use my card just by stealing it. Now you also have to know the pin code which mean that you can't just steal a card and use it.

But how do you prevent me from stealing a credit card, and just using it(In an atm?) if it don't require a pin code?

But the security situation in eu is getting much better now, because almost all new cards will use a small chip on the card to do the encryption making it much more difficult to read and copy cards.

Re:Good.

[compro01]

Consequently, PINs are almost never used in the US for credit card transactions.

yes, instead you have signatures, which are just as laughable.

Re:Good.

[kevinmenzel]

Maybe you just need better banks.

In Canada, debit is not run by the credit companies, it's directly run by the banks themselves, and most credit cards are offered by banks. Most of the banks are actually pretty good about fraud, with fraud departments that will pro-actively look for any sign that either your credit or debit card was misused. My bank (TD), has been quick to alert me that my card MIGHT have been copied, calling to confirm transactions even if my card hasn't actually been copied, and getting a new [debit] card is free and takes about 3 minutes during any of their (quite long) banking hours. Credit cards might take a day or two to arrive in the mail, max.

They are also generally faster than their 4-6 week guideline for refunding fraudulent charges, especially for low amounts (I had about 13.40 or something of fraudulent charges on my debit once, they rushed it through by the end of business day).

Largely, this is because my bank does NOT assume that their security is perfect, and their fraud department often treats you with quite a bit of respect, assuming that you are likely being honest. I'm not sure if this is a regulation thing, having very little experience with other Canadian banks, or a matter of customer service, but there you have it. PIN on debit, PIN on credit, and I have never failed to have any fraudulent transaction, no matter how big or small reversed within the month, and generally they proactively call me before I might notice myself.

It's not a bad situation to be in.

Re:Good.

[ToreTS]

From what I've read, UK banks will say "the correct PIN was used, so you must have been negligent and written it down somehow, the Chip and PIN system itself is unbreakable". Here in Norway we have had a PIN-based system since the 1980s, and in the beginning, Norwegian banks took the same stance (correct PIN used - customer automatically at fault), but time has shown that this is not true, as shown by skimming frauds where criminals read a customer's PIN using stealthily mounted cameras. Another approach is for the criminals to watch people typing in their PINs using binoculars and then pickpocket them. It's clear that stories coming out such as the exploit where a stolen card can be used without knowing the correct PIN must be really bad for the banks, since it breaks their "the system is perfectly secure, it must be your fault" line of argumentation.

Amusing to read

[Arancaytar]

The university's response completely owns the bank.

"1. Why don't you have the balls to complain to the guy who actually published it? 2. Why do you suddenly object to research based on something that was already published, like, years ago, and which we warned you about before? 3. Why are you defrauding your customers by pretending your shitty system is secure, and on what grounds do you demand our help with that? 4. Fuck you this is a anteater^W university."

Nice...

by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:

Re:Nice...

[arekq]

I think he may not really believe that.
It may be just a sarcasm about an earlier article "Crookes, RIAA, MPAA, ICE — 'Linking Is Publishing'":
      http://yro.slashdot.org/story/10/12/24/196216/Crookes-RIAA-MPAA-ICE-mdash-Linking-Is-Publishing

There are ways around their attacks

[Nursie]

Institute checks at the acquiring or issuing bank that make sure the card and the terminal agree that it was a PIN transaction, that would seem to be an obvious one. And comparatively easy.

Failing that, remove the signature verification auth method from cards, can be done via an update delivered during any transaction.
Or make all PIN transactions over the floor limit the 'online PIN verification' type.

EMV has problems by the looks of it, if you have a sophisticated MITM machine, but it wouldn't take much to fix the problem with this attack.

That said, the banks still shouldn't be suppressing the research.

Banks

[blind+biker]

They just got used to be douchebags and unpunished. Until the guillottine starts chopping some heads again, it won't get any better.

Yes, I'm bitter and a bit hopeless.

Better idea

[MikeRT]

Incorporate his research. Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

They're screwed right now. If they bankrupt him through litigation, you can bet that someone from the Russian mob is going to offer him a briefcase of unmarked bills to "fund his education."

Re:Better idea

[rhizome]

Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

Because they are corrupt. If they incorporate this research, their friends who own the chip and pin companies may not be capable of fulfilling the concomitant contracts that would derive from increased rigor. They consider security to be a cost center.

Re:Better idea

[orlanz]

What's sad is the assumption that the "bad guys" don't know about this already. This is one of those stupid "What I don't know, can't hurt me" craps. God forbid someone points out that the emperor has no clothes.

It's something I have observed in many businesses. Unknown risk can't be quantified, and thus doesn't get a dollar cost or reported in figures. It's unknown. Known risk gets reported, tracked, quantified, and requires expenditure of resources to mitigate. Unfortunately, failure to do so of the later has personal consequences, and failure of the former doesn't have any. We have evolved a whole "Cover Your Ass" culture around it, where the responsibility can't be avoided (that equals higher salary) but the consequences are just passed around. We end up with fall guys, or expensive litigation/arbitration, or C&D letters + lawsuit like this. Which ever is cheaper. Along with sub-sub-contractors, over paid CEOs, and useless managerial middle men/policies. The "business smart" guys know how to do CYA real well, and don't look into things that could cause trouble. The conclusion is that the less people know, the better. Curiosity is an exercise done in a dark closet, alone.

Small businesses (peasants) can't afford not to look, cause one instance can take them out. And once they are gone, the system just moves on w/o a glitch. Big business (emperors) on the other hand has the financial muscle to ignore what they want to. Any windfall costs associated with any ignorance is taken up by anyone but them cause they are "Too big to fail". The smaller day to day costs are spread to customers and stockholders. It's a sad state of affairs; makes one wonder how anything gets done. Or how much those that do get stuff done, carry the dead weight of those that don't.

Advice to Bankers

[bananaendian]

The BBC Newsnight program on the issue (from last February) explains the issue pretty well. Watch it.

The funny/disturbing thing is why did it take 10 months! for some official at the UK banking industry association to have a revelation/panic and issue such a stupid letter. The professor's response to them is pretty effing on!

I think he should've said quite blunty: " listen, our students figured this weakness in your system during their free time, using our shoe string budget". Do you really think high tech criminals and criminal organizations with millions or even more at their disposal won't reproduce this? All you need to do is read the bloody manual! "

If I was a banker/bank/building society I would seriously consider funding research into this instead of whining about it. I mean those students don't have what the criminals can easily get with just money. At least buy them the latest oscilloscope/logic analyser for god sake! - its a miniscule fraction of the profits the banks make - or even what they stand to loose from such weaknesses...

Re:That's not a demand. It's a request.

[DarkIye]

That's important to note. However, they're taking their fucking time fixing it (it's been a year since the first notification) - only Barclays' system has been fixed so far - so they aren't really justified in making such a request.

Well done Ross Anderson

[horza]

Ross Anderson does great work in this field, and has done for decades. The banks are happy to put out a flawed system, and hope that people don't notice they are getting ripped off by criminals. Those that actually do notice get reimbursed if they fight hard enough and manage to win their court case (the banks often falsely convince the judge their system is infallible), and then this simply gets shifted back onto the customers through increased bank charges.

If you look at his February post after they broadcast the problem on Newsnight (major UK political television programme), a large number of the commenters appear to be victims.

The message is clear: if you take your credit or debit card out with you, or use it online, there is a good chance money will easily be stolen from your account. If somebody swipes and clones your card, they do not need to know your PIN number to extract money from it. The safest way to pay is currently with cash.

Phillip.

Re:Well done Ross Anderson

[rapiddescent]

he does great work in this area but often gets quite a bit of it wrong. I used to work on the other side (i.e. for the banks) and have designed one of the largest CAP 2FA systems in the UK. (which hasn't been broken (yet)). I was never a fan of the retail "chip and PIN" (not the same as CAP, which is Chip Authentication programme) because it trained our customers to type their PIN into any old device which could quite easily be skimming details. (there are lots of cases of this from fake chip and PIN readers to hacked petrol pumps)

The piggy back method is quite clever - but also well known and has been done before with other ship technologies and the video on TFA was the first time I'd actually seen it working with EMV. It plays on some social hacking because UK customers are being trained to keep hold of their card and not hand over to the checkout person (although, some supermarkets do breach the merchant acquirer principles by "taking a swipe" -- which I personally hate)

the problem as I see it is that the card should have been sending back a message containing an encoded card counter and other information instead of a binary YES/NO "PIN OK" but the problem has always been that a large proportion of the transactions are under the floor limit or large shops batch up transactions to save on processing fees to the merchant acquirer.

Re:Well done Ross Anderson

[rapiddescent]

sure, this paper "Optimised to Fail: Card Readers for Online Banking"

Whilst section 2 "protocol description" is fairly good at the logical description of the process - after that they get it wrong; especially the section around the "bit filter" and the way the various card schemes make use of this feature. e.g. they pick up that bank CAP cards have a different bit filter but not "why" and why that makes a card scheme implementation better or worse. Obviously I can't quite remember the exact maths behind the bit masking. it's been a few years.

even after all the work we did, we didn't predict section 4.1, that's something I personally regret that I hadn't designed in better safeguards for the cardholder in a theft situation. I could have used different PINs (it supports multiple PIN) but that might have caused more problems than its worth.

Some parts of the protocol weakness section was off the mark and I think they were using a new CAP card during the tests because it is just wrong.

Now, none of this is their fault because, as far as I know, CAP (Chip Authentication programme) was never publicly released. I have a great deal of respect for LightBlueTouchpaper.

Re:Did the banks detect the no-pin transaction

[Merlin.T.Wizard]

Looking through the article, it looks like the terminal requests the transaction as chip and PIN, the MITM hardware changes the transaction flag to chip and signature, and the smart card responds with an OK. Unfortunately, it's the same OK as if the smart card had in fact received a transaction type of chip and PIN with the attached PIN being the correct one. The flaw is in having the smart card response being the same for both kinds of transactions. If instead, there was a signature method OK, and a different PIN # OK, then the terminal would catch the difference. This way, the terminal sends back to the bank: "I requested a chip and PIN transaction, and the smart card said that the PIN was good", when in fact all the smart card saw was the terminal say that the user requested a chip and signature transaction. The bank would have no way to realize that what the smart card saw wasn't what the terminal (and probably the bank) requested.

Please RTFA

...as it is absolutely epic. I adore the parting shot:

Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has been finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009.

OWNED!

Why the fuck does a PIN pad get the bank details?

[Talez]

They implement Chip and PIN with the chip being a mini flash drive with all your shit on it ready to steal and a PIN authenticator that basically says "this PIN is correct, scout's honour, you can use the banking details!"

I was expecting it to be implemented a'la GSM with the PIN waking up the crypto-processor, submitting the transaction to the crypto-processor, signing the transaction with the card's details and the PIN pad merely passing along the signed transaction and submitting it to the issuing bank.

Chip and PIN is the most retarded use of two factor authentication I have ever seen.

The hand of a famous smart card hacker behind this

[niks42]

I notice with interest that the Ph.D paper has the acknowledgement "I thank my supervisor, Markus Kuhn, for extensive guidance and valuable advice on rigorous design and research"

Not THE Markus Kuhn for whom many of us have to thank for Season 7, the Sky smartcard emulator and a kickstart into the world of hardware hacking? (in the nicest sense of the word).

We are not worthy. Omar, you walk in the footprints of a giant.

Re:I smell a lawsuit.

[Peil]

And what exactly would they sue him for?

Re:The article title is inaccurate and inflammator

[Daniel+Dvorkin]

Um, did you read the same letters I did? The Cards Association's letter was exactly a take-down notice ("Our key concern is that this type of research was ever considered suitable for publication by the University ... we would ask that this research be removed from public access immediately") and the reason it doesn't mention the DMCA is because, you know, it's in the UK. And the only reason it's not David-and-Goliath is because Cambridge is Cambridge, a huge and ancient university with one of the best academic reputations in the world, which is ready, willing, and able to fight for academic freedom, as the response letter shows. Your criticism of Slashdot for daring to present the story accurately is bizarre; I honestly have to wonder if you're being paid, or if you're just so blindly faithful to the Golden Rule ("he who has the gold makes the rules") that you can't properly interpret what's right in front of your face.

Re:I smell a lawsuit.

[nosferatu1001]

Except in the UK they will lose, and lose big. Frivolous lawsuits are looked down upon.

Taking on one of the largest universities in the world, with alumni who are incredibly powerful, is not a good idea.

Re:The article title is inaccurate and inflammator

[folderol]

Speaking English is not particularly relevant. Understanding the language is something entirely different. To anyone raised in the British Isles this is very clearly a 'Gentleman's' way of phrasing a demand. What surprises me is not the arrogance of the Banks in making this demand, but the fact they actually think they can intimidate one of the worlds oldest universities. The reply they got was not only right to the point, but devastating in its clarity and accuracy. P.S. Been a /. watcher for years, but only now thought I'd participate :)

Re:The article title is inaccurate and inflammator

[Melee_Fracas]

Is there no difference between the interrogative ("..we would ask...") and the imperative (for example, "...we demand that you remove...")?

If we're going to call this a "take-down notice," what will we call it when Cards actually notifies Cambridge that they are demanding that Cambridge remove some other content and that Cards believes they have the legal force of law to require it? Will that be a "take-down sexual assault?"

Simply put, there can be letters that are not take-down notices. This is one of them.

But, to answer your question: I'm reasonably certain that we did read the same document. However, I'm also reasonably certain that my interpretation of it is informed by the meanings of the words on the page and a verifiable reconstruction of the authors' understanding of the scope of actions available to them. In contrast, you quoted back to me the supplication, "...we would ask that this research be removed...," and called the document that contained that phrase a "notice," with apparent sincerity. I allege that this characterization is not supported by the text of the letter.

Furthermore, in your brief missive, you managed to impugn my motives in a very silly way, accusing me either of being on the bankers' dole or of being so prostrate before moneyed interests on principle (Heh. "Moneyed interest on princip[le|al]." Get it?) that I'm unable to properly read the letter. Is this a serious way to think or argue? Specifically, is this a way to think or argue that is even capable either of engaging the facts of the matter or of fostering any kind of intellectual progress?

Also, if I don't get modded up for "moneyed interests on principle," then you people have hearts of stone.

Re:Why the fuck does a PIN pad get the bank detail

[Animats]

Chip and PIN is the most retarded use of two factor authentication I have ever seen.

Certainly the UK version is. Read pages 16 and 17 of the thesis.

What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.

The way this is done right is that the bank and merchant send the transaction details to the device, where the user checks them and signs the transaction using their PIN and crypto within the device. The bank and merchant confirm that the transaction is signed properly and the bank confirms the account information. The merchant system never sees the PIN or the customer's private key.

Of course, the problem with doing it right is that to do a true mutually mistrustful system, the customer has to have a device with a keyboard and display, plus some CPU power. If the merchant owns the PIN pad, that's a vulnerability. That's usually a phone, not a dedicated device, which opens up a new range of vulnerabilities.

Geez, stop SHOVING you bankers

[SmallFurryCreature]

I just hate those pushy bankers. Why can't they just keep their place in line behind lawyers for who is going to get it when the revolution comes? Are they afraid we are going to run out of bullets or something?

Okay, so the line is lawyers, bankers, politicians, republicans. NO pushing ahead. We probably run out of bullets before we got to republicans but we can just have them watch Fox showing a video of a gun firing and they will drop dead from fright.

I designed ...

[rapiddescent]

I designed the CAP/EMV check system employed by one of the UK banks eBanking system. These are the little battery operated units that offer 3 types of 'authentication' that can be typed into an ebanking website after inserting a debit card and performing a PIN entry etc. Some debit cards simply have another couple of programs on the chip on the card that can do simple challenge/response type algorithms to encode input data along with the cards cert to produce a 6 to 8 digit number that the user then types into an ebanking website etc.

I was wondering how long it would take for the retail chip and pin system to be broken. the core difference between retail units and the ebanking system is that the user returns an encrypted block (inside 6 to 8 digits) containing the card counter (which you can determine by pressing the menu button on any hand held CAP disconnected 2FA reader). If the card counter is out by a **censored** number then the transaction is stopped and a fraud warning is placed on the card.

Clearly, people can increase their card counter by buggering around putting the card in an out of card readers without doing a transaction and so the odd person gets their card locked down and they just have to ring in for a new one. n (I actually did this by mistake with my own debit card).

the disconnected CAP 2FA systems were a good few years later than "Chip and PIN" and so had the benefit of a bit better understanding. It should be noted that a large UK bank does not do this with their eBanking system and was nearly picked up on an earlier light-blue touchpaper paper but they didn't quite get that far so i think there are some problems looming for some of the handheld 2 factor authentication units as well. we'll wait and see.

Re:The article title is inaccurate and inflammator

[Fulcrum+of+Evil]

This looks more like the opening volley in a lawsuit than a polite request. It details that the student built a device (or designed it), that the police know he falsified a transaction in a shop, and claims that publication is a hazard to people's money. That the language is polite is irrelevant: it's notification of a cause for action that can be referred to later and it demands ('requests') that the paper be removed from public access.

As for being prostrate before moneyed interests, i don't understand it either, but I'm in the US and I see a whole lot of people doing just that - arguing against progressive taxation, demanding tax breaks in a recession, and so on; personally, I blame our right wing talk show idiots for whipping the mob into a frenzy, and the GP may have confused you with one of them.

Not a "take-down notice".

[harlows_monkeys]

They did not send a "take-down notice", at least in the way the term is usually used. It normally is used to mean a notice under the DMCA to a service provider that something must be taken down, or more loosely a notice warning that something is in violation of law.

What was actually sent was simply a request, with no claim of legal authority behind it, asking that the material be removed.

Re:The article title is inaccurate and inflammator

[Alarindris]

Is there no difference between the interrogative ("..we would ask...") and the imperative (for example, "...we demand that you remove...")?

When the person asking has infinite money and infinite lawyers... no.

Re:That's not a demand. It's a request.

[DarkIye]

Well, I admit my assumptions are:

1. Barclays is a big bank (or banking syndicate, or whatever).
2. There aren't massive differences between big banks as far as the extent of chip and pin services or the ability to roll out updates to them are concerned.

->

What the hell are they (except Barclays) doing? They've got enough money to pay themselves big fat bonuses in a depression - how come they haven't got enough to repair a widely-used system in order to protect their customers from fraud? It's almost as if they don't give a fuck!

The important thing is, a shitload of people are risking a shitload of money over this without so much as an email from the bank telling them it's even happening.