Slashdot Mirror


UK Banks Attempt To Censor Academic Publication

An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his master's thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."


  1. Good. by Nemyst · · Score: 4, Insightful

    Security through obscurity is foolish. If this forces the banks to reinforce what they already know is weak, then I commend both the guy and the university.

    1. Re:Good. by interkin3tic · · Score: 4, Funny

      Ideally this Streisand effect multiplier will force them to change, and that will be good, but how is it in this day and age that large institutions are still trying to suppress news stories? It implies that not only did they totally miss one of the big lessons of WikiLeaks, they didn't see "Serenity" either ("you can't stop the signal") and that's just sad.

      What was going on in the board room or exec room when that decision was made? "Well, gee, this is bad. Our strategy guy and media guy are both out on holidays, but I think our action is pretty clear: murder the guy. Oh, we don't have an assassin on retainer? Well, let's get on that and in the meantime we'll just try to keep it from press. That will probably work, no harm there."

    2. Re:Good. by jimicus · · Score: 4, Insightful

      It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Around here the best you can hope for is a minor slap on the wrist.

      HAHAHAHAHAHAHAHAHAHAHAHHAHAHAHA!!!! You are having a fucking laugh!

      Seriously, have you ever thought of going into stand up? My own mortgage company was raked over the coals for losing a laptop with customer data on it. IIRC the fine wasn't huge by mortgage company standards - around £500,000. It got in the news all right - it was still one of the biggest fines that had been levied at the time. They're not a bank, they're a building society. I don't know if these things exist in the US, but essentially it's a money-lending institution owned by its customers.

      They wrote me (along with, I imagine, all their other customers) a letter.

      It was a couple of years ago and I can't remember the exact wording, but broadly speaking they said:

      "As you may be aware, we have been fined for losing all this customer data. We don't think it's fair to take it out of the chairman's bonus, so instead we're passing it on to you lot. Thank you for being a customer".

    3. Re:Good. by green1 · · Score: 5, Informative

      This is the problem. The banks claim that if a PIN transaction goes through, then it cannot be fraudulent as you must have given out your PIN. The problem being what this student is exposing, that PIN transactions don't require the CORRECT PIN as the PIN is verified against the card itself, and not against the bank. Meaning a fraudulent card, or fraudulent terminal, can report a correct PIN even when an incorrect PIN was entered.

      Basically if someone does this to you, you as the end user are screwed. The bank will refuse liability as "you must have given out your PIN", and if you push the issue, the bank is likely to charge you with fraud yourself (it has happened several times!)

      This is the real reason for chip and PIN, it shifts the liability from the bank to the consumer, without shifting the security.

    4. Re:Good. by Anonymous Coward · · Score: 5, Informative

      The PIN is not verified against the card. The vulnerability is a protocol flaw which allows the card to use a different authentication than the terminal. The terminal thinks that the card uses PIN authentication and the card thinks that the transaction is authenticated with a pen and paper signature. If the card actually performed the PIN authentication protocol, it would not verify the PIN itself but use the terminal to communicate with a server which verifies the PIN.

    5. Re:Good. by kevinmenzel · · Score: 4, Informative

      Maybe you just need better banks.

      In Canada, debit is not run by the credit companies, it's directly run by the banks themselves, and most credit cards are offered by banks. Most of the banks are actually pretty good about fraud, with fraud departments that will pro-actively look for any sign that either your credit or debit card was misused. My bank (TD), has been quick to alert me that my card MIGHT have been copied, calling to confirm transactions even if my card hasn't actually been copied, and getting a new [debit] card is free and takes about 3 minutes during any of their (quite long) banking hours. Credit cards might take a day or two to arrive in the mail, max.

      They are also generally faster than their 4-6 week guideline for refunding fraudulent charges, especially for low amounts (I had about 13.40 or something of fraudulent charges on my debit once, they rushed it through by the end of business day).

      Largely, this is because my bank does NOT assume that their security is perfect, and their fraud department often treats you with quite a bit of respect, assuming that you are likely being honest. I'm not sure if this is a regulation thing, having very little experience with other Canadian banks, or a matter of customer service, but there you have it. PIN on debit, PIN on credit, and I have never failed to have any fraudulent transaction, no matter how big or small reversed within the month, and generally they proactively call me before I might notice myself.

      It's not a bad situation to be in.

  2. Amusing to read by Arancaytar · · Score: 4, Interesting

    The university's response completely owns the bank.

    "1. Why don't you have the balls to complain to the guy who actually published it? 2. Why do you suddenly object to research based on something that was already published, like, years ago, and which we warned you about before? 3. Why are you defrauding your customers by pretending your shitty system is secure, and on what grounds do you demand our help with that? 4. Fuck you this is a anteater^W university."

  3. Nice... by Anonymous Coward · · Score: 5, Funny

    by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:

  4. Better idea by MikeRT · · Score: 4, Insightful

    Incorporate his research. Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

    They're screwed right now. If they bankrupt him through litigation, you can bet that someone from the Russian mob is going to offer him a briefcase of unmarked bills to "fund his education."

    1. Re:Better idea by rhizome · · Score: 4, Insightful

      Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

      Because they are corrupt. If they incorporate this research, their friends who own the chip and pin companies may not be capable of fulfilling the concomitant contracts that would derive from increased rigor. They consider security to be a cost center.

      --
      When I was a kid, we only had one Darth.

  5. Advice to Bankers by bananaendian · · Score: 5, Insightful

    The BBC Newsnight program on the issue (from last February) explains the issue pretty well. Watch it.

    The funny/disturbing thing is why did it take 10 months! for some official at the UK banking industry association to have a revelation/panic and issue such a stupid letter. The professor's response to them is pretty effing on!

    I think he should've said quite bluntly: "Listen, our students figured out this weakness in your system during their free time, using our shoestring budget. Do you really think high tech criminals and criminal organizations with millions or even more at their disposal won't reproduce this? All you need to do is read the bloody manual!"

    If I was a banker/bank/building society I would seriously consider funding research into this instead of whining about it. I mean those students don't have what the criminals can easily get with just money. At least buy them the latest oscilloscope/logic analyser for God's sake! - it's a minuscule fraction of the profits the banks make - or even what they stand to lose from such weaknesses...

    --
    www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications

  6. Well done Ross Anderson by horza · · Score: 4, Insightful

    Ross Anderson does great work in this field, and has done for decades. The banks are happy to put out a flawed system, and hope that people don't notice they are getting ripped off by criminals. Those that actually do notice get reimbursed if they fight hard enough and manage to win their court case (the banks often falsely convince the judge their system is infallible), and then this simply gets shifted back onto the customers through increased bank charges.

    If you look at his February post after they broadcast the problem on Newsnight (major UK political television programme), a large number of the commenters appear to be victims.

    The message is clear: if you take your credit or debit card out with you, or use it online, there is a good chance money will easily be stolen from your account. If somebody swipes and clones your card, they do not need to know your PIN number to extract money from it. The safest way to pay is currently with cash.

    Phillip.

    1. Re:Well done Ross Anderson by rapiddescent · · Score: 4, Insightful

      He does great work in this area but often gets quite a bit of it wrong. I used to work on the other side (i.e. for the banks) and have designed one of the largest CAP 2FA systems in the UK. (which hasn't been broken (yet)). I was never a fan of the retail "chip and PIN" (not the same as CAP, which is Chip Authentication programme) because it trained our customers to type their PIN into any old device which could quite easily be skimming details. (there are lots of cases of this from fake chip and PIN readers to hacked petrol pumps)

      The piggy back method is quite clever - but also well known and has been done before with other chip technologies and the video on TFA was the first time I'd actually seen it working with EMV. It plays on some social hacking because UK customers are being trained to keep hold of their card and not hand it over to the checkout person (although, some supermarkets do breach the merchant acquirer principles by "taking a swipe" -- which I personally hate)

      The problem as I see it is that the card should have been sending back a message containing an encoded card counter and other information instead of a binary YES/NO "PIN OK" but the problem has always been that a large proportion of the transactions are under the floor limit or large shops batch up transactions to save on processing fees to the merchant acquirer.

  7. Why the fuck does a PIN pad get the bank details? by Talez · · Score: 4, Insightful

    They implement Chip and PIN with the chip being a mini flash drive with all your shit on it ready to steal and a PIN authenticator that basically says "this PIN is correct, scout's honour, you can use the banking details!"

    I was expecting it to be implemented a'la GSM with the PIN waking up the crypto-processor, submitting the transaction to the crypto-processor, signing the transaction with the card's details and the PIN pad merely passing along the signed transaction and submitting it to the issuing bank.

    Chip and PIN is the most retarded use of two factor authentication I have ever seen.

  8. The hand of a famous smart card hacker behind this by niks42 · · Score: 4, Interesting

    I notice with interest that the Ph.D. paper has the acknowledgement "I thank my supervisor, Markus Kuhn, for extensive guidance and valuable advice on rigorous design and research"

    Not THE Markus Kuhn for whom many of us have to thank for Season 7, the Sky smartcard emulator and a kickstart into the world of hardware hacking? (in the nicest sense of the word).

    We are not worthy. Omar, you walk in the footprints of a giant.

  9. Re:The article title is inaccurate and inflammator by Daniel+Dvorkin · · Score: 4, Informative

    Um, did you read the same letters I did? The Cards Association's letter was exactly a take-down notice ("Our key concern is that this type of research was ever considered suitable for publication by the University ... we would ask that this research be removed from public access immediately") and the reason it doesn't mention the DMCA is because, you know, it's in the UK. And the only reason it's not David-and-Goliath is because Cambridge is Cambridge, a huge and ancient university with one of the best academic reputations in the world, which is ready, willing, and able to fight for academic freedom, as the response letter shows. Your criticism of Slashdot for daring to present the story accurately is bizarre; I honestly have to wonder if you're being paid, or if you're just so blindly faithful to the Golden Rule ("he who has the gold makes the rules") that you can't properly interpret what's right in front of your face.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.

  10. Re:The article title is inaccurate and inflammator by folderol · · Score: 5, Informative

    Speaking English is not particularly relevant. Understanding the language is something entirely different. To anyone raised in the British Isles this is very clearly a 'Gentleman's' way of phrasing a demand. What surprises me is not the arrogance of the Banks in making this demand, but the fact they actually think they can intimidate one of the world's oldest universities. The reply they got was not only right to the point, but devastating in its clarity and accuracy. P.S. Been a /. watcher for years, but only now thought I'd participate :)

  11. Re:Why the fuck does a PIN pad get the bank detail by Animats · · Score: 4, Interesting

    Chip and PIN is the most retarded use of two factor authentication I have ever seen.

    Certainly the UK version is. Read pages 16 and 17 of the thesis.

    What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.

    The way this is done right is that the bank and merchant send the transaction details to the device, where the user checks them and signs the transaction using their PIN and crypto within the device. The bank and merchant confirm that the transaction is signed properly and the bank confirms the account information. The merchant system never sees the PIN or the customer's private key.

    Of course, the problem with doing it right is that to do a true mutually mistrustful system, the customer has to have a device with a keyboard and display, plus some CPU power. If the merchant owns the PIN pad, that's a vulnerability. That's usually a phone, not a dedicated device, which opens up a new range of vulnerabilities.
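
The design point running through comments 4, 7 and 11 (a bare "PIN OK" from the card versus a transaction the card itself signs) can be shown in a small model. The following is an added example, not code from the thread and not from any bank or from the EMV specification; the key, the field names and the HMAC construction are assumptions of the example. It shows that when the card's view of how the cardholder was verified is not part of what the card authenticates, the issuer cannot tell that terminal and card disagree, and that binding that view into the card's cryptogram lets the issuer detect the disagreement and decline.

```python
"""Added example (not from the thread, not EMV's real cryptogram): toy model of an
issuer checking a card's transaction MAC with and without the cardholder
verification method bound into it. Key and field names are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-card key shared between card and issuer (real cards use derived keys).
CARD_KEY = b"constructed-card-key-not-a-real-key"


@dataclass
class Transaction:
    amount_cents: int
    atc: int            # card's application transaction counter
    terminal_cvm: str   # what the terminal believes happened: "PIN" or "SIGNATURE"
    card_cvm: str       # what the card actually performed


def card_cryptogram(tx: Transaction, bind_cvm: bool) -> str:
    """Card-side MAC over the transaction. With bind_cvm=False the card's own view of
    cardholder verification is never authenticated (a bare YES/NO is all the terminal
    sees); with bind_cvm=True it is part of the MAC input."""
    data = f"{tx.amount_cents}|{tx.atc}".encode()
    if bind_cvm:
        data += b"|" + tx.card_cvm.encode()
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()


def issuer_authorize(tx: Transaction, cryptogram: str, bind_cvm: bool) -> str:
    """Issuer recomputes the MAC from what the terminal reported. If the card bound a
    different verification method than the terminal claims, the MAC fails."""
    data = f"{tx.amount_cents}|{tx.atc}".encode()
    if bind_cvm:
        data += b"|" + tx.terminal_cvm.encode()
    expected = hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cryptogram):
        return "DECLINED: cryptogram does not match terminal's view of the transaction"
    return f"APPROVED as {tx.terminal_cvm} transaction"


def run(tx: Transaction, bind_cvm: bool) -> str:
    """Card produces the cryptogram, issuer checks it; returns the issuer's decision."""
    return issuer_authorize(tx, card_cryptogram(tx, bind_cvm), bind_cvm)


if __name__ == "__main__":
    # Constructed case: terminal believes a PIN was verified, card treated it as signature.
    mismatch = Transaction(amount_cents=12_000, atc=57, terminal_cvm="PIN", card_cvm="SIGNATURE")
    print("unbound :", run(mismatch, bind_cvm=False))  # approved, and logged as a PIN transaction
    print("bound   :", run(mismatch, bind_cvm=True))   # declined
    agree = Transaction(amount_cents=12_000, atc=58, terminal_cvm="PIN", card_cvm="PIN")
    print("honest  :", run(agree, bind_cvm=True))      # approved
```

The unbound case is the liability problem green1 describes: the issuer's records say "PIN verified" even though the card never did a PIN verification, because nothing the card authenticated says otherwise. In the bound case the disagreement is visible at the issuer without the merchant's PIN pad being trusted for anything.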

  12. I designed ... by rapiddescent · · Score: 4, Informative

    I designed the CAP/EMV check system employed by one of the UK banks' eBanking system. These are the little battery operated units that offer 3 types of 'authentication' that can be typed into an ebanking website after inserting a debit card and performing a PIN entry etc. Some debit cards simply have another couple of programs on the chip on the card that can do simple challenge/response type algorithms to encode input data along with the card's cert to produce a 6 to 8 digit number that the user then types into an ebanking website etc.

    I was wondering how long it would take for the retail chip and pin system to be broken. The core difference between retail units and the ebanking system is that the user returns an encrypted block (inside 6 to 8 digits) containing the card counter (which you can determine by pressing the menu button on any hand held CAP disconnected 2FA reader). If the card counter is out by a **censored** number then the transaction is stopped and a fraud warning is placed on the card.

    Clearly, people can increase their card counter by buggering around putting the card in and out of card readers without doing a transaction and so the odd person gets their card locked down and they just have to ring in for a new one. (I actually did this by mistake with my own debit card).

    The disconnected CAP 2FA systems were a good few years later than "Chip and PIN" and so had the benefit of a bit better understanding. It should be noted that a large UK bank does not do this with their eBanking system and was nearly picked up on an earlier Light Blue Touchpaper paper but they didn't quite get that far so I think there are some problems looming for some of the handheld 2 factor authentication units as well. We'll wait and see.
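
The counter-window check rapiddescent describes (a code that carries the card counter, an issuer that declines and flags the card when the counter is out of range, and a counter that can be pushed ahead just by inserting the card into readers) is easy to make concrete. The following is an added example, not code from the thread and not the real CAP algorithm: the key, the window size, the code layout (three counter digits plus five MAC digits) and the HOTP-style truncation are all assumptions of the example.

```python
"""Added example (not from the thread, not the real CAP algorithm): a toy disconnected
challenge/response token that folds the card counter into an 8-digit code, and the
issuer-side window check that declines and flags a card whose counter has run too far
ahead or gone backwards. Key, window and layout are assumptions."""
import hashlib
import hmac

CARD_KEY = b"constructed-card-key-not-a-real-key"  # constructed, shared card/issuer secret
WINDOW = 10          # assumption: how far ahead of the last seen counter is still accepted
COUNTER_DIGITS = 3   # low-order counter digits sent in clear inside the code
MAC_DIGITS = 5       # remaining digits carry a truncated MAC


def _truncate(mac: bytes, digits: int) -> int:
    # HOTP-style dynamic truncation (RFC 4226), used only as a convenient way to turn
    # a MAC into a short decimal value.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return value % (10 ** digits)


def card_response(counter: int, challenge: str, key: bytes = CARD_KEY) -> str:
    """What the handheld reader would display: counter digits followed by a MAC slice
    over (counter, challenge), so the MAC commits to the full counter as well."""
    mac = hmac.new(key, f"{counter}|{challenge}".encode(), hashlib.sha256).digest()
    low = counter % (10 ** COUNTER_DIGITS)
    return f"{low:0{COUNTER_DIGITS}d}{_truncate(mac, MAC_DIGITS):0{MAC_DIGITS}d}"


class IssuerRecord:
    """Issuer-side state for one card: the last counter accepted and a fraud flag."""

    def __init__(self, key: bytes = CARD_KEY, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter
        self.flagged = False

    def check(self, challenge: str, code: str) -> str:
        if self.flagged:
            return "DECLINED: card flagged, reissue required"
        if len(code) != COUNTER_DIGITS + MAC_DIGITS or not code.isdigit():
            return "DECLINED: malformed code"
        low = int(code[:COUNTER_DIGITS])
        # Resolve the full counter: the only candidate inside the window with these
        # low digits. A counter below last_counter (replay) or beyond the window
        # (card inserted into readers many times) yields no candidate.
        candidates = [c for c in range(self.last_counter + 1, self.last_counter + 1 + WINDOW)
                      if c % (10 ** COUNTER_DIGITS) == low]
        if not candidates:
            self.flagged = True
            return "DECLINED: counter outside accepted window, card flagged"
        counter = candidates[0]
        if not hmac.compare_digest(card_response(counter, challenge, self.key), code):
            return "DECLINED: response does not verify"   # mistyped code or wrong card; not flagged
        self.last_counter = counter                        # this counter can never be accepted again
        return "ACCEPTED"


if __name__ == "__main__":
    issuer = IssuerRecord()
    challenge = "73920411"                                  # constructed ebanking challenge
    print(issuer.check(challenge, card_response(5, challenge)))    # ACCEPTED
    print(issuer.check(challenge, card_response(6, challenge)))    # ACCEPTED
    # The card was put in and out of readers 25 times with no transaction: counter 31.
    print(issuer.check(challenge, card_response(31, challenge)))   # DECLINED ... flagged
    print(issuer.check(challenge, card_response(32, challenge)))   # DECLINED: card flagged
```

Two details are worth noting. The MAC covers the full counter, not just the three digits sent in clear, so a code cannot be accepted under a different counter than the one it was computed for. And a code that merely fails to verify is not flagged, so a mistyped digit does not cost the customer a new card; only a counter that the issuer cannot place in the window does.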