Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

UK Banks Attempt To Censor Academic Publication

timothy posted more than 3 years ago | from the here-are-some-rugs-for-your-eyes dept.

Censorship 162

An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."

cancel ×

162 comments

Good. (4, Insightful)

Nemyst (1383049) | more than 3 years ago | (#34665610)

Security through obscurity is foolish. If this forces the banks to reinforce what they already know is weak, then I commend both the guy and the university.

Re:Good. (2, Insightful)

hedwards (940851) | more than 3 years ago | (#34665654)

Except it won't. The only reason why they use chip and pin over there is that regulators actually regulate. In the US we haven't been using chip and pin because the bankers figured out that it's cheaper to just pay off any claims due to fraud than to pay the $50 or so it costs per card to use chip and pin.

It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Around here the best you can hope for is a minor slap on the wrist.

Re:Good. (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34665738)

The only reason why they use chip and pin over there is that regulators actually regulate.

It also removes their liability for losses. If there is a problem it'll be because someone got your pin so its your fault.

Re:Good. (2)

Nursie (632944) | more than 3 years ago | (#34665928)

That's just not true.

It moves the liability for fraudulent non-PIN transactions to the merchant. They still have to (by law) refund anything you claim as fraud and then investigate.

Re:Good. (2)

Sir_Lewk (967686) | more than 3 years ago | (#34666308)

And what about the liability for PIN transactions?

Not trolling here, I actually don't know.

Re:Good. (1)

nosferatu1001 (264446) | more than 3 years ago | (#34666348)

The banking code still stipulates they have to prove negligence on your part. They will,l of course, pretend otherwise - but it is irrelevant.

Re:Good. (3, Insightful)

Sir_Lewk (967686) | more than 3 years ago | (#34666382)

After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).

Since this exploit seems to allow you to preform fraudulent PIN transactions without actually knowing the PIN, it really does kind of seem like in the case of fraud with this system and this exploit, the system is designed to place liability on the consumer. And if liability is being placed on the consumer, you might as well just use a debit card...

Re:Good. (2)

TubeSteak (669689) | more than 3 years ago | (#34666850)

After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).

When they wrote the law, the system was presumed to be bulletproof, thus allowing the banks to pass on all liability to the customer.

The law needs to be re-written.

Re:Good. (5, Informative)

green1 (322787) | more than 3 years ago | (#34666568)

This is the problem. The banks claim that if a PIN transaction goes through, then it can not be fraudulent as you must have given out your PIN. the problem being what this student is exposing, that PIN transactions don't require the CORRECT PIN as the PIN is verified against the card itself, and not against the bank. meaning a fraudulent card, or fraudulent terminal, can report a correct PIN even when an incorrect PIN was entered.

Basically if someone does this to you, you as the end user are screwed. The bank will refuse liability as "you must have given out your PIN", and if you push the issue, the bank is likely to charge you with fraud yourself (it has happened several times!)

This is the real reason for chip and PIN, it shifts the liability from the bank to the consumer, without shifting the security.

except in practice... (0)

Anonymous Coward | more than 3 years ago | (#34666614)

...it really doesn't turn out like that.

If for instance a transaction gets processed with your Chip and Pin and it comes from some place that you really could not have been at that time then it doesn't matter what the banks say...

Also there are some transactions that do not require a pin (many low cost transactions for example Pret a Manger (a sandwich chain) never used to require a pin for transactions less than 10 quid, ditto Tescos and most car park 'pay-at-gate' facilities.

Whether that is bad or not (and I believe that Tesco's stopped that after it was being abused by fraud - again I know of no person who was held neglible for their own card) - the simple fact is that Chip and Pin is waaay more convenient and 'as secure' (some may argue) as stupid wait to sign a piece of paper in a long queue.

There needs to be some kind of 'check and balance' and chip and pin as far as I can tell is a happy balance.

You can (for those that don't know) change the PIN very easily at any time at your local ATM of your own branch if you so wish.

So no, in practice it doesn't shift the liability anywhere. It makes transactions simpler and quicker.

Re:Good. (5, Informative)

Anonymous Coward | more than 3 years ago | (#34666864)

The PIN is not verified against the card. The vulnerability is a protocol flaw which allows the card to use a different authentication than the terminal. The terminal thinks that the card uses PIN authentication and the card thinks that the transaction is authenticated with a pen and paper signature. If the card actually performed the PIN authentication protocol, it would not verify the PIN itself but use the terminal to communicate with a server which verifies the PIN.

Re:Good. (4, Insightful)

jimicus (737525) | more than 3 years ago | (#34665820)

It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Around here the best you can hope for is a minor slap on the wrist.

HAHAHAHAHAHAHAHAHAHAHAHHAHAHAHA!!!! You are having a fucking laugh!

Seriously, have you ever thought of going into stand up? My own mortgage company was raked over the coals for losing a laptop with customer data on it. IIRC the fine wasn't huge by mortgage company standards - around £500,000. It got in the news all right - it was still one of the biggest fines that had been levied at the time. They're not a bank, they're a building society. I don't know if these things exist in the US, but essentially it's a money-lending institution owned by its customers.

They wrote me (along with, I imagine, all their other customers) a letter.

It was a couple of years ago and I can't remember the exact wording, but broadly speaking they said:

"As you may be aware, we have been fined for losing all this customer data. We don't think it's fair to take it out of the chairman's bonus, so instead we're passing it on to you lot. Thank you for being a customer".

Re:Good. (0)

Anonymous Coward | more than 3 years ago | (#34665978)

They're not a bank, they're a building society. I don't know if these things exist in the US, but essentially it's a money-lending institution owned by its customers.

We do have those, we call them credit unions.

Re:Good. (2)

Stevecrox (962208) | more than 3 years ago | (#34666580)

We have credit unions as well, you have building societies, credit unions and banks. Each has their own limitations and roles.

Re:Good. (2)

moortak (1273582) | more than 3 years ago | (#34666486)

The equivalent loss in the US would have only led to the bad press, if that. What laws we do have, regarding electronic privacy, rarely ever result in prosecutions or fines of any size.

Re:Good. (0)

Anonymous Coward | more than 3 years ago | (#34666646)

Assuming you're talking about Nationwide Building Society, they were fined more than £1 million. No data was lost because of the Society's strict encryption protocols; the fine was issued because an investigation wasn't launched promptly (the employee who lost it went on holiday without telling anyone it had been customer data) and not communicating it properly (the letters were sent out wuite a while after the theft occured). The reason no data was lost was because of the FSA's very strict Data Protection regulations, so yeah, the regulations sort of worked there. Compare and contrast with the UK government's various lost data scandals (HMRC lost child benefit data, DVLA lost driver data, all cases actual data was exposed) to see what difference regulation makes.

Disclaimer, I am an employee.

Re:Good. (2)

Pax681 (1002592) | more than 3 years ago | (#34665988)

pay the $50 or so it costs per card to use chip and pin.

$50 per card? what planet are you on?

they are glorified, oversized SIM cards...lol

most banks don't charge for a replacement card here in the UK however those that do only charge a mere £5 which is pretty FAR from $50

Re:Good. (1)

icebike (68054) | more than 3 years ago | (#34665990)

You make it sound so sleazy.

The speed with which you can get a credit card canceled and a new one issued by US banks after a loss or theft probably DOES make it cheaper to simply pay off the losses rather than us an expensive (and flawed) chip & pin system.

Plus, there is no evidence c&p was a regulatory mandate. And if it turns out that it was a regulatory mandate it was still defective.

Nor is there any evidence c&p has lead to lower credit card fees.

This has nothing to do with regulations. It's a case of the market finding the lowest cost solution that still protects the consumer from CC fraud.

Re:Good. (0)

Anonymous Coward | more than 3 years ago | (#34666092)

It's a case of the market finding the lowest cost solution that at the time had provided the illusion that it protects the consumer from CC fraud.

FTFY

Re:Good. (2)

betterunixthanunix (980855) | more than 3 years ago | (#34666314)

It's a case of the market finding the lowest cost solution that still protects the banks from CC fraud.

ftfy

Re:Good. (1)

Foobar of Borg (690622) | more than 3 years ago | (#34666898)

Around here the best you can hope for is a minor slap on the wrist.

A slap on the wrist? A SLAP ON THE WRIST??? We can't go around slapping bankers on the wrist! Capitalism will die, the economy will collapse, and we'll all decline into socialism(*)! Then, the gulags and death camps will open! Stalin will rise from the grave with Hitler and have a coffee klatch! There is no Dana, only Zuul!

Re:Good. (4, Funny)

interkin3tic (1469267) | more than 3 years ago | (#34665670)

Ideally this streisand effect multiplier will force them to change, and that will be good, but how is it in this day and age that large institutions are still trying to suppress news stories? It implies that not only did they totally miss one of the big lessons of wikileaks, they didn't see "Serenity" either ("you can't stop the signal") and that's just sad.

What was going on in the board room or exec room when that decision was made? "Well, gee, this is bad. Our strategy guy and media guy are both out on holidays, but I think our action is pretty clear: murder the guy. Oh, we don't have an assassin on retainer? Well, lets get on that and in the meantime we'll just try to keep it from press. That will probably work, no harm there."

Re:Good. (0)

Anonymous Coward | more than 3 years ago | (#34665704)

In reality that tactic of "suppress it" probably works far more often than it fails. We would just never hear about the success. If the person rolls over when threatened (sometimes these threats include a lot of "lawyer talk" and sound like an imminent lawsuit), then it doesn't hit the news very often. Generally we only hear about the cases where someone stands up to the suppression.

Re:Good. (2)

NoSig (1919688) | more than 3 years ago | (#34666396)

It may be that it works perfectly well 99% of the time, yet there is a 1% chance that it will backfire on them like in this case. You only hear about the 1% cases, so you think it never works.

Re:Good. (2)

moortak (1273582) | more than 3 years ago | (#34666506)

That may be, but it should have been clear to them that trying to get a thesis pulled from an institution like Cambridge is almost certainly in that 1%.

Security by obscurity is a valid technique. (1)

Anonymous Coward | more than 3 years ago | (#34665790)

"Security by obscurity" is a perfectly valid technique. It just shouldn't be used alone.

and my friend taught me how to exploit ATM's (2)

chronoss2010 (1825454) | more than 3 years ago | (#34665908)

so what big deal you goto a bank and tell them look you pay me $$$$ ill tell you how and wella PROFIT

Re:Good. (0)

Anonymous Coward | more than 3 years ago | (#34666252)

Perhaps a student should write a paper on the FRACTIONAL RESERVE banking system, and how it's counterfeiting, pure and simple, and should be illegal...

Re:Good. (0)

Anonymous Coward | more than 3 years ago | (#34666632)

+1 Insightful

Fix the weakest link first (1)

igreaterthanu (1942456) | more than 3 years ago | (#34666638)

Who cares? EMV is FAR more secure than the other methods of CC payments, most notably buying online with nothing more than the information displayed on the card in full view of the customers (or hidden cameras) next to you. For this exploit to work in the real world, the criminals must already have the card. If they already have the card they can easily withdraw money in other methods.

So EMV is flawed? It is by no means the weakest link. If EMV was 100% secure, CCs would still be just as insecure as they are now.

security through obscurity... (0)

Anonymous Coward | more than 3 years ago | (#34665614)

...or through secure practices. An academic question.

fail (0)

Anonymous Coward | more than 3 years ago | (#34665632)

security through obscurity

That's not a demand. It's a request. (1)

John Hasler (414242) | more than 3 years ago | (#34665646)

Albeit a foolish one.

Re:That's not a demand. It's a request. (1)

a Flatbed Darkly (1964478) | more than 3 years ago | (#34665668)

In the UK, requests, when issued by such bodies, usually come close enough to demands. Look at the UK govt's countless "voluntary" regulationary systems.

Re:That's not a demand. It's a request. (2)

DarkIye (875062) | more than 3 years ago | (#34665948)

That's important to note. However, they're taking their fucking time fixing it (it's been a year since the first notification) - only Barclays' system has been fixed so far - so they aren't really justified in making such a request.

Re:That's not a demand. It's a request. (1)

h4rm0ny (722443) | more than 3 years ago | (#34666792)

How long does it take to fix a vulnerability that exists in a credit card system which covers many millions of cards and countless chip and pin units? I'm just asking because I don't know and you obviously do.

Re:That's not a demand. It's a request. (1)

AK Marc (707885) | more than 3 years ago | (#34667040)

The fix is simple. There is none. The hole only exists if you don't trust the POS machines. And if you don't trust them, then you'd have to assume that every one logs the keys pressed for the PIN and records the magnetic strip, at which point the whole thing fails.

It isn't a security vulnerability if you trust the terminals. They trust the terminals. Thus, asserting there's some hole is false in their minds. Someone is spreading false information that harms their business, so they want that information suppressed. It's not a conspiracy to continue insecure policies, but to prevent people from running around yelling "they are insecure" when, by their definitions, they are not.

Re:That's not a demand. It's a request. (1)

Daniel Dvorkin (106857) | more than 3 years ago | (#34666354)

When a large, powerful corporate organization sends a "request" like that, it's a demand. If someone puts a gun to your head and says, "I'd like to request your wallet now," do you think you're not being mugged?

Silly banks. (1)

Octopuscabbage (1932234) | more than 3 years ago | (#34665656)

"Nooez don't tell people stuff they can find easily on google! D:" - E-mail from the UK bank.

"Representatives of the UK banking industry"? (1)

a Flatbed Darkly (1964478) | more than 3 years ago | (#34665660)

Would that be governmental representatives, representatives of an independent representational body of some sort, or a single bank/group's representative front? I'm unaware of the "UK Cards Association".

Amusing to read (4, Interesting)

Arancaytar (966377) | more than 3 years ago | (#34665664)

The university's response completely owns the bank.

"1. Why don't you have the balls to complain to the guy who actually published it? 2. Why do you suddenly object to research based on something that was already published, like, years ago, and which we warned you about before? 3. Why are you defrauding your customers by pretending your shitty system is secure, and on what grounds do you demand our help with that? 4. Fuck you this is a anteater^W university."

Re:Amusing to read (1)

elashish14 (1302231) | more than 3 years ago | (#34666360)

It's nice. I wish academics more often had the balls to call these crooks out. Maybe it will serve as a memo to more people that there's a greater sense to be had. I mean, it's not gonna fix the world's problems, but at least it will stop peopel from worshipping the corporate machine (at least to the extent that they are so worshipped in the US).

Re:Amusing to read (1)

Fallingwater (1465567) | more than 3 years ago | (#34666404)

I read the pdf with the response. You forgot "we just made it even easier for people to find it, ha-ha".

Nice... (5, Funny)

Anonymous Coward | more than 3 years ago | (#34665676)

by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:

Re:Nice... (1)

jc42 (318812) | more than 3 years ago | (#34666668)

by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:

And I suppose you're also going to tell us that by listing a book's author, publisher and ISDN [wikipedia.org] , a library or bookseller's catalog is also "publishing" the book.

Both are equally nonsense. Publishing is done by the publisher (the university in this case), not by someone who merely tells you where to find the publication.

This would be simple silliness if it weren't for the fact that organizations (companies and governments) have been known to file charges against web sites that merely link to some infringing material. Google and other search sites have been hit with this, and it's the basis of the bogus charges against piratebay. So we should be objecting publicly to the attempts to blur the distinction between actually publishing something and merely telling people where the publishers or distributors can be found.

There are ways around their attacks (3, Insightful)

Nursie (632944) | more than 3 years ago | (#34665696)

Institute checks at the acquiring or issuing bank that make sure the card and the terminal agree that it was a PIN transaction, that would seem to be an obvious one. And comparatively easy.

Failing that, remove the signature verification auth method from cards, can be done via an update delivered during any transaction.
Or make all PIN transactions over the floor limit the 'online PIN verification' type.

EMV has problems by the looks of it, if you have a sophisticated MITM machine, but it wouldn't take much to fix the problem with this attack.

That said, the banks still shouldn't be suppressing the research.

Well done, Cambridge. (1)

crow_t_robot (528562) | more than 3 years ago | (#34665698)

It is refreshing to see them stand up against them and in the end this kind of disclosure does work:

There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

Of course the bankers would just rather be lazy and not have to fix their shit system.

Did the banks detect the no-pin transaction (1)

grahammm (9083) | more than 3 years ago | (#34665702)

In the French TV programme linked from the blog entry, we see a no-pin transaction being undertaken in a Cambridge store. The banks letter states that these transactions would not work in practice as they would be detected. This raises the question of whether they only learnt that this transaction was a 'no-pin' when it was aired on TV or whether they had detected it on their own beforehand.

Re:Did the banks detect the no-pin transaction (0)

Anonymous Coward | more than 3 years ago | (#34665896)

If you watch the Newsnight segment that shows the original attack they state that the bank never noticed the transactions they tried on a bunch of different cards. From my understanding of how the attack works, there is no way for them to detect it as everything looks normal, protocol wise. Any claims that a bank "detected" the transaction is probably bullshit.

Re:Did the banks detect the no-pin transaction (1)

Nursie (632944) | more than 3 years ago | (#34665944)

It's a few years since I worked with EMV, but IIRC the terminal and the card send a cryptogram to the bank on transactions over the floor limit. These should contain the methods that each think was used for authorisation. Sounds like the banks don't check for irt being consistent, at present.

Re:Did the banks detect the no-pin transaction (2)

Merlin.T.Wizard (1893384) | more than 3 years ago | (#34666032)

Looking through the article, it looks like the terminal requests the transaction as chip and PIN, the MITM hardware changes the transaction flag to chip and signature, and the smart card responds with an OK. Unfortunately, it's the same OK as if the smart card had in fact received a transaction type of chip and PIN with the attached PIN being the correct one. The flaw is in having the smart card response being the same for both kinds of transactions. If instead, there was a signature method OK, and a different PIN # OK, then the terminal would catch the difference. This way, the terminal sends back to the bank: "I requested a chip and PIN transaction, and the smart card said that the PIN was good", when in fact all the smart card saw was the terminal say that the user requested a chip and signature transaction. The bank would have no way to realize that what the smart card saw wasn't what the terminal (and probably the bank) requested.

Banks (3, Insightful)

blind biker (1066130) | more than 3 years ago | (#34665714)

They just got used to be douchebags and unpunished. Until the guillottine starts chopping some heads again, it won't get any better.

Yes, I'm bitter and a bit hopeless.

Do they have anything like the 1st over there? (1)

Joe The Dragon (967727) | more than 3 years ago | (#34665764)

Do they have anything like the 1st over there?

whistle blower laws?

Re:Do they have anything like the 1st over there? (1)

a Flatbed Darkly (1964478) | more than 3 years ago | (#34665816)

Not on that level of inviolability, no.

Ross Anderson is at Cambridge (0)

Anonymous Coward | more than 3 years ago | (#34665800)

Suspect it's the same group. He won't take any shit from the banks.

Re:Ross Anderson is at Cambridge (0)

Anonymous Coward | more than 3 years ago | (#34665878)

He is, it is, and no he doesn't. My congratulations to the whole team, it's always heartening to see good security research get the backing and protection it deserves.

Whilst it may be considered polite in some circles to disclose the existence and nature of the vulnerability to the vendor prior to publication to the general public so that the impact of the vulnerability can be mitigated, if the vendor instead chooses to sit on that information and knowingly neglects to take steps to fix it despite the pre-disclosure time window provided, and seeks to prevent that information coming to light, I might respectfully suggest that the interests of the public might perhaps better be served by a full public disclosure with no prior notification.

Such public notification does not constitute something constitute to the general guideline of 'responsible' disclosure; rather, the irresponsible action would be that of a vendor actively seeking to occlude information on real, verified security vulnerabilities from public view whilst not only failing to fix the vulnerabilities given months of lead time, but also maintaining a general claim that their systems are in fact secure - which could, politely, be described as misleading at best.

I look forward to the paper in 2011.

Re:Ross Anderson is at Cambridge (0)

Anonymous Coward | more than 3 years ago | (#34666068)

Steven J. Murdoch is going to be at the 27th Chaos Communication Congress which will be held in Berlin from 27th to 30th of December 2010. [events.ccc.de] The linked page has links to a BBC news video and the details of the attack. Streams and video archives of the talks at 27C3 will be available here. [events.ccc.de]

Good for you, Cambridge (0)

Anonymous Coward | more than 3 years ago | (#34665870)

:)

Better idea (4, Insightful)

MikeRT (947531) | more than 3 years ago | (#34665930)

Incorporate his research. Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

They're screwed right now. If they bankrupt him through litigation, you can bet that someone from the Russian mob is going to offer him a briefcase of unmarked bills to "fund his education."

Re:Better idea (4, Insightful)

rhizome (115711) | more than 3 years ago | (#34666466)

Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

Because they are corrupt. If they incorporate this research, their friends who own the chip and pin companies may not be capable of fulfilling the concomitant contracts that would derive from increased rigor. They consider security to be a cost center.

Re:Better idea (2)

orlanz (882574) | more than 3 years ago | (#34666472)

What's sad is the assumption that the "bad guys" don't know about this already. This is one of those stupid "What I don't know, can't hurt me" craps. God forbid someone points out that the emperor has no clothes.

It's something I have observed in many businesses. Unknown risk can't be quantified, and thus doesn't get a dollar cost or reported in figures. It's unknown. Known risk gets reported, tracked, quantified, and requires expenditure of resources to mitigate. Unfortunately, failure to do so of the later has personal consequences, and failure of the former doesn't have any. We have evolved a whole "Cover Your Ass" culture around it, where the responsibility can't be avoided (that equals higher salary) but the consequences are just passed around. We end up with fall guys, or expensive litigation/arbitration, or C&D letters + lawsuit like this. Which ever is cheaper. Along with sub-sub-contractors, over paid CEOs, and useless managerial middle men/policies. The "business smart" guys know how to do CYA real well, and don't look into things that could cause trouble. The conclusion is that the less people know, the better. Curiosity is an exercise done in a dark closet, alone.

Small businesses (peasants) can't afford not to look, cause one instance can take them out. And once they are gone, the system just moves on w/o a glitch. Big business (emperors) on the other hand has the financial muscle to ignore what they want to. Any windfall costs associated with any ignorance is taken up by anyone but them cause they are "Too big to fail". The smaller day to day costs are spread to customers and stockholders. It's a sad state of affairs; makes one wonder how anything gets done. Or how much those that do get stuff done, carry the dead weight of those that don't.

Re:Better idea (1)

orlanz (882574) | more than 3 years ago | (#34666480)

Curiosity is an exercise done in a dark closet, alone.

That sounded dirtier than I meant it to be.

Re:Better idea (1)

Renraku (518261) | more than 3 years ago | (#34666654)

In the wonderful world of corporations, you take a perfectly working (to them) system and leave it be. Doesn't matter if .0001% of transactions are fraudulent. It's cheaper for them to let it be until market forces (increasing fraud, legislation, etc) make them shell out the money to upgrade the system. Doesn't matter who gets screwed in the process as long as it isn't them. Publishing this research is basically taking the inevitable (widespread fraud) and moving that a bit closer.

The way the legal system is here in the US, I'd expect the university to be facing multi-million dollar lawsuits from different banks for 'breaking' their system.

Advice to Bankers (5, Insightful)

bananaendian (928499) | more than 3 years ago | (#34665940)

The BBC Newsnight program on the issue (from last February) explains the issue pretty well. Watch it [bbc.co.uk] .

The funny/disturbing thing is why did it take 10 months! for some official at the UK banking industry association to have a revelation/panic and issue such a stupid letter. The professor's response to them is pretty effing on! [cam.ac.uk]

I think he should've said quite blunty: " listen, our students figured this weakness in your system during their free time, using our shoe string budget". Do you really think high tech criminals and criminal organizations with millions or even more at their disposal won't reproduce this? All you need to do is read the bloody manual! "

If I was a banker/bank/building society I would seriously consider funding research into this instead of whining about it. I mean those students don't have what the criminals can easily get with just money. At least buy them the latest oscilloscope/logic analyser for god sake! - its a miniscule fraction of the profits the banks make - or even what they stand to loose from such weaknesses...

Shopping list for Bankers (1)

bananaendian (928499) | more than 3 years ago | (#34666026)

In fact work at a lab, and I say this was a major missed opportunity...

What they should've said is:

" Listen, your whole system is flawed and full of holes like a tennis racket made of swiss cheese.

For a start immediately buy our university department the following:

- One of each on their catalog [agilent.com] ...

- And their [ni.com] ...

- And their [fluke.com] ...

...that should cost you only 50-100 million (you might get a discount). Budget it as a long term investment into transaction systems."

At least such a scenario is a recurring dream of mine. Oh well, back to the grind ... calibrating old Tektronix oscilloscopes...

Re:Advice to Bankers (0)

Anonymous Coward | more than 3 years ago | (#34666150)

Working for one of the larger card issuers and acquirers in the UK, I'm amazed it only took them 10 months - to say things move at glacial speed in the UK banking sector would be dissing glaciers.

I smell a lawsuit. (1)

timeaisis (1679624) | more than 3 years ago | (#34665962)

Sure, this kid and Cambridge absolutely have the right to publish this paper. That doesn't mean the bank and its customers aren't going to class-action their ass, though. Their not doing anything illegal, but they are pissing people off.

Re:I smell a lawsuit. (1)

Brannoncyll (894648) | more than 3 years ago | (#34666004)

Is pissing people off against the law now? I thought that was only true if you're pissing off the US government?

Re:I smell a lawsuit. (0)

Anonymous Coward | more than 3 years ago | (#34666074)

Banks have more than enough resources to sue a grad student for intimidation purposes, even if the lawsuit is completely groundless.

Fortunately, the professors won't yield to this bullshit, and they can get Cambridge to back them up.

Re:I smell a lawsuit. (3, Insightful)

Peil (549875) | more than 3 years ago | (#34666232)

And what exactly would they sue him for?

Re:I smell a lawsuit. (1)

Fulcrum of Evil (560260) | more than 3 years ago | (#34666788)

making them look bad.

Re:I smell a lawsuit. (2)

nosferatu1001 (264446) | more than 3 years ago | (#34666366)

Except in the UK they will lose, and lose big. Frivolous lawsuits are looked down upon.

Taking on one of the largest universities in the world, with alumni who are incredibly powerful, is not a good idea.

fail (1)

deltaromeo (821761) | more than 3 years ago | (#34665976)

When security measures involve trying to keep people quiet about its flaws, I think it's time to accept the security is broken! Also, this paragraph of the UK Card Associations complaint letter attempts to downplay the effectiveness of the hack, looks to me like it's just there to deter anyone considering trying it.

Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place ... the banking industry's fraud prevention systems would be able to detect when such an attack had happened.

Yeah right!

Well done Ross Anderson (4, Insightful)

horza (87255) | more than 3 years ago | (#34666000)

Ross Anderson does great work in this field, and has done for decades. The banks are happy to put out a flawed system, and hope that people don't notice they are getting ripped off by criminals. Those that actually do notice get reimbursed if they fight hard enough and manage to win their court case (the banks often falsely convince the judge their system is infallible), and then this simply gets shifted back onto the customers through increased bank charges.

If you look at his February post [lightbluetouchpaper.org] after they broadcast the problem on Newsnight (major UK political television programme), a large number of the commenters appear to be victims.

The message is clear: if you take your credit or debit card out with you, or use it online, there is a good chance money will easily be stolen from your account. If somebody swipes and clones your card, they do not need to know your PIN number to extract money from it. The safest way to pay is currently with cash.

Phillip.

Re:Well done Ross Anderson (4, Insightful)

rapiddescent (572442) | more than 3 years ago | (#34666802)

he does great work in this area but often gets quite a bit of it wrong. I used to work on the other side (i.e. for the banks) and have designed one of the largest CAP 2FA systems in the UK. (which hasn't been broken (yet)). I was never a fan of the retail "chip and PIN" (not the same as CAP, which is Chip Authentication programme) because it trained our customers to type their PIN into any old device which could quite easily be skimming details. (there are lots of cases of this from fake chip and PIN readers to hacked petrol pumps)

The piggy back method is quite clever - but also well known and has been done before with other ship technologies and the video on TFA was the first time I'd actually seen it working with EMV. It plays on some social hacking because UK customers are being trained to keep hold of their card and not hand over to the checkout person (although, some supermarkets do breach the merchant acquirer principles by "taking a swipe" -- which I personally hate)

the problem as I see it is that the card should have been sending back a message containing an encoded card counter and other information instead of a binary YES/NO "PIN OK" but the problem has always been that a large proportion of the transactions are under the floor limit or large shops batch up transactions to save on processing fees to the merchant acquirer.

Why does it always happen this way..... (1)

Mark19960 (539856) | more than 3 years ago | (#34666034)

Some of us would have NEVER KNOWN about this if they did nothing.
This crap spreads a lot slower if they leave it alone.
The problem with the internet is once you post it.. it's there forever.
Drawing attention to it makes it a LOT worse.
Now there are torrents being made and mirroring is being done so any chance in hell of it being removed or kept quiet just went to -zero-

How many more years will it take before these corporate idiots realize that once it hits the net it's out there?

The article title is inaccurate and inflammatory. (1, Informative)

Melee_Fracas (1092093) | more than 3 years ago | (#34666038)

Having read the letter in the supplied link, "take-down notice" is an inappropriate and inflammatory term to use to describe the communication in question.

IANAL, but I am a speaker of the English language. A "take-down notice" would, in common usage, refer to a DMCA (most common) or other style notification that a publisher of some (often allegedly plagiarized) content is legally obligated to remove it, or will enjoy a legal safe harbor if one does so. None of these criteria are met by the letter in question. Also spurious is the use of the word "demand." The letter makes no demands. It expresses (IMO poorly founded) concerns. What we have, instead, is a letter that basically says, "Hey, this bothers us. Would you stop it?"

This may be inappropriate. (It is.) It might be silly. (It is.) It is not, however, a David-and-Goliath story of epic proportion. It is regrettable both that ./ has descended to this kind of pandering in order to attract readership and that, judging by most comments in here, they have consequently succeeded in attracting an audience that doesn't take the minimal time necessary to examine the source material provided and come to a conclusion on the actual merits.

I believe it is customary to shout, "THINK SHEEPLE!," at this time.

Re:The article title is inaccurate and inflammator (4, Informative)

Daniel Dvorkin (106857) | more than 3 years ago | (#34666320)

Um, did you read the same letters I did? The Cards Association's letter was exactly a take-down notice ("Our key concern is that this type of research was ever considered suitable for publication by the University ... we would ask that this research be removed from public access immediately") and the reason it doesn't mention the DMCA is because, you know, it's in the UK. And the only reason it's not David-and-Goliath is because Cambridge is Cambridge, a huge and ancient university with one of the best academic reputations in the world, which is ready, willing, and able to fight for academic freedom, as the response letter shows. Your criticism of Slashdot for daring to present the story accurately is bizarre; I honestly have to wonder if you're being paid, or if you're just so blindly faithful to the Golden Rule ("he who has the gold makes the rules") that you can't properly interpret what's right in front of your face.

Re:The article title is inaccurate and inflammator (2, Insightful)

Melee_Fracas (1092093) | more than 3 years ago | (#34666600)

Is there no difference between the interrogative ("..we would ask...") and the imperative (for example, "...we demand that you remove...")?

If we're going to call this a "take-down notice," what will we call it when Cards actually notifies Cambridge that they are demanding that Cambridge remove some other content and that Cards believes they have the legal force of law to require it? Will that be a "take-down sexual assault?"

Simply put, there can be letters that are not take-down notices. This is one of them.

But, to answer your question: I'm reasonably certain that we did read the same document. However, I'm also reasonably certain that my interpretation of it is informed by the meanings of the words on the page and a verifiable reconstruction of the authors' understanding of the scope of actions available to them. In contrast, you quoted back to me the supplication, "...we would ask that this research be removed...," and called the document that contained that phrase a "notice," with apparent sincerity. I allege that this characterization is not supported by the text of the letter.

Furthermore, in your brief missive, you managed to impugn my motives in a very silly way, accusing me either of being on the bankers' dole or of being so prostrate before moneyed interests on principle (Heh. "Moneyed interest on princip[le|al]." Get it?) that I'm unable to properly read the letter. Is this a serious way to think or argue? Specifically, is this a way to think or argue that is even capable either of engaging the facts of the matter or of fostering any kind of intellectual progress?

Also, if I don't get modded up for "moneyed interests on principle," then you people have hearts of stone.

Re:The article title is inaccurate and inflammator (2)

Fulcrum of Evil (560260) | more than 3 years ago | (#34666822)

This looks more like the opening volley in a lawsuit than a polite request. It details that the student built a device (or designed it), that the police know he falsified a transaction in a shop, and claims that publication is a hazard to people's money. That the language is polite is irrelevant: it's notification of a cause for action that can be referred to later and it demands ('requests') that the paper be removed from public access.

As for being prostrate before moneyed interests, i don't understand it either, but I'm in the US and I see a whole lot of people doing just that - arguing against progressive taxation, demanding tax breaks in a recession, and so on; personally, I blame our right wing talk show idiots for whipping the mob into a frenzy, and the GP may have confused you with one of them.

Re:The article title is inaccurate and inflammator (1)

NeutronCowboy (896098) | more than 3 years ago | (#34666336)

It is regrettable both that ./ has descended to this kind of pandering in order to attract readership and that, judging by most comments in here, they have consequently succeeded in attracting an audience that doesn't take the minimal time necessary to examine the source material provided and come to a conclusion on the actual merits.

/. has descended to not RTFA'ing? For Zombie Jesus' sake, it's a sport here with its own acronym. Ever since, well, day 1. Even a 7-digit UID should know that.

Re:The article title is inaccurate and inflammator (0)

Anonymous Coward | more than 3 years ago | (#34666398)

mmmm... Sheeple [paheal.net]

Re:The article title is inaccurate and inflammator (1)

rhizome (115711) | more than 3 years ago | (#34666564)

IANAL, but I am a speaker of the English language.

You don't say.

Please do tell us what the name of this fancy "UK DMCA" law is called. What's that, you're an authoritarian who wants the world to live by the USA's laws? I couldn't quite hear you, that's all I could make out.

Oh right, you're actually referring to the "other style notification." What form would this take, exactly, in order to be legally defensible? In the UK? Maybe "state secrets," eh?

Re:The article title is inaccurate and inflammator (5, Informative)

folderol (1965326) | more than 3 years ago | (#34666572)

Speaking English is not particularly relevant. Understanding the language is something entirely different. To anyone raised in the British Isles this is very clearly a 'Gentleman's' way of phrasing a demand. What surprises me is not the arrogance of the Banks in making this demand, but the fact they actually think they can intimidate one of the worlds oldest universities. The reply they got was not only right to the point, but devastating in its clarity and accuracy. P.S. Been a /. watcher for years, but only now thought I'd participate :)

Re:The article title is inaccurate and inflammator (0)

Melee_Fracas (1092093) | more than 3 years ago | (#34667066)

What surprises me is not the arrogance of the Banks in making this demand, but the fact they actually think they can intimidate one of the worlds oldest universities.

This is nearly precisely my point. It's not a "notice" unless someone is being notified of a legal infraction. This is just pure arrogant bumbling. They may be evil, but it's more important that they're hilariously inept.

Re:The article title is inaccurate and inflammator (1)

IchBinEinPenguin (589252) | more than 3 years ago | (#34666944)

... an audience that doesn't take the minimal time necessary to examine the source material provided ...

In other words, people don't RTFA.

In other news: water is wet, the sun it bright, the moon is round and sarcasm is the lowest form of wit.

wth? (1)

cloakedpegasus (1761746) | more than 3 years ago | (#34666046)

Fuck these guys. Fix your shit.

Lloyds is pants. (0)

Anonymous Coward | more than 3 years ago | (#34666100)

Lloyds is pants.

The Banks Goal is not security (1)

Anonymous Coward | more than 3 years ago | (#34666110)

I used to do the certification of devices for Interac in Canada. It was the most frustrating experiences of my working career.

Most banks just want some one else to carry the burden when something goes wrong. Worse than telling the world what the problems are this paper tells the banks what is wrong. Before this was published the banks could have claimed:
1) they didn't know about it
2) Any money missing from some ones account had to be taken with the account holders permission because the new chip cards are completely secure.

To the banks it doesn't matter if a device or procedure is secure it's what the perception is. The UK banks are the worst I've ever dealt with, they weren't clueless they were intentionally evil. In Canada if money goes missing from your account it's up to the bank to prove that the account holder aided in taking the money. In the UK the burden is reversed and the account holder has to prove that they didn't aid in allowing the withdrawal. This leads to the banks in the UK in having some terrible security policies and auditing policies that are intentionally useless.

It would actually be very useful for the developers of debit cards, ATM and point of sale devices to have a book of well know attacks against these devices. As you can imagine there are some very easy, low tech attacks that many of the devices on the market can be beaten by and the ones that are well made are more expensive and their additional security never appreciated.

Re:The Banks Goal is not security (1)

joebagodonuts (561066) | more than 3 years ago | (#34666380)

To the banks it doesn't matter if a device or procedure is secure it's what the perception is...

This behavior is not just limited to banks. Any institution behaves in a similar fashion.

Please RTFA (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34666132)

...as it is absolutely epic. I adore the parting shot:

Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has been finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009.

OWNED!

pl@us 3, Troll) (-1)

Anonymous Coward | more than 3 years ago | (#34666156)

Why the fuck does a PIN pad get the bank details? (4, Insightful)

Talez (468021) | more than 3 years ago | (#34666160)

They implement Chip and PIN with the chip being a mini flash drive with all your shit on it ready to steal and a PIN authenticator that basically says "this PIN is correct, scout's honour, you can use the banking details!"

I was expecting it to be implemented a'la GSM with the PIN waking up the crypto-processor, submitting the transaction to the crypto-processor, signing the transaction with the card's details and the PIN pad merely passing along the signed transaction and submitting it to the issuing bank.

Chip and PIN is the most retarded use of two factor authentication I have ever seen.

Re:Why the fuck does a PIN pad get the bank detail (4, Interesting)

Animats (122034) | more than 3 years ago | (#34666626)

Chip and PIN is the most retarded use of two factor authentication I have ever seen.

Certainly the UK version is. Read pages 16 and 17 of the thesis.

What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.

The way this is done right is that the bank and merchant send the transaction details to the device, where the user checks them and signs the transaction using their PIN and crypto within the device. The bank and merchant confirm that the transaction is signed properly and the bank confirms the account information. The merchant system never sees the PIN or the customer's private key.

Of course, the problem with doing it right is that to do a true mutually mistrustful system, the customer has to have a device with a keyboard and display, plus some CPU power. If the merchant owns the PIN pad, that's a vulnerability. That's usually a phone, not a dedicated device, which opens up a new range of vulnerabilities.

Re:Why the fuck does a PIN pad get the bank detail (1)

makomk (752139) | more than 3 years ago | (#34667002)

What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.

The really impressive bit is that the cards do have enough CPU power to do encryption. (I think they may even be able to do hardware accelerated public-key encryption.) It's just that whoever designed the system completely and utterly failed make use of this correctly.

NDA (0)

Anonymous Coward | more than 3 years ago | (#34666164)

Did he sign an NDA? If not, then why are they complaining?

The hand of a famous smart card hacker behind this (4, Interesting)

niks42 (768188) | more than 3 years ago | (#34666210)

I notice with interest that the Ph.D paper has the acknowledgement "I thank my supervisor, Markus Kuhn, for extensive guidance and valuable advice on rigorous design and research"

Not THE Markus Kuhn for whom many of us have to thank for Season 7, the Sky smartcard emulator and a kickstart into the world of hardware hacking? (in the nicest sense of the word).

We are not worthy. Omar, you walk in the footprints of a giant.

Geez, stop SHOVING you bankers (2, Insightful)

SmallFurryCreature (593017) | more than 3 years ago | (#34666636)

I just hate those pushy bankers. Why can't they just keep their place in line behind lawyers for who is going to get it when the revolution comes? Are they afraid we are going to run out of bullets or something?

Okay, so the line is lawyers, bankers, politicians, republicans. NO pushing ahead. We probably run out of bullets before we got to republicans but we can just have them watch Fox showing a video of a gun firing and they will drop dead from fright.

I designed ... (4, Informative)

rapiddescent (572442) | more than 3 years ago | (#34666764)

I designed the CAP/EMV check system employed by one of the UK banks eBanking system. These are the little battery operated units that offer 3 types of 'authentication' that can be typed into an ebanking website after inserting a debit card and performing a PIN entry etc. Some debit cards simply have another couple of programs on the chip on the card that can do simple challenge/response type algorithms to encode input data along with the cards cert to produce a 6 to 8 digit number that the user then types into an ebanking website etc.

I was wondering how long it would take for the retail chip and pin system to be broken. the core difference between retail units and the ebanking system is that the user returns an encrypted block (inside 6 to 8 digits) containing the card counter (which you can determine by pressing the menu button on any hand held CAP disconnected 2FA reader). If the card counter is out by a **censored** number then the transaction is stopped and a fraud warning is placed on the card.

Clearly, people can increase their card counter by buggering around putting the card in an out of card readers without doing a transaction and so the odd person gets their card locked down and they just have to ring in for a new one. n (I actually did this by mistake with my own debit card).

the disconnected CAP 2FA systems were a good few years later than "Chip and PIN" and so had the benefit of a bit better understanding. It should be noted that a large UK bank does not do this with their eBanking system and was nearly picked up on an earlier light-blue touchpaper paper but they didn't quite get that far so i think there are some problems looming for some of the handheld 2 factor authentication units as well. we'll wait and see.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...