Banks 'trying to hide chip and pin flaw'

  • super jumbe
    V.I.P. Member
    • Dec 2008
    • 11610

    #1

    Banks 'trying to hide chip and pin flaw'

    A Cambridge University professor has accused the bank cards industry of making a ''very nasty attempt at censorship'' over a flaw in chip and PIN technology.
    The UK Cards Association (UKCA), which represents the country's biggest banks, wrote to the university to try to remove the online publication of research which shows how a £20 hand-held device could be used to buy goods without entering the correct PIN.
    Melanie Johnson, a former Labour Treasury minister who is now chair of the UKCA, wrote to the university's director of communications earlier this month saying the publication ''oversteps the boundaries of what constitutes responsible disclosure''.
    She said the paper, The Smart Card Detective, by MPhil research student Omar Choudary, ''places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN''.
    She said the type of attack described was ''difficult to undertake'' and ''unlikely to interest genuine fraudsters'' but said the ''level of detail'' published was worrying and asked for the research to be removed.
    And she said police had expressed concern the student ''was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant''.
    Ross Anderson, professor of security engineering at Cambridge University's Computer Laboratory, said: ''This was absolutely unacceptable. It was a very very nasty attempt at censorship.''
    He said exposing vulnerabilities in the system was an example of ''responsible disclosure'' and said the industry had been guilty of ''sitting on their butts and doing nothing'' since he and fellow scientists first revealed the flaw in late 2009.
    In a response letter dated December 24, he wrote: ''You seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient.
    ''This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.''
    He continued: ''You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.''
    Prof Anderson said he had authorised the thesis to be issued as a Computer Laboratory technical report, saying: ''This will make it easier for people to find and to cite, and will ensure that its presence on our website is permanent.''
    He said there was no basis for police concern as there was no intent to commit fraud, as the card holder gave his consent and the merchant was paid.
    He added that Barclays Bank did appear to have closed the technological loophole although other banks were yet to fix the problem.
    A UKCA spokeswoman said: ''The UK Cards Association has written to Cambridge not to challenge the work of the university's security academics but only to challenge whether publishing explicit details of how to attempt a fraud - specifically one which there is no evidence of a fraudster yet undertaking - is necessary and serving the public's best interest.
    ''We remain hopeful that the academics concerned will work with us rather than against us to help defeat the fraudsters - as unfortunately it is only the fraudsters who stand to gain from any lack of cooperation between us.''
    She said it was questionable whether publishing a ''DIY guide for fraudsters'' was ''in the best interests of the card-holding public''.
    And she said while ''nothing is 100% secure'' fraud on UK issued cards had dropped to £186.8 million in the first six months of the year, down 20% on the same period in 2009.

    Tools owned: Hammer, Chisel, Crowbar, Punch, Chainsaw, Cutter and Brain!!!

    Did you know People will question all the good things they hear about you but believe all the bad without a second thought.

    Note:
    All information given is to be used for educational purposes only and should not be taken seriously.
  • Grizz
    DK Veteran
    • Sep 2010
    • 1598

    #2
    That's the first time ever I've seen the words "banks, frank and honest" in the same sentence.


    • Canker_Canison
      V.I.P. Member
      • May 2010
      • 3905

      #3
      I seem to remember, within a couple of weeks of chip & pin being launched, people had found a way to disable the chip so the user had to sign for purchases.

      Nick a card, bugger the chip, pick out your large screen TV, card doesn't read correctly so the retailer is directed to authorise via swipe & sign.

      The banks didn't like that either.
      Canker

      "Animal, vegetable or mineral... I'll do anything, to anything, with anything"
      - The Baby Eating Bishop of Bath & Wells
