
UK Banks Attempt To Censor Academic Publication 162

Posted by timothy
from the here-are-some-rugs-for-your-eyes dept.
An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."
  • Amusing to read (Score:5, Interesting)

    by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Saturday December 25, 2010 @12:06PM (#34665664) Homepage

    The university's response completely owns the bank.

    "1. Why don't you have the balls to complain to the guy who actually published it? 2. Why do you suddenly object to research based on something that was already published, like, years ago, and which we warned you about before? 3. Why are you defrauding your customers by pretending your shitty system is secure, and on what grounds do you demand our help with that? 4. Fuck you this is a anteater^W university."

  • by niks42 (768188) on Saturday December 25, 2010 @02:15PM (#34666210)

    I notice with interest that the Ph.D. paper has the acknowledgement "I thank my supervisor, Markus Kuhn, for extensive guidance and valuable advice on rigorous design and research"

    Not THE Markus Kuhn whom many of us have to thank for Season 7, the Sky smartcard emulator and a kickstart into the world of hardware hacking (in the nicest sense of the word)?

    We are not worthy. Omar, you walk in the footprints of a giant.

  • by Animats (122034) on Saturday December 25, 2010 @03:56PM (#34666626) Homepage

    Chip and PIN is the most retarded use of two factor authentication I have ever seen.

    Certainly the UK version is. Read pages 16 and 17 of the thesis.

    What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.

    The way this is done right is that the bank and merchant send the transaction details to the device, where the user checks them and signs the transaction using their PIN and crypto within the device. The bank and merchant confirm that the transaction is signed properly and the bank confirms the account information. The merchant system never sees the PIN or the customer's private key.

    Of course, the problem with doing it right is that to do a true mutually mistrustful system, the customer has to have a device with a keyboard and display, plus some CPU power. If the merchant owns the PIN pad, that's a vulnerability. That's usually a phone, not a dedicated device, which opens up a new range of vulnerabilities.
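The "done right" design in the comment above, as an added illustration that is neither the thesis's code nor the commenter's: a customer-owned device holds an Ed25519 key and a PIN hash, signs only the transaction details it was shown, and merchant and bank verify with the public key alone, never seeing the PIN or the private key. The field layout, the canonical encoding and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Transaction holds the details the merchant and bank send to the device for review (assumed layout).
type Transaction struct {
	Merchant string
	Amount   uint64 // minor units, e.g. pence
	Currency string
	Nonce    string // issued by the bank per transaction, so a signature cannot be replayed
}

// Bytes is the canonical encoding every party computes identically; the device signs exactly this.
func (t Transaction) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s|%s", t.Merchant, t.Amount, t.Currency, t.Nonce))
}

// Device is the customer-owned signer; the key and PIN hash are unexported and never leave it.
type Device struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// NewDevice personalises a device and returns only the public key, which the bank registers.
func NewDevice(pin string) (*Device, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, []byte(pub)
}

// Sign releases a signature only after the correct PIN is entered on the device itself,
// so a stolen device without the PIN cannot authorise anything.
func (d *Device) Sign(pin string, tx Transaction) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, fmt.Errorf("wrong PIN")
	}
	return ed25519.Sign(d.priv, tx.Bytes()), nil
}

// Verify is what merchant and bank each run holding only the public key; any change to the signed fields fails.
func Verify(pub []byte, tx Transaction, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), tx.Bytes(), sig)
}
```

A real device would also need a display the terminal cannot drive and a lockout after repeated wrong PINs, both left out here for brevity.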
