Forgot your password?
typodupeerror
Censorship Bug Security United Kingdom Hardware

UK Banks Attempt To Censor Academic Publication 162

Posted by timothy
from the here-are-some-rugs-for-your-eyes dept.
An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."
This discussion has been archived. No new comments can be posted.

UK Banks Attempt To Censor Academic Publication

Comments Filter:
  • Good. (Score:5, Insightful)

    by Nemyst (1383049) on Saturday December 25, 2010 @11:57AM (#34665610) Homepage

    Security through obscurity is foolish. If this forces the banks to reinforce what they already know is weak, then I commend both the guy and the university.

    • Re: (Score:3, Insightful)

      by hedwards (940851)
      Except it won't. The only reason why they use chip and pin over there is that regulators actually regulate. In the US we haven't been using chip and pin because the bankers figured out that it's cheaper to just pay off any claims due to fraud than to pay the $50 or so it costs per card to use chip and pin.

      It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Aroun
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        The only reason why they use chip and pin over there is that regulators actually regulate.

        It also removes their liability for losses. If there is a problem it'll be because someone got your pin so its your fault.

        • by Nursie (632944)

          That's just not true.

          It moves the liability for fraudulent non-PIN transactions to the merchant. They still have to (by law) refund anything you claim as fraud and then investigate.

          • by Sir_Lewk (967686)

            And what about the liability for PIN transactions?

            Not trolling here, I actually don't know.

            • The banking code still stipulates they have to prove negligence on your part. They will,l of course, pretend otherwise - but it is irrelevant.

              • Re:Good. (Score:4, Insightful)

                by Sir_Lewk (967686) <(moc.liamg) (ta) (kwelris)> on Saturday December 25, 2010 @02:53PM (#34666382)

                After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).

                Since this exploit seems to allow you to preform fraudulent PIN transactions without actually knowing the PIN, it really does kind of seem like in the case of fraud with this system and this exploit, the system is designed to place liability on the consumer. And if liability is being placed on the consumer, you might as well just use a debit card...

                • by TubeSteak (669689)

                  After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).

                  When they wrote the law, the system was presumed to be bulletproof, thus allowing the banks to pass on all liability to the customer.

                  The law needs to be re-written.

                  • by Sir_Lewk (967686)

                    Even with the assumption that the scheme is secure (a bad assumption) automatically making the consumer liable for PIN transactions on a credit-card is a pretty lame idea. We already know from ATM skimmers that PINs are quite easy for fraudsters to acquire. I don't see why credit-cards would ever be desirable over debit-cards with this scheme and law.

                    • by ultranova (717540)

                      I don't see why credit-cards would ever be desirable over debit-cards with this scheme and law.

                      Well, from what I've understood, the banks don't get various late-payment fees with debit cards which they do with credit cards.

              • by ToreTS (811203) *
                From what I've read, UK banks will say "the correct PIN was used, so you must have been negligent and written it down somehow, the Chip and PIN system itself is unbreakable". Here in Norway we have had a PIN-based system since the 1980s, and in the beginning, Norwegian banks took the same stance (correct PIN used - customer automatically at fault), but time has shown that this is not true, as shown by skimming frauds where criminals read a customer's PIN using stealthily mounted cameras. Another approach is
            • Re:Good. (Score:5, Informative)

              by green1 (322787) on Saturday December 25, 2010 @03:36PM (#34666568)

              This is the problem. The banks claim that if a PIN transaction goes through, then it can not be fraudulent as you must have given out your PIN. the problem being what this student is exposing, that PIN transactions don't require the CORRECT PIN as the PIN is verified against the card itself, and not against the bank. meaning a fraudulent card, or fraudulent terminal, can report a correct PIN even when an incorrect PIN was entered.

              Basically if someone does this to you, you as the end user are screwed. The bank will refuse liability as "you must have given out your PIN", and if you push the issue, the bank is likely to charge you with fraud yourself (it has happened several times!)

              This is the real reason for chip and PIN, it shifts the liability from the bank to the consumer, without shifting the security.

              • Re:Good. (Score:5, Informative)

                by Anonymous Coward on Saturday December 25, 2010 @04:56PM (#34666864)

                The PIN is not verified against the card. The vulnerability is a protocol flaw which allows the card to use a different authentication than the terminal. The terminal thinks that the card uses PIN authentication and the card thinks that the transaction is authenticated with a pen and paper signature. If the card actually performed the PIN authentication protocol, it would not verify the PIN itself but use the terminal to communicate with a server which verifies the PIN.

                • by Nursie (632944)

                  Of course PIN is verified against the card!

                  that's part of the point of EMV. The PIN you enter is mangled with some other data and presented to the card, which then answers yes or no.

                  This attack is to bypass that section, but without the bypass yes the card does verify. The server can (and should, IMHO) verify also

                • by Sir_Lewk (967686)

                  Not saying it is correct, but wikipedia suggests that the pin is verified by the card.

              • Re:Good. (Score:4, Insightful)

                by drmerope (771119) on Saturday December 25, 2010 @07:30PM (#34667556)

                You as a consumer should never use a pin-based card--doing so completely vitiates your protections under the law.

                Consequently, PINs are almost never used in the US for credit card transactions. You have to go to Europe to encounter this oddity. What's crazy is that no one seems to realize that the best remedy is to just abandon the farce.

                Farce? Yes, the incident of fraud does not go down with pin systems. This is one in a long stream of vulnerabilities; there have always been attacks against these fixed-pin systems that make them pointless: pin observation either visually or through man-in-middle compromise of the hardware. Basically there is always a moment when the pin is in the clear. This interacts badly with legal regimes that regard 'pin as proof' of identify, and ultimately consumers can and should reject to participate in these systems. period.

                What does need to be more common--for online banking and e-commerce--are key fobs with rotating time-based pin displays. That would be a marked step forward.

                • Re:Good. (Score:4, Informative)

                  by TheSunborn (68004) <tiller@nOsPAM.daimi.au.dk> on Saturday December 25, 2010 @08:28PM (#34667750)

                  I don't think its fair to call the pin code pointless. Without the pin code, you could use my card just by stealing it. Now you also have to know the pin code which mean that you can't just steal a card and use it.

                  But how do you prevent me from stealing a credit card, and just using it(In an atm?) if it don't require a pin code?

                  But the security situation in eu is getting much better now, because almost all new cards will use a small chip on the card to do the encryption making it much more difficult to read and copy cards.

                • by compro01 (777531)

                  Consequently, PINs are almost never used in the US for credit card transactions.

                  yes, instead you have signatures, which are just as laughable.

                  • by Sir_Lewk (967686)

                    Signatures don't transfer liability to the consumer.

                    Therefore, far less laughable. The only reason I use a credit-card is because they remove liability from myself.

                • Re:Good. (Score:5, Informative)

                  by kevinmenzel (1403457) <kevinmenzel AT gmail DOT com> on Saturday December 25, 2010 @09:20PM (#34667960)

                  Maybe you just need better banks.

                  In Canada, debit is not run by the credit companies, it's directly run by the banks themselves, and most credit cards are offered by banks. Most of the banks are actually pretty good about fraud, with fraud departments that will pro-actively look for any sign that either your credit or debit card was misused. My bank (TD), has been quick to alert me that my card MIGHT have been copied, calling to confirm transactions even if my card hasn't actually been copied, and getting a new [debit] card is free and takes about 3 minutes during any of their (quite long) banking hours. Credit cards might take a day or two to arrive in the mail, max.

                  They are also generally faster than their 4-6 week guideline for refunding fraudulent charges, especially for low amounts (I had about 13.40 or something of fraudulent charges on my debit once, they rushed it through by the end of business day).

                  Largely, this is because my bank does NOT assume that their security is perfect, and their fraud department often treats you with quite a bit of respect, assuming that you are likely being honest. I'm not sure if this is a regulation thing, having very little experience with other Canadian banks, or a matter of customer service, but there you have it. PIN on debit, PIN on credit, and I have never failed to have any fraudulent transaction, no matter how big or small reversed within the month, and generally they proactively call me before I might notice myself.

                  It's not a bad situation to be in.

                  • by ishobo (160209)

                    In Canada, debit is not run by the credit companies, it's directly run by the banks themselves...

                    The banks are credit companies. Visa and Mastercard are payment processors not credit providers, they do not issue or manage credit accounts.

                • by vegiVamp (518171)

                  Under US law, you mean.

                  It's funny that the rest of the debitcard-using world looks at the US signature system as an oddity, a hopelessly backwards legacy system.

                  For fuck's sake, do you really think Visa and Mastercard would be forcibly rolling out chipcards if it wasn't safer ? The cards are certainly not cheaper for them.

                • by xaxa (988988)

                  "Cardholder present" fraud has dropped massively in the UK. It's been replaced by online fraud, and overseas fraud -- typically, producing fake cards in the US with UK card details, since the UK bank will accept a non-PIN transaction from the US. If I want to use my card outside Europe I have to phone the bank (otherwise, they'll block the transaction and phone me when I try and use the card).

            • by Nursie (632944)

              Legally, it has nothing toi do with what type of transaction (in the UK where I did my EMV stuff). In law the CC company is a party to the debt and therefore responsible for it (for some reason). Therefore (and I really don't know how this follows, but IANAL) they have to give the money back the moment you challenge it, regardless of circumstance.

              They then investigate with the help of the authorities and if they can prove it was you then you get charged with fraud (well, maybe, it's possible, I've never see

      • Re:Good. (Score:5, Insightful)

        by jimicus (737525) on Saturday December 25, 2010 @12:39PM (#34665820)

        It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Around here the best you can hope for is a minor slap on the wrist.

        HAHAHAHAHAHAHAHAHAHAHAHHAHAHAHA!!!! You are having a fucking laugh!

        Seriously, have you ever thought of going into stand up? My own mortgage company was raked over the coals for losing a laptop with customer data on it. IIRC the fine wasn't huge by mortgage company standards - around £500,000. It got in the news all right - it was still one of the biggest fines that had been levied at the time. They're not a bank, they're a building society. I don't know if these things exist in the US, but essentially it's a money-lending institution owned by its customers.

        They wrote me (along with, I imagine, all their other customers) a letter.

        It was a couple of years ago and I can't remember the exact wording, but broadly speaking they said:

        "As you may be aware, we have been fined for losing all this customer data. We don't think it's fair to take it out of the chairman's bonus, so instead we're passing it on to you lot. Thank you for being a customer".

        • by moortak (1273582)
          The equivalent loss in the US would have only led to the bad press, if that. What laws we do have, regarding electronic privacy, rarely ever result in prosecutions or fines of any size.
        • by Lost Race (681080)

          Sounds like everything worked out exactly as it should: The company misbehaved, got fined, and the owners of the company (i.e. you) paid the fine. If you don't like the way management is taking care of business, you and the other owners get together and sack the bastards.

          a money-lending institution owned by its customers

      • by Pax681 (1002592)

        pay the $50 or so it costs per card to use chip and pin.

        $50 per card? what planet are you on?

        they are glorified, oversized SIM cards...lol

        most banks don't charge for a replacement card here in the UK however those that do only charge a mere £5 which is pretty FAR from $50

        • by lennier1 (264730)

          Same for Germany and Austria. 5 bucks replacement fee for the whole procedure, including the two letters which will get you the new card and the new PIN.

      • by icebike (68054)

        You make it sound so sleazy.

        The speed with which you can get a credit card canceled and a new one issued by US banks after a loss or theft probably DOES make it cheaper to simply pay off the losses rather than us an expensive (and flawed) chip & pin system.

        Plus, there is no evidence c&p was a regulatory mandate. And if it turns out that it was a regulatory mandate it was still defective.

        Nor is there any evidence c&p has lead to lower credit card fees.

        This has nothing to do with regulations. It

      • Around here the best you can hope for is a minor slap on the wrist.

        A slap on the wrist? A SLAP ON THE WRIST??? We can't go around slapping bankers on the wrist! Capitalism will die, the economy will collapse, and we'll all decline into socialism(*)! Then, the gulags and death camps will open! Stalin will rise from the grave with Hitler and have a coffee klatch! There is no Dana, only Zuul!

    • Re:Good. (Score:5, Funny)

      by interkin3tic (1469267) on Saturday December 25, 2010 @12:08PM (#34665670)

      Ideally this streisand effect multiplier will force them to change, and that will be good, but how is it in this day and age that large institutions are still trying to suppress news stories? It implies that not only did they totally miss one of the big lessons of wikileaks, they didn't see "Serenity" either ("you can't stop the signal") and that's just sad.

      What was going on in the board room or exec room when that decision was made? "Well, gee, this is bad. Our strategy guy and media guy are both out on holidays, but I think our action is pretty clear: murder the guy. Oh, we don't have an assassin on retainer? Well, lets get on that and in the meantime we'll just try to keep it from press. That will probably work, no harm there."

      • by NoSig (1919688)
        It may be that it works perfectly well 99% of the time, yet there is a 1% chance that it will backfire on them like in this case. You only hear about the 1% cases, so you think it never works.
        • by moortak (1273582)
          That may be, but it should have been clear to them that trying to get a thesis pulled from an institution like Cambridge is almost certainly in that 1%.
      • by Ihmhi (1206036)

        BANKER: I want that students paper rated EC-10 and BURNED!

        ASSISTANT: For the last time sir, Equilibrium was not a documentary...

    • Who cares? EMV is FAR more secure than the other methods of CC payments, most notably buying online with nothing more than the information displayed on the card in full view of the customers (or hidden cameras) next to you. For this exploit to work in the real world, the criminals must already have the card. If they already have the card they can easily withdraw money in other methods.

      So EMV is flawed? It is by no means the weakest link. If EMV was 100% secure, CCs would still be just as insecure as they ar

    • by DarkIye (875062)

      That's important to note. However, they're taking their fucking time fixing it (it's been a year since the first notification) - only Barclays' system has been fixed so far - so they aren't really justified in making such a request.

      • by h4rm0ny (722443)
        How long does it take to fix a vulnerability that exists in a credit card system which covers many millions of cards and countless chip and pin units? I'm just asking because I don't know and you obviously do.
        • by AK Marc (707885)
          The fix is simple. There is none. The hole only exists if you don't trust the POS machines. And if you don't trust them, then you'd have to assume that every one logs the keys pressed for the PIN and records the magnetic strip, at which point the whole thing fails.

          It isn't a security vulnerability if you trust the terminals. They trust the terminals. Thus, asserting there's some hole is false in their minds. Someone is spreading false information that harms their business, so they want that informati
          • by DarkIye (875062)

            It's not false information. The system has become more open to fraud, and very few people who own these cards has been told about it.

            Isn't it totally disingenuous to act like nothing's changed, when in fact owning these cards has become more risky? Isn't it even more of a dick move to ask that all information regarding it be censored?

        • by DarkIye (875062)

          Well, I admit my assumptions are:

          1. Barclays is a big bank (or banking syndicate, or whatever).
          2. There aren't massive differences between big banks as far as the extent of chip and pin services or the ability to roll out updates to them are concerned.

          ->

          What the hell are they (except Barclays) doing? They've got enough money to pay themselves big fat bonuses in a depression - how come they haven't got enough to repair a widely-used system in order to protect their customers from fraud? It's almost as if

    • When a large, powerful corporate organization sends a "request" like that, it's a demand. If someone puts a gun to your head and says, "I'd like to request your wallet now," do you think you're not being mugged?

  • Amusing to read (Score:5, Interesting)

    by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Saturday December 25, 2010 @12:06PM (#34665664) Homepage

    The university's response completely owns the bank.

    "1. Why don't you have the balls to complain to the guy who actually published it? 2. Why do you suddenly object to research based on something that was already published, like, years ago, and which we warned you about before? 3. Why are you defrauding your customers by pretending your shitty system is secure, and on what grounds do you demand our help with that? 4. Fuck you this is a anteater^W university."

    • It's nice. I wish academics more often had the balls to call these crooks out. Maybe it will serve as a memo to more people that there's a greater sense to be had. I mean, it's not gonna fix the world's problems, but at least it will stop peopel from worshipping the corporate machine (at least to the extent that they are so worshipped in the US).

  • Nice... (Score:5, Funny)

    by Anonymous Coward on Saturday December 25, 2010 @12:10PM (#34665676)

    by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:

    • by jc42 (318812)

      by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:

      And I suppose you're also going to tell us that by listing a book's author, publisher and ISDN [wikipedia.org], a library or bookseller's catalog is also "publishing" the book.

      Both are equally nonsense. Publishing is done by the publisher (the university in this case), not by someone who merely tells you where to find the publication.

      This would be simple silliness if it weren't for the fact that organizations (companies and governments) have been known to file charges against web sites that merely link to some infringing material. Google and other search sites have been hit with this, and it's the basis of the bogus charges against piratebay. So we should be objecting publicly to the attempts to blur the distinction between actually publishing something and merely telling people where the publishers or distributors can be found.

      • by arekq (651007)

        I think he may not really believe that.
        It may be just a sarcasm about an earlier article "Crookes, RIAA, MPAA, ICE — 'Linking Is Publishing'":
              http://yro.slashdot.org/story/10/12/24/196216/Crookes-RIAA-MPAA-ICE-mdash-Linking-Is-Publishing [slashdot.org]

      • by ultranova (717540)

        This would be simple silliness if it weren't for the fact that organizations (companies and governments) have been known to file charges against web sites that merely link to some infringing material. Google and other search sites have been hit with this, and it's the basis of the bogus charges against piratebay. So we should be objecting publicly to the attempts to blur the distinction between actually publishing something and merely telling people where the publishers or distributors can be found.

        To be f

  • by Nursie (632944) on Saturday December 25, 2010 @12:11PM (#34665696)

    Institute checks at the acquiring or issuing bank that make sure the card and the terminal agree that it was a PIN transaction, that would seem to be an obvious one. And comparatively easy.

    Failing that, remove the signature verification auth method from cards, can be done via an update delivered during any transaction.
    Or make all PIN transactions over the floor limit the 'online PIN verification' type.

    EMV has problems by the looks of it, if you have a sophisticated MITM machine, but it wouldn't take much to fix the problem with this attack.

    That said, the banks still shouldn't be suppressing the research.

  • It is refreshing to see them stand up against them and in the end this kind of disclosure does work:

    There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

    Of course the bankers would just rather be lazy and not have to fix their shit system.

  • Banks (Score:4, Insightful)

    by blind biker (1066130) on Saturday December 25, 2010 @12:14PM (#34665714) Journal

    They just got used to be douchebags and unpunished. Until the guillottine starts chopping some heads again, it won't get any better.

    Yes, I'm bitter and a bit hopeless.

  • Do they have anything like the 1st over there?

    whistle blower laws?

  • Better idea (Score:5, Insightful)

    by MikeRT (947531) on Saturday December 25, 2010 @01:12PM (#34665930) Homepage

    Incorporate his research. Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

    They're screwed right now. If they bankrupt him through litigation, you can bet that someone from the Russian mob is going to offer him a briefcase of unmarked bills to "fund his education."

    • Re:Better idea (Score:5, Insightful)

      by rhizome (115711) on Saturday December 25, 2010 @03:12PM (#34666466) Homepage Journal

      Seriously, what the fuck is wrong with the suits that they don't look at this and go "hmmmm, free research" instead of "OMG TEH WURLD IZ FALLIN?!"

      Because they are corrupt. If they incorporate this research, their friends who own the chip and pin companies may not be capable of fulfilling the concomitant contracts that would derive from increased rigor. They consider security to be a cost center.

    • by orlanz (882574)

      What's sad is the assumption that the "bad guys" don't know about this already. This is one of those stupid "What I don't know, can't hurt me" craps. God forbid someone points out that the emperor has no clothes.

      It's something I have observed in many businesses. Unknown risk can't be quantified, and thus doesn't get a dollar cost or reported in figures. It's unknown. Known risk gets reported, tracked, quantified, and requires expenditure of resources to mitigate. Unfortunately, failure to do so of the

      • by orlanz (882574)

        Curiosity is an exercise done in a dark closet, alone.

        That sounded dirtier than I meant it to be.

    • by Renraku (518261)

      In the wonderful world of corporations, you take a perfectly working (to them) system and leave it be. Doesn't matter if .0001% of transactions are fraudulent. It's cheaper for them to let it be until market forces (increasing fraud, legislation, etc) make them shell out the money to upgrade the system. Doesn't matter who gets screwed in the process as long as it isn't them. Publishing this research is basically taking the inevitable (widespread fraud) and moving that a bit closer.

      The way the legal syst

  • Advice to Bankers (Score:5, Insightful)

    by bananaendian (928499) on Saturday December 25, 2010 @01:15PM (#34665940) Homepage Journal

    The BBC Newsnight program on the issue (from last February) explains the issue pretty well. Watch it [bbc.co.uk].

    The funny/disturbing thing is why did it take 10 months! for some official at the UK banking industry association to have a revelation/panic and issue such a stupid letter. The professor's response to them is pretty effing on! [cam.ac.uk]

    I think he should've said quite blunty: " listen, our students figured this weakness in your system during their free time, using our shoe string budget". Do you really think high tech criminals and criminal organizations with millions or even more at their disposal won't reproduce this? All you need to do is read the bloody manual! "

    If I was a banker/bank/building society I would seriously consider funding research into this instead of whining about it. I mean those students don't have what the criminals can easily get with just money. At least buy them the latest oscilloscope/logic analyser for god sake! - its a miniscule fraction of the profits the banks make - or even what they stand to loose from such weaknesses...

    • In fact work at a lab, and I say this was a major missed opportunity...

      What they should've said is:

      " Listen, your whole system is flawed and full of holes like a tennis racket made of swiss cheese.

      For a start immediately buy our university department the following:

      - One of each on their catalog [agilent.com]...

      - And their [ni.com]...

      - And their [fluke.com]...

      ...that should cost you only 50-100 million (you might get a discount). Budget it as a long term investment into transaction systems."

      At least such a scenario is a recurr

    • Thanks for linking to that letter! (mod parent up - Informative) I am eager to see the follow-up to this letter, by "UK Cards Association". Probably none, though, as they were thoroughly shown their place by Prof. Anderson.

    • I am baffled as to the mental model people have of academic research. This was a grad student working in a research lab dedicated to software and chip security. You honestly think he didn't have access to a logic analyzer if he needed one?

  • by horza (87255) on Saturday December 25, 2010 @01:27PM (#34666000) Homepage

    Ross Anderson does great work in this field, and has done for decades. The banks are happy to put out a flawed system, and hope that people don't notice they are getting ripped off by criminals. Those that actually do notice get reimbursed if they fight hard enough and manage to win their court case (the banks often falsely convince the judge their system is infallible), and then this simply gets shifted back onto the customers through increased bank charges.

    If you look at his February post [lightbluetouchpaper.org] after they broadcast the problem on Newsnight (major UK political television programme), a large number of the commenters appear to be victims.

    The message is clear: if you take your credit or debit card out with you, or use it online, there is a good chance money will easily be stolen from your account. If somebody swipes and clones your card, they do not need to know your PIN number to extract money from it. The safest way to pay is currently with cash.

    Phillip.

    • by rapiddescent (572442) on Saturday December 25, 2010 @04:42PM (#34666802)

      he does great work in this area but often gets quite a bit of it wrong. I used to work on the other side (i.e. for the banks) and have designed one of the largest CAP 2FA systems in the UK. (which hasn't been broken (yet)). I was never a fan of the retail "chip and PIN" (not the same as CAP, which is Chip Authentication programme) because it trained our customers to type their PIN into any old device which could quite easily be skimming details. (there are lots of cases of this from fake chip and PIN readers to hacked petrol pumps)

      The piggy back method is quite clever - but also well known and has been done before with other ship technologies and the video on TFA was the first time I'd actually seen it working with EMV. It plays on some social hacking because UK customers are being trained to keep hold of their card and not hand over to the checkout person (although, some supermarkets do breach the merchant acquirer principles by "taking a swipe" -- which I personally hate)

      the problem as I see it is that the card should have been sending back a message containing an encoded card counter and other information instead of a binary YES/NO "PIN OK" but the problem has always been that a large proportion of the transactions are under the floor limit or large shops batch up transactions to save on processing fees to the merchant acquirer.

      • by pjt33 (739471)

        he does great work in this area but often gets quite a bit of it wrong.

        Example?

        • sure, this paper "Optimised to Fail: Card Readers for Online Banking" [cam.ac.uk]

          Whilst section 2 "protocol description" is fairly good at the logical description of the process - after that they get it wrong; especially the section around the "bit filter" and the way the various card schemes make use of this feature. e.g. they pick up that bank CAP cards have a different bit filter but not "why" and why that makes a card scheme implementation better or worse. Obviously I can't quite remember the exact maths behind th

  • Some of us would have NEVER KNOWN about this if they did nothing.
    This crap spreads a lot slower if they leave it alone.
    The problem with the internet is once you post it.. it's there forever.
    Drawing attention to it makes it a LOT worse.
    Now there are torrents being made and mirroring is being done so any chance in hell of it being removed or kept quiet just went to -zero-

    How many more years will it take before these corporate idiots realize that once it hits the net it's out there?

  • Please RTFA (Score:2, Insightful)

    by Anonymous Coward

    ...as it is absolutely epic. I adore the parting shot:

    Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has been finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009.

    OWNED!

  • by Talez (468021) on Saturday December 25, 2010 @02:02PM (#34666160)

    They implement Chip and PIN with the chip being a mini flash drive with all your shit on it ready to steal and a PIN authenticator that basically says "this PIN is correct, scout's honour, you can use the banking details!"

    I was expecting it to be implemented a'la GSM with the PIN waking up the crypto-processor, submitting the transaction to the crypto-processor, signing the transaction with the card's details and the PIN pad merely passing along the signed transaction and submitting it to the issuing bank.

    Chip and PIN is the most retarded use of two factor authentication I have ever seen.

    • by Animats (122034) on Saturday December 25, 2010 @03:56PM (#34666626) Homepage

      Chip and PIN is the most retarded use of two factor authentication I have ever seen.

      Certainly the UK version is. Read pages 16 and 17 of the thesis.

      What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.

      The way this is done right is that the bank and merchant send the transaction details to the device, where the user checks them and signs the transaction using their PIN and crypto within the device. The bank and merchant confirm that the transaction is signed properly and the bank confirms the account information. The merchant system never sees the PIN or the customer's private key.

      Of course, the problem with doing it right is that to do a true mutually mistrustful system, the customer has to have a device with a keyboard and display, plus some CPU power. If the merchant owns the PIN pad, that's a vulnerability. That's usually a phone, not a dedicated device, which opens up a new range of vulnerabilities.

      • by makomk (752139)

        What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.

        The really impressive bit is that the cards do have enough CPU power to do encryption. (I think they may even be able to do hardware accelerated public-key encryption.) It's just that whoever designed the system completely and utterly failed make use of this correctly.

    • by tengwar (600847)
      That's not how a GSM SIM works (I am working on a couple of SIM products). Firstly, most of them don't have crypto coprocessors. Secondly, the PIN (or PIN2) doesn't wake anything up. Entering the PIN is required to get access to some of the files on the SIM, so it's more like entering a password the first time you use sudo. However there have been proposals for SIM toolkit financial applications which would work roughly as you describe.
  • by niks42 (768188) on Saturday December 25, 2010 @02:15PM (#34666210)
    I notice with interest that the Ph.D paper has the acknowledgement "I thank my supervisor, Markus Kuhn, for extensive guidance and valuable advice on rigorous design and research"

    Not THE Markus Kuhn for whom many of us have to thank for Season 7, the Sky smartcard emulator and a kickstart into the world of hardware hacking? (in the nicest sense of the word).

    We are not worthy. Omar, you walk in the footprints of a giant.
  • by SmallFurryCreature (593017) on Saturday December 25, 2010 @03:58PM (#34666636) Journal

    I just hate those pushy bankers. Why can't they just keep their place in line behind lawyers for who is going to get it when the revolution comes? Are they afraid we are going to run out of bullets or something?

    Okay, so the line is lawyers, bankers, politicians, republicans. NO pushing ahead. We probably run out of bullets before we got to republicans but we can just have them watch Fox showing a video of a gun firing and they will drop dead from fright.

  • I designed ... (Score:5, Informative)

    by rapiddescent (572442) on Saturday December 25, 2010 @04:32PM (#34666764)

    I designed the CAP/EMV check system employed by one of the UK banks eBanking system. These are the little battery operated units that offer 3 types of 'authentication' that can be typed into an ebanking website after inserting a debit card and performing a PIN entry etc. Some debit cards simply have another couple of programs on the chip on the card that can do simple challenge/response type algorithms to encode input data along with the cards cert to produce a 6 to 8 digit number that the user then types into an ebanking website etc.

    I was wondering how long it would take for the retail chip and pin system to be broken. the core difference between retail units and the ebanking system is that the user returns an encrypted block (inside 6 to 8 digits) containing the card counter (which you can determine by pressing the menu button on any hand held CAP disconnected 2FA reader). If the card counter is out by a **censored** number then the transaction is stopped and a fraud warning is placed on the card.

    Clearly, people can increase their card counter by buggering around putting the card in an out of card readers without doing a transaction and so the odd person gets their card locked down and they just have to ring in for a new one. n (I actually did this by mistake with my own debit card).

    the disconnected CAP 2FA systems were a good few years later than "Chip and PIN" and so had the benefit of a bit better understanding. It should be noted that a large UK bank does not do this with their eBanking system and was nearly picked up on an earlier light-blue touchpaper paper but they didn't quite get that far so i think there are some problems looming for some of the handheld 2 factor authentication units as well. we'll wait and see.

  • by harlows_monkeys (106428) on Saturday December 25, 2010 @06:06PM (#34667144) Homepage

    They did not send a "take-down notice", at least in the way the term is usually used. It normally is used to mean a notice under the DMCA to a service provider that something must be taken down, or more loosely a notice warning that something is in violation of law.

    What was actually sent was simply a request, with no claim of legal authority behind it, asking that the material be removed.

  • In the law, you can't have a tie. Otherwise, you'd have babies split down the middle all over the place, and that would be awful.

    There needs to be a rule to break the tie. In baseball, I was taught, the runner gets the tie. That means that the presumption is that the runner is not out at first base. In other words, if the umpire can't make up her mind, then the runner wins.

    These presumptions are necessary--and quite useful. Such presumptions are REBUTTABLE presumptions. In other words the default is "

"Only the hypocrite is really rotten to the core." -- Hannah Arendt.

Working...