UK Banks Attempt To Censor Academic Publication

An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."

The article title is inaccurate and inflammatory.

[Melee_Fracas]

Having read the letter in the supplied link, "take-down notice" is an inappropriate and inflammatory term to use to describe the communication in question.

IANAL, but I am a speaker of the English language. A "take-down notice" would, in common usage, refer to a DMCA (most common) or other style notification that a publisher of some (often allegedly plagiarized) content is legally obligated to remove it, or will enjoy a legal safe harbor if one does so. None of these criteria are met by the letter in question. Also spurious is the use of the word "demand." The letter makes no demands. It expresses (IMO poorly founded) concerns. What we have, instead, is a letter that basically says, "Hey, this bothers us. Would you stop it?"

This may be inappropriate. (It is.) It might be silly. (It is.) It is not, however, a David-and-Goliath story of epic proportion. It is regrettable both that ./ has descended to this kind of pandering in order to attract readership and that, judging by most comments in here, they have consequently succeeded in attracting an audience that doesn't take the minimal time necessary to examine the source material provided and come to a conclusion on the actual merits.

I believe it is customary to shout, "THINK SHEEPLE!," at this time.

Re:The article title is inaccurate and inflammator

[Daniel Dvorkin]

Um, did you read the same letters I did? The Cards Association's letter was exactly a take-down notice ("Our key concern is that this type of research was ever considered suitable for publication by the University ... we would ask that this research be removed from public access immediately") and the reason it doesn't mention the DMCA is because, you know, it's in the UK. And the only reason it's not David-and-Goliath is because Cambridge is Cambridge, a huge and ancient university with one of the best academic reputations in the world, which is ready, willing, and able to fight for academic freedom, as the response letter shows. Your criticism of Slashdot for daring to present the story accurately is bizarre; I honestly have to wonder if you're being paid, or if you're just so blindly faithful to the Golden Rule ("he who has the gold makes the rules") that you can't properly interpret what's right in front of your face.

Re:Good.

[green1]

This is the problem. The banks claim that if a PIN transaction goes through, then it can not be fraudulent as you must have given out your PIN. the problem being what this student is exposing, that PIN transactions don't require the CORRECT PIN as the PIN is verified against the card itself, and not against the bank. meaning a fraudulent card, or fraudulent terminal, can report a correct PIN even when an incorrect PIN was entered.

Basically if someone does this to you, you as the end user are screwed. The bank will refuse liability as "you must have given out your PIN", and if you push the issue, the bank is likely to charge you with fraud yourself (it has happened several times!)

This is the real reason for chip and PIN, it shifts the liability from the bank to the consumer, without shifting the security.

Re:The article title is inaccurate and inflammator

[folderol]

Speaking English is not particularly relevant. Understanding the language is something entirely different. To anyone raised in the British Isles this is very clearly a 'Gentleman's' way of phrasing a demand. What surprises me is not the arrogance of the Banks in making this demand, but the fact they actually think they can intimidate one of the worlds oldest universities. The reply they got was not only right to the point, but devastating in its clarity and accuracy. P.S. Been a /. watcher for years, but only now thought I'd participate :)

I designed ...

[rapiddescent]

I designed the CAP/EMV check system employed by one of the UK banks eBanking system. These are the little battery operated units that offer 3 types of 'authentication' that can be typed into an ebanking website after inserting a debit card and performing a PIN entry etc. Some debit cards simply have another couple of programs on the chip on the card that can do simple challenge/response type algorithms to encode input data along with the cards cert to produce a 6 to 8 digit number that the user then types into an ebanking website etc.

I was wondering how long it would take for the retail chip and pin system to be broken. the core difference between retail units and the ebanking system is that the user returns an encrypted block (inside 6 to 8 digits) containing the card counter (which you can determine by pressing the menu button on any hand held CAP disconnected 2FA reader). If the card counter is out by a **censored** number then the transaction is stopped and a fraud warning is placed on the card.

Clearly, people can increase their card counter by buggering around putting the card in an out of card readers without doing a transaction and so the odd person gets their card locked down and they just have to ring in for a new one. n (I actually did this by mistake with my own debit card).

the disconnected CAP 2FA systems were a good few years later than "Chip and PIN" and so had the benefit of a bit better understanding. It should be noted that a large UK bank does not do this with their eBanking system and was nearly picked up on an earlier light-blue touchpaper paper but they didn't quite get that far so i think there are some problems looming for some of the handheld 2 factor authentication units as well. we'll wait and see.

Re:Good.

[Anonymous Coward]

The PIN is not verified against the card. The vulnerability is a protocol flaw which allows the card to use a different authentication than the terminal. The terminal thinks that the card uses PIN authentication and the card thinks that the transaction is authenticated with a pen and paper signature. If the card actually performed the PIN authentication protocol, it would not verify the PIN itself but use the terminal to communicate with a server which verifies the PIN.

Re:Good.

[TheSunborn]

I don't think its fair to call the pin code pointless. Without the pin code, you could use my card just by stealing it. Now you also have to know the pin code which mean that you can't just steal a card and use it.

But how do you prevent me from stealing a credit card, and just using it(In an atm?) if it don't require a pin code?

But the security situation in eu is getting much better now, because almost all new cards will use a small chip on the card to do the encryption making it much more difficult to read and copy cards.

Re:Good.

[kevinmenzel]

Maybe you just need better banks.

In Canada, debit is not run by the credit companies, it's directly run by the banks themselves, and most credit cards are offered by banks. Most of the banks are actually pretty good about fraud, with fraud departments that will pro-actively look for any sign that either your credit or debit card was misused. My bank (TD), has been quick to alert me that my card MIGHT have been copied, calling to confirm transactions even if my card hasn't actually been copied, and getting a new [debit] card is free and takes about 3 minutes during any of their (quite long) banking hours. Credit cards might take a day or two to arrive in the mail, max.

They are also generally faster than their 4-6 week guideline for refunding fraudulent charges, especially for low amounts (I had about 13.40 or something of fraudulent charges on my debit once, they rushed it through by the end of business day).

Largely, this is because my bank does NOT assume that their security is perfect, and their fraud department often treats you with quite a bit of respect, assuming that you are likely being honest. I'm not sure if this is a regulation thing, having very little experience with other Canadian banks, or a matter of customer service, but there you have it. PIN on debit, PIN on credit, and I have never failed to have any fraudulent transaction, no matter how big or small reversed within the month, and generally they proactively call me before I might notice myself.

It's not a bad situation to be in.