UK Banks Attempt To Censor Academic Publication 162
An anonymous reader writes "Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF). The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online."
Good. (Score:5, Insightful)
Security through obscurity is foolish. If this forces the banks to reinforce what they already know is weak, then I commend both the guy and the university.
Re: (Score:3, Insightful)
It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Aroun
Re: (Score:2, Insightful)
The only reason why they use chip and pin over there is that regulators actually regulate.
It also removes their liability for losses. If there is a problem it'll be because someone got your pin so its your fault.
Re: (Score:3)
That's just not true.
It moves the liability for fraudulent non-PIN transactions to the merchant. They still have to (by law) refund anything you claim as fraud and then investigate.
Re: (Score:3)
And what about the liability for PIN transactions?
Not trolling here, I actually don't know.
Re: (Score:2)
The banking code still stipulates they have to prove negligence on your part. They will,l of course, pretend otherwise - but it is irrelevant.
Re:Good. (Score:4, Insightful)
After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).
Since this exploit seems to allow you to preform fraudulent PIN transactions without actually knowing the PIN, it really does kind of seem like in the case of fraud with this system and this exploit, the system is designed to place liability on the consumer. And if liability is being placed on the consumer, you might as well just use a debit card...
Re: (Score:3)
After a brief googling, the internets (who have been known to lie) seem to indicate that they will claim that if somebody managed to preform a fraudulent PIN transaction, that you were negligent (by allowing your PIN to become known).
When they wrote the law, the system was presumed to be bulletproof, thus allowing the banks to pass on all liability to the customer.
The law needs to be re-written.
Re: (Score:3)
Even with the assumption that the scheme is secure (a bad assumption) automatically making the consumer liable for PIN transactions on a credit-card is a pretty lame idea. We already know from ATM skimmers that PINs are quite easy for fraudsters to acquire. I don't see why credit-cards would ever be desirable over debit-cards with this scheme and law.
Re: (Score:2)
Well, from what I've understood, the banks don't get various late-payment fees with debit cards which they do with credit cards.
Re: (Score:2)
Re:Good. (Score:5, Informative)
This is the problem. The banks claim that if a PIN transaction goes through, then it can not be fraudulent as you must have given out your PIN. the problem being what this student is exposing, that PIN transactions don't require the CORRECT PIN as the PIN is verified against the card itself, and not against the bank. meaning a fraudulent card, or fraudulent terminal, can report a correct PIN even when an incorrect PIN was entered.
Basically if someone does this to you, you as the end user are screwed. The bank will refuse liability as "you must have given out your PIN", and if you push the issue, the bank is likely to charge you with fraud yourself (it has happened several times!)
This is the real reason for chip and PIN, it shifts the liability from the bank to the consumer, without shifting the security.
Re:Good. (Score:5, Informative)
The PIN is not verified against the card. The vulnerability is a protocol flaw which allows the card to use a different authentication than the terminal. The terminal thinks that the card uses PIN authentication and the card thinks that the transaction is authenticated with a pen and paper signature. If the card actually performed the PIN authentication protocol, it would not verify the PIN itself but use the terminal to communicate with a server which verifies the PIN.
Re: (Score:2)
Of course PIN is verified against the card!
that's part of the point of EMV. The PIN you enter is mangled with some other data and presented to the card, which then answers yes or no.
This attack is to bypass that section, but without the bypass yes the card does verify. The server can (and should, IMHO) verify also
Re: (Score:2)
Not saying it is correct, but wikipedia suggests that the pin is verified by the card.
Re:Good. (Score:4, Insightful)
You as a consumer should never use a pin-based card--doing so completely vitiates your protections under the law.
Consequently, PINs are almost never used in the US for credit card transactions. You have to go to Europe to encounter this oddity. What's crazy is that no one seems to realize that the best remedy is to just abandon the farce.
Farce? Yes, the incident of fraud does not go down with pin systems. This is one in a long stream of vulnerabilities; there have always been attacks against these fixed-pin systems that make them pointless: pin observation either visually or through man-in-middle compromise of the hardware. Basically there is always a moment when the pin is in the clear. This interacts badly with legal regimes that regard 'pin as proof' of identify, and ultimately consumers can and should reject to participate in these systems. period.
What does need to be more common--for online banking and e-commerce--are key fobs with rotating time-based pin displays. That would be a marked step forward.
Re:Good. (Score:4, Informative)
I don't think its fair to call the pin code pointless. Without the pin code, you could use my card just by stealing it. Now you also have to know the pin code which mean that you can't just steal a card and use it.
But how do you prevent me from stealing a credit card, and just using it(In an atm?) if it don't require a pin code?
But the security situation in eu is getting much better now, because almost all new cards will use a small chip on the card to do the encryption making it much more difficult to read and copy cards.
Re: (Score:3)
Consequently, PINs are almost never used in the US for credit card transactions.
yes, instead you have signatures, which are just as laughable.
Re: (Score:2)
Signatures don't transfer liability to the consumer.
Therefore, far less laughable. The only reason I use a credit-card is because they remove liability from myself.
Re:Good. (Score:5, Informative)
Maybe you just need better banks.
In Canada, debit is not run by the credit companies, it's directly run by the banks themselves, and most credit cards are offered by banks. Most of the banks are actually pretty good about fraud, with fraud departments that will pro-actively look for any sign that either your credit or debit card was misused. My bank (TD), has been quick to alert me that my card MIGHT have been copied, calling to confirm transactions even if my card hasn't actually been copied, and getting a new [debit] card is free and takes about 3 minutes during any of their (quite long) banking hours. Credit cards might take a day or two to arrive in the mail, max.
They are also generally faster than their 4-6 week guideline for refunding fraudulent charges, especially for low amounts (I had about 13.40 or something of fraudulent charges on my debit once, they rushed it through by the end of business day).
Largely, this is because my bank does NOT assume that their security is perfect, and their fraud department often treats you with quite a bit of respect, assuming that you are likely being honest. I'm not sure if this is a regulation thing, having very little experience with other Canadian banks, or a matter of customer service, but there you have it. PIN on debit, PIN on credit, and I have never failed to have any fraudulent transaction, no matter how big or small reversed within the month, and generally they proactively call me before I might notice myself.
It's not a bad situation to be in.
Re: (Score:2)
The banks are credit companies. Visa and Mastercard are payment processors not credit providers, they do not issue or manage credit accounts.
Re: (Score:2)
Under US law, you mean.
It's funny that the rest of the debitcard-using world looks at the US signature system as an oddity, a hopelessly backwards legacy system.
For fuck's sake, do you really think Visa and Mastercard would be forcibly rolling out chipcards if it wasn't safer ? The cards are certainly not cheaper for them.
Re: (Score:2)
"Cardholder present" fraud has dropped massively in the UK. It's been replaced by online fraud, and overseas fraud -- typically, producing fake cards in the US with UK card details, since the UK bank will accept a non-PIN transaction from the US. If I want to use my card outside Europe I have to phone the bank (otherwise, they'll block the transaction and phone me when I try and use the card).
Re: (Score:2)
Legally, it has nothing toi do with what type of transaction (in the UK where I did my EMV stuff). In law the CC company is a party to the debt and therefore responsible for it (for some reason). Therefore (and I really don't know how this follows, but IANAL) they have to give the money back the moment you challenge it, regardless of circumstance.
They then investigate with the help of the authorities and if they can prove it was you then you get charged with fraud (well, maybe, it's possible, I've never see
Re:Good. (Score:5, Insightful)
It's probably not as big an issue in the UK and Europe in general given that they seem to be at least halfway serious about holding financial institutions responsible when they lose customer data. Around here the best you can hope for is a minor slap on the wrist.
HAHAHAHAHAHAHAHAHAHAHAHHAHAHAHA!!!! You are having a fucking laugh!
Seriously, have you ever thought of going into stand up? My own mortgage company was raked over the coals for losing a laptop with customer data on it. IIRC the fine wasn't huge by mortgage company standards - around £500,000. It got in the news all right - it was still one of the biggest fines that had been levied at the time. They're not a bank, they're a building society. I don't know if these things exist in the US, but essentially it's a money-lending institution owned by its customers.
They wrote me (along with, I imagine, all their other customers) a letter.
It was a couple of years ago and I can't remember the exact wording, but broadly speaking they said:
"As you may be aware, we have been fined for losing all this customer data. We don't think it's fair to take it out of the chairman's bonus, so instead we're passing it on to you lot. Thank you for being a customer".
Re: (Score:3)
Re: (Score:2)
Sounds like everything worked out exactly as it should: The company misbehaved, got fined, and the owners of the company (i.e. you) paid the fine. If you don't like the way management is taking care of business, you and the other owners get together and sack the bastards.
Re: (Score:3)
Re: (Score:3)
$50 per card? what planet are you on?
they are glorified, oversized SIM cards...lol
most banks don't charge for a replacement card here in the UK however those that do only charge a mere £5 which is pretty FAR from $50
Re: (Score:2)
Same for Germany and Austria. 5 bucks replacement fee for the whole procedure, including the two letters which will get you the new card and the new PIN.
Re: (Score:2)
You make it sound so sleazy.
The speed with which you can get a credit card canceled and a new one issued by US banks after a loss or theft probably DOES make it cheaper to simply pay off the losses rather than us an expensive (and flawed) chip & pin system.
Plus, there is no evidence c&p was a regulatory mandate. And if it turns out that it was a regulatory mandate it was still defective.
Nor is there any evidence c&p has lead to lower credit card fees.
This has nothing to do with regulations. It
Re: (Score:3)
It's a case of the market finding the lowest cost solution that still protects the banks from CC fraud.
ftfy
Re: (Score:2)
Around here the best you can hope for is a minor slap on the wrist.
A slap on the wrist? A SLAP ON THE WRIST??? We can't go around slapping bankers on the wrist! Capitalism will die, the economy will collapse, and we'll all decline into socialism(*)! Then, the gulags and death camps will open! Stalin will rise from the grave with Hitler and have a coffee klatch! There is no Dana, only Zuul!
Re:Good. (Score:5, Funny)
Ideally this streisand effect multiplier will force them to change, and that will be good, but how is it in this day and age that large institutions are still trying to suppress news stories? It implies that not only did they totally miss one of the big lessons of wikileaks, they didn't see "Serenity" either ("you can't stop the signal") and that's just sad.
What was going on in the board room or exec room when that decision was made? "Well, gee, this is bad. Our strategy guy and media guy are both out on holidays, but I think our action is pretty clear: murder the guy. Oh, we don't have an assassin on retainer? Well, lets get on that and in the meantime we'll just try to keep it from press. That will probably work, no harm there."
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
BANKER: I want that students paper rated EC-10 and BURNED!
ASSISTANT: For the last time sir, Equilibrium was not a documentary...
Fix the weakest link first (Score:2)
Who cares? EMV is FAR more secure than the other methods of CC payments, most notably buying online with nothing more than the information displayed on the card in full view of the customers (or hidden cameras) next to you. For this exploit to work in the real world, the criminals must already have the card. If they already have the card they can easily withdraw money in other methods.
So EMV is flawed? It is by no means the weakest link. If EMV was 100% secure, CCs would still be just as insecure as they ar
That's not a demand. It's a request. (Score:2)
Albeit a foolish one.
Re: (Score:3)
That's important to note. However, they're taking their fucking time fixing it (it's been a year since the first notification) - only Barclays' system has been fixed so far - so they aren't really justified in making such a request.
Re: (Score:2)
Re: (Score:2)
It isn't a security vulnerability if you trust the terminals. They trust the terminals. Thus, asserting there's some hole is false in their minds. Someone is spreading false information that harms their business, so they want that informati
Re: (Score:2)
It's not false information. The system has become more open to fraud, and very few people who own these cards has been told about it.
Isn't it totally disingenuous to act like nothing's changed, when in fact owning these cards has become more risky? Isn't it even more of a dick move to ask that all information regarding it be censored?
Re: (Score:3)
Well, I admit my assumptions are:
1. Barclays is a big bank (or banking syndicate, or whatever).
2. There aren't massive differences between big banks as far as the extent of chip and pin services or the ability to roll out updates to them are concerned.
->
What the hell are they (except Barclays) doing? They've got enough money to pay themselves big fat bonuses in a depression - how come they haven't got enough to repair a widely-used system in order to protect their customers from fraud? It's almost as if
Re: (Score:2)
When a large, powerful corporate organization sends a "request" like that, it's a demand. If someone puts a gun to your head and says, "I'd like to request your wallet now," do you think you're not being mugged?
Amusing to read (Score:5, Interesting)
The university's response completely owns the bank.
"1. Why don't you have the balls to complain to the guy who actually published it? 2. Why do you suddenly object to research based on something that was already published, like, years ago, and which we warned you about before? 3. Why are you defrauding your customers by pretending your shitty system is secure, and on what grounds do you demand our help with that? 4. Fuck you this is a anteater^W university."
Re: (Score:2)
It's nice. I wish academics more often had the balls to call these crooks out. Maybe it will serve as a memo to more people that there's a greater sense to be had. I mean, it's not gonna fix the world's problems, but at least it will stop peopel from worshipping the corporate machine (at least to the extent that they are so worshipped in the US).
Nice... (Score:5, Funny)
by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:
Re: (Score:2)
by linking to the pdf of the thesis, Slashdot is effectively publishing said thesis D:
And I suppose you're also going to tell us that by listing a book's author, publisher and ISDN [wikipedia.org], a library or bookseller's catalog is also "publishing" the book.
Both are equally nonsense. Publishing is done by the publisher (the university in this case), not by someone who merely tells you where to find the publication.
This would be simple silliness if it weren't for the fact that organizations (companies and governments) have been known to file charges against web sites that merely link to some infringing material. Google and other search sites have been hit with this, and it's the basis of the bogus charges against piratebay. So we should be objecting publicly to the attempts to blur the distinction between actually publishing something and merely telling people where the publishers or distributors can be found.
Re: (Score:2)
Re: (Score:2)
To be f
There are ways around their attacks (Score:4, Insightful)
Institute checks at the acquiring or issuing bank that make sure the card and the terminal agree that it was a PIN transaction, that would seem to be an obvious one. And comparatively easy.
Failing that, remove the signature verification auth method from cards, can be done via an update delivered during any transaction.
Or make all PIN transactions over the floor limit the 'online PIN verification' type.
EMV has problems by the looks of it, if you have a sophisticated MITM machine, but it wouldn't take much to fix the problem with this attack.
That said, the banks still shouldn't be suppressing the research.
Well done, Cambridge. (Score:2)
There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.
Of course the bankers would just rather be lazy and not have to fix their shit system.
Re: (Score:2)
and that last line sums all rent based businesses...
Banks (Score:4, Insightful)
They just got used to be douchebags and unpunished. Until the guillottine starts chopping some heads again, it won't get any better.
Yes, I'm bitter and a bit hopeless.
Do they have anything like the 1st over there? (Score:2)
Do they have anything like the 1st over there?
whistle blower laws?
Comment removed (Score:5, Insightful)
Re:Better idea (Score:5, Insightful)
Because they are corrupt. If they incorporate this research, their friends who own the chip and pin companies may not be capable of fulfilling the concomitant contracts that would derive from increased rigor. They consider security to be a cost center.
Re: (Score:3)
What's sad is the assumption that the "bad guys" don't know about this already. This is one of those stupid "What I don't know, can't hurt me" craps. God forbid someone points out that the emperor has no clothes.
It's something I have observed in many businesses. Unknown risk can't be quantified, and thus doesn't get a dollar cost or reported in figures. It's unknown. Known risk gets reported, tracked, quantified, and requires expenditure of resources to mitigate. Unfortunately, failure to do so of the
Re: (Score:2)
Curiosity is an exercise done in a dark closet, alone.
That sounded dirtier than I meant it to be.
Re: (Score:2)
In the wonderful world of corporations, you take a perfectly working (to them) system and leave it be. Doesn't matter if .0001% of transactions are fraudulent. It's cheaper for them to let it be until market forces (increasing fraud, legislation, etc) make them shell out the money to upgrade the system. Doesn't matter who gets screwed in the process as long as it isn't them. Publishing this research is basically taking the inevitable (widespread fraud) and moving that a bit closer.
The way the legal syst
Advice to Bankers (Score:5, Insightful)
The BBC Newsnight program on the issue (from last February) explains the issue pretty well. Watch it [bbc.co.uk].
The funny/disturbing thing is why did it take 10 months! for some official at the UK banking industry association to have a revelation/panic and issue such a stupid letter. The professor's response to them is pretty effing on! [cam.ac.uk]
I think he should've said quite blunty: " listen, our students figured this weakness in your system during their free time, using our shoe string budget". Do you really think high tech criminals and criminal organizations with millions or even more at their disposal won't reproduce this? All you need to do is read the bloody manual! "
If I was a banker/bank/building society I would seriously consider funding research into this instead of whining about it. I mean those students don't have what the criminals can easily get with just money. At least buy them the latest oscilloscope/logic analyser for god sake! - its a miniscule fraction of the profits the banks make - or even what they stand to loose from such weaknesses...
Shopping list for Bankers (Score:2)
In fact work at a lab, and I say this was a major missed opportunity...
What they should've said is:
" Listen, your whole system is flawed and full of holes like a tennis racket made of swiss cheese.
For a start immediately buy our university department the following:
- One of each on their catalog [agilent.com]...
- And their [ni.com]...
- And their [fluke.com]...
...that should cost you only 50-100 million (you might get a discount). Budget it as a long term investment into transaction systems."
At least such a scenario is a recurr
Re: (Score:2)
Thanks for linking to that letter! (mod parent up - Informative) I am eager to see the follow-up to this letter, by "UK Cards Association". Probably none, though, as they were thoroughly shown their place by Prof. Anderson.
Re: (Score:2)
I am baffled as to the mental model people have of academic research. This was a grad student working in a research lab dedicated to software and chip security. You honestly think he didn't have access to a logic analyzer if he needed one?
Well done Ross Anderson (Score:5, Insightful)
Ross Anderson does great work in this field, and has done for decades. The banks are happy to put out a flawed system, and hope that people don't notice they are getting ripped off by criminals. Those that actually do notice get reimbursed if they fight hard enough and manage to win their court case (the banks often falsely convince the judge their system is infallible), and then this simply gets shifted back onto the customers through increased bank charges.
If you look at his February post [lightbluetouchpaper.org] after they broadcast the problem on Newsnight (major UK political television programme), a large number of the commenters appear to be victims.
The message is clear: if you take your credit or debit card out with you, or use it online, there is a good chance money will easily be stolen from your account. If somebody swipes and clones your card, they do not need to know your PIN number to extract money from it. The safest way to pay is currently with cash.
Phillip.
Re:Well done Ross Anderson (Score:5, Insightful)
he does great work in this area but often gets quite a bit of it wrong. I used to work on the other side (i.e. for the banks) and have designed one of the largest CAP 2FA systems in the UK. (which hasn't been broken (yet)). I was never a fan of the retail "chip and PIN" (not the same as CAP, which is Chip Authentication programme) because it trained our customers to type their PIN into any old device which could quite easily be skimming details. (there are lots of cases of this from fake chip and PIN readers to hacked petrol pumps)
The piggy back method is quite clever - but also well known and has been done before with other ship technologies and the video on TFA was the first time I'd actually seen it working with EMV. It plays on some social hacking because UK customers are being trained to keep hold of their card and not hand over to the checkout person (although, some supermarkets do breach the merchant acquirer principles by "taking a swipe" -- which I personally hate)
the problem as I see it is that the card should have been sending back a message containing an encoded card counter and other information instead of a binary YES/NO "PIN OK" but the problem has always been that a large proportion of the transactions are under the floor limit or large shops batch up transactions to save on processing fees to the merchant acquirer.
Re: (Score:2)
he does great work in this area but often gets quite a bit of it wrong.
Example?
Re: (Score:3)
sure, this paper "Optimised to Fail: Card Readers for Online Banking" [cam.ac.uk]
Whilst section 2 "protocol description" is fairly good at the logical description of the process - after that they get it wrong; especially the section around the "bit filter" and the way the various card schemes make use of this feature. e.g. they pick up that bank CAP cards have a different bit filter but not "why" and why that makes a card scheme implementation better or worse. Obviously I can't quite remember the exact maths behind th
Why does it always happen this way..... (Score:2)
Some of us would have NEVER KNOWN about this if they did nothing.
This crap spreads a lot slower if they leave it alone.
The problem with the internet is once you post it.. it's there forever.
Drawing attention to it makes it a LOT worse.
Now there are torrents being made and mirroring is being done so any chance in hell of it being removed or kept quiet just went to -zero-
How many more years will it take before these corporate idiots realize that once it hits the net it's out there?
Please RTFA (Score:2, Insightful)
...as it is absolutely epic. I adore the parting shot:
Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has been finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009.
OWNED!
Why the fuck does a PIN pad get the bank details? (Score:5, Insightful)
They implement Chip and PIN with the chip being a mini flash drive with all your shit on it ready to steal and a PIN authenticator that basically says "this PIN is correct, scout's honour, you can use the banking details!"
I was expecting it to be implemented a'la GSM with the PIN waking up the crypto-processor, submitting the transaction to the crypto-processor, signing the transaction with the card's details and the PIN pad merely passing along the signed transaction and submitting it to the issuing bank.
Chip and PIN is the most retarded use of two factor authentication I have ever seen.
Re:Why the fuck does a PIN pad get the bank detail (Score:5, Interesting)
Chip and PIN is the most retarded use of two factor authentication I have ever seen.
Certainly the UK version is. Read pages 16 and 17 of the thesis.
What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.
The way this is done right is that the bank and merchant send the transaction details to the device, where the user checks them and signs the transaction using their PIN and crypto within the device. The bank and merchant confirm that the transaction is signed properly and the bank confirms the account information. The merchant system never sees the PIN or the customer's private key.
Of course, the problem with doing it right is that to do a true mutually mistrustful system, the customer has to have a device with a keyboard and display, plus some CPU power. If the merchant owns the PIN pad, that's a vulnerability. That's usually a phone, not a dedicated device, which opens up a new range of vulnerabilities.
Re: (Score:2)
What's so lame about this is that it's a reasonably recent system design. How to do this right has been understood since the 1980s, and getting enough CPU power into the card to do an encryption isn't that big a deal.
The really impressive bit is that the cards do have enough CPU power to do encryption. (I think they may even be able to do hardware accelerated public-key encryption.) It's just that whoever designed the system completely and utterly failed make use of this correctly.
Re: (Score:2)
The hand of a famous smart card hacker behind this (Score:5, Interesting)
Not THE Markus Kuhn for whom many of us have to thank for Season 7, the Sky smartcard emulator and a kickstart into the world of hardware hacking? (in the nicest sense of the word).
We are not worthy. Omar, you walk in the footprints of a giant.
Geez, stop SHOVING you bankers (Score:3, Insightful)
I just hate those pushy bankers. Why can't they just keep their place in line behind lawyers for who is going to get it when the revolution comes? Are they afraid we are going to run out of bullets or something?
Okay, so the line is lawyers, bankers, politicians, republicans. NO pushing ahead. We probably run out of bullets before we got to republicans but we can just have them watch Fox showing a video of a gun firing and they will drop dead from fright.
Re: (Score:2)
I designed ... (Score:5, Informative)
I designed the CAP/EMV check system employed by one of the UK banks eBanking system. These are the little battery operated units that offer 3 types of 'authentication' that can be typed into an ebanking website after inserting a debit card and performing a PIN entry etc. Some debit cards simply have another couple of programs on the chip on the card that can do simple challenge/response type algorithms to encode input data along with the cards cert to produce a 6 to 8 digit number that the user then types into an ebanking website etc.
I was wondering how long it would take for the retail chip and pin system to be broken. the core difference between retail units and the ebanking system is that the user returns an encrypted block (inside 6 to 8 digits) containing the card counter (which you can determine by pressing the menu button on any hand held CAP disconnected 2FA reader). If the card counter is out by a **censored** number then the transaction is stopped and a fraud warning is placed on the card.
Clearly, people can increase their card counter by buggering around putting the card in an out of card readers without doing a transaction and so the odd person gets their card locked down and they just have to ring in for a new one. n (I actually did this by mistake with my own debit card).
the disconnected CAP 2FA systems were a good few years later than "Chip and PIN" and so had the benefit of a bit better understanding. It should be noted that a large UK bank does not do this with their eBanking system and was nearly picked up on an earlier light-blue touchpaper paper but they didn't quite get that far so i think there are some problems looming for some of the handheld 2 factor authentication units as well. we'll wait and see.
Re: (Score:2)
it's no wonder that your report was mis-interpreted; there are so many companies involved from the acquirers, merchant tech firms, reader firms, APACS, the banks, scheme networks, the merchants themselves.
the banking system has more than it's fair share of black magic fairy dust holding it together.
Not a "take-down notice". (Score:3)
They did not send a "take-down notice", at least in the way the term is usually used. It normally is used to mean a notice under the DMCA to a service provider that something must be taken down, or more loosely a notice warning that something is in violation of law.
What was actually sent was simply a request, with no claim of legal authority behind it, asking that the material be removed.
Misuse of the Irrebuttable Presumption (Score:2)
In the law, you can't have a tie. Otherwise, you'd have babies split down the middle all over the place, and that would be awful.
There needs to be a rule to break the tie. In baseball, I was taught, the runner gets the tie. That means that the presumption is that the runner is not out at first base. In other words, if the umpire can't make up her mind, then the runner wins.
These presumptions are necessary--and quite useful. Such presumptions are REBUTTABLE presumptions. In other words the default is "
Re: (Score:2)
Re: (Score:2)
It's a few years since I worked with EMV, but IIRC the terminal and the card send a cryptogram to the bank on transactions over the floor limit. These should contain the methods that each think was used for authorisation. Sounds like the banks don't check for irt being consistent, at present.
Re: (Score:3, Insightful)
And what exactly would they sue him for?
Re: (Score:2)
Re: (Score:3)
Except in the UK they will lose, and lose big. Frivolous lawsuits are looked down upon.
Taking on one of the largest universities in the world, with alumni who are incredibly powerful, is not a good idea.
Re: (Score:2)
Re:The article title is inaccurate and inflammator (Score:5, Informative)
Um, did you read the same letters I did? The Cards Association's letter was exactly a take-down notice ("Our key concern is that this type of research was ever considered suitable for publication by the University ... we would ask that this research be removed from public access immediately") and the reason it doesn't mention the DMCA is because, you know, it's in the UK. And the only reason it's not David-and-Goliath is because Cambridge is Cambridge, a huge and ancient university with one of the best academic reputations in the world, which is ready, willing, and able to fight for academic freedom, as the response letter shows. Your criticism of Slashdot for daring to present the story accurately is bizarre; I honestly have to wonder if you're being paid, or if you're just so blindly faithful to the Golden Rule ("he who has the gold makes the rules") that you can't properly interpret what's right in front of your face.
Re: (Score:2, Insightful)
Is there no difference between the interrogative ("..we would ask...") and the imperative (for example, "...we demand that you remove...")?
If we're going to call this a "take-down notice," what will we call it when Cards actually notifies Cambridge that they are demanding that Cambridge remove some other content and that Cards believes they have the legal force of law to require it? Will that be a "take-down sexual assault?"
Simply put, there can be letters that are not take-down notices. This is one of the
Re: (Score:3)
This looks more like the opening volley in a lawsuit than a polite request. It details that the student built a device (or designed it), that the police know he falsified a transaction in a shop, and claims that publication is a hazard to people's money. That the language is polite is irrelevant: it's notification of a cause for action that can be referred to later and it demands ('requests') that the paper be removed from public access.
As for being prostrate before moneyed interests, i don't understand it
Re: (Score:3)
Is there no difference between the interrogative ("..we would ask...") and the imperative (for example, "...we demand that you remove...")?
When the person asking has infinite money and infinite lawyers... no.
Re: (Score:2)
Cambridge is Cambridge, a huge and ancient university with one of the best academic reputations in the world, which is ready, willing, and able to fight for academic freedom
That gives me this mental image of Stephen Hawking wearing one of those old WW1 British "pie-pan" helmets while chasing scantily-clad female soldiers in his trademark powered wheelchair which has had all manner of huge guns, rockets, etc bolted to it such that it suddenly over-balances and falls over on its' side in typical "Monty Python"/"Benny Hill" style ("Yakkety Sax" theme music optional).
Strat
Re: (Score:2)
It is regrettable both that ./ has descended to this kind of pandering in order to attract readership and that, judging by most comments in here, they have consequently succeeded in attracting an audience that doesn't take the minimal time necessary to examine the source material provided and come to a conclusion on the actual merits.
/. has descended to not RTFA'ing? For Zombie Jesus' sake, it's a sport here with its own acronym. Ever since, well, day 1. Even a 7-digit UID should know that.
Re: (Score:2)
IANAL, but I am a speaker of the English language.
You don't say.
Please do tell us what the name of this fancy "UK DMCA" law is called. What's that, you're an authoritarian who wants the world to live by the USA's laws? I couldn't quite hear you, that's all I could make out.
Oh right, you're actually referring to the "other style notification." What form would this take, exactly, in order to be legally defensible? In the UK? Maybe "state secrets," eh?
Re:The article title is inaccurate and inflammator (Score:5, Informative)
Re: (Score:2)
Been a /. watcher for years, but only now thought I'd participate :)
Welcome! : ) And happy holidays.
Re: (Score:2)
Re: (Score:2)
In other words, people don't RTFA.
In other news: water is wet, the sun it bright, the moon is round and sarcasm is the lowest form of wit.
Re: (Score:2)
To the banks it doesn't matter if a device or procedure is secure it's what the perception is...
This behavior is not just limited to banks. Any institution behaves in a similar fashion.