Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses

from the that'll-work dept

The chip and PIN system that is used for financial transactions throughout large parts of Europe and Canada (still surprised that it hasn’t really come to the US…) has numerous vulnerabilities that have been detailed over the years. In the past year alone, there have been a number of problems and weaknesses highlighted with the system. Apparently, the financial industry isn’t happy about this, but rather than fixing the problems it’s reacting in the usual way: going after the messenger. Slashdot points us to the news that the UK Cards Association — a trade group representing banks and credit card companies — has asked Cambridge researchers to remove a thesis which highlights some of the vulnerabilities.

You can see the demand letter embedded below, but it’s fairly amusing. The letter claims that the publication (which you can read about on the author’s (Omar Choudary) website, where he describes a device for intercepting, monitoring and modifying such data) “oversteps the boundaries of what constitutes responsible disclosure.” In other words, they’re not happy about it, so Cambridge should force the student to shut up. Of course, what’s amusing is that after chiding Cambridge University for such irresponsible publishing, the Association then tries to downplay the significance of the whole thing anyway:

Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry’s fraud prevention systems would be able to detect when such an attack had happened.

So why take it down?

Nevertheless, publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them and/or give organised crime access to material they might be able to develop further.

This, of course, is the very definition of an organization that thinks security through obscurity works. The thing is, if these students figured out these problems, it’s pretty damn likely that organized crime had already figured out the same thing and has probably already developed the idea much further. Pretending otherwise is simply naive.

The UK Cards Association then goes on to lecture Cambridge University on its standards of what should be considered publishable, and worries about “future research.” The response from Ross Anderson at Cambridge (linked above) is pretty straightforward, basically saying, yes, you absolutely should be worried about it:

The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

A note to the financial industry: perhaps instead of worrying about student papers, you should worry about a system that is vulnerable to so many problems.


Comments on “Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses”

Designerfx (profile) says:

more to it

note that the article points out that the publication they’re asking them to remove has been available on the web for over 9 months. original link:

this is well beyond trying to put the cat back in the bag, and just straight up ignorance. they asked the school to censor themselves and the school rightfully refused.

Maybe you should have quoted the school’s reply? It’s appropriate:

“Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.”

Designerfx (profile) says:

oh, and the best part

I forgot the last part of their PDF’s reply:

“Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased
that the industry has been finally been able to deal with this security issue, albeit some considerable time
after the original disclosure back in 2009.” Guess that means 2 years ago, not 9 months ago.

Anonymous Coward says:

oh, and the best part

i like how the student was able to pull off a fraudulent transaction; yet if [in the unlikely event] it did happen, the system would catch it..

this broad is so full of shit.

2 years later (after responsible disclosure) and it’s still not fixed… who’s being irresponsible.

way to put some of that spin on it, melanie

Anonymous Coward says:

oh, and the best part

This sort of behavior is typical. I believe D-Link had a security vulnerability at one time in their routers. Someone reported it to D-Link and D-Link didn’t fix the problem. Nine months later, the person who found the vulnerability released info on it to the net and then, after huge backlash, D-Link fixed the security vulnerability on their next firmware release.

ltlw0lf (profile) says:

Maybe they already know...

Maybe the fix would be more than they’re losing.

Sadly, I think you are right about this. It is likely the same reason why they haven’t done anything about rampant identity theft (because their costs are externalized on their customers,) and credit card fraud in general. They could fix the problem but right now the fix is more expensive than their cost of the problem. They could stop sending out personalized forms for credit cards through the mail (which often get intercepted and then used for identity theft,) and some sort of single-use system for credit cards, but both would get in the way of them making the most money (legitimately or otherwise.)

ltlw0lf (profile) says:

oh, and the best part

This sort of behavior is typical.

Or a far more personal example…in 2002, I released a vulnerability report on a particular printer manufacturer who routinely put unauthenticated back-doors in their products. I made sure to communicate with them ahead of time, notifying them that the organization I worked for was very upset with the vulnerability and wanted it fixed, and I was willing to work with them to make sure that a firmware update would be made available to fix the problem. They never responded, even though I sent the email directly to their support folks.

Three weeks later, I released the report, and within six months they were asking my employer to fire me and were asking for my head on a platter. Yet, they did nothing to fix the problem, and introduced new problems in newer versions of their printers. I discovered these newer problems, and contacted them directly, but received no response. I released another report on the newer problems, and they again were asking for my head on a platter. My boss at the time was quite pleased with me, and no one in the organization complied. They tried to buy me off to keep me quiet, but that didn’t work either.

Finally, in another line of printers, I discovered the mother of all unauthenticated back-doors, which allowed direct access to the printer’s memory, and allowed the attacker to read from and inject into the printer’s memory directly. I again contacted them directly. This time, they decided to work with us instead of freaking out and shooting the messenger. They released a technote telling their customers to disable the web server and put all printers behind a firewall which limited access to the web server.

Unfortunately, they haven’t fixed the problem, only covered it up since even their newest printers have the same flaw.

Anonymous Coward says:

Business Ethics

Techdirt has pointed out numerous times that there is a real issue with companies that release products with security vulnerabilities. From something as simple as a printer back door to something as important as a hacked voting machine it appears that companies are universally unwilling to deal with the issue whatever it may be.

Many of these companies have great control in their respective markets and competition just isn’t around. It seems to me that the natural forces of the market just aren’t there to punish these companies’ blatant ethical incompetence.

What does it say about doing business in the world when it appears integrity and honesty has become something of an inside joke?

Richard (profile) says:

Security Maxims

They should read the Argonne security maxims.

Particularly this one:

# Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
# Comment: An entertaining example of this common phenomenon can be found in “Surely You are Joking, Mr. Feynman!”, published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).
