Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses
from the that'll-work dept
The chip and PIN system that is used for financial transactions throughout large parts of Europe and Canada (still surprised that it hasn’t really come to the US…) has numerous vulnerabilities that have been detailed over the years. In the past year alone, there have been a number of problems and weaknesses highlighted with the system. Apparently, the financial industry isn’t happy about this, but rather than fixing the problems it’s reacting in the usual way: going after the messenger. Slashdot points us to the news that the UK Cards Association — a trade group representing banks and credit card companies — has asked Cambridge researchers to remove a thesis which highlights some of the vulnerabilities.
You can see the demand letter embedded below, but it’s fairly amusing. The letter claims that the publication (which you can read about on the website of its author, Omar Choudary, where he describes a device for intercepting, monitoring and modifying such data) “oversteps the boundaries of what constitutes responsible disclosure.” In other words, they’re not happy about it, so Cambridge should force the student to shut up. Of course, what’s amusing is that after chiding Cambridge University for such irresponsible publishing, the Association then tries to downplay the significance of the whole thing anyway:
Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry’s fraud prevention systems would be able to detect when such an attack had happened.
So why take it down?
Nevertheless, publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them and/or give organised crime access to material they might be able to develop further.
This, of course, is the very definition of an organization that thinks security through obscurity works. The thing is, if these students figured out these problems, it’s pretty damn likely that organized crime had already figured out the same thing and has probably developed the idea much further. Pretending otherwise is simply naive.
The UK Cards Association then goes on to lecture Cambridge University on its standards of what should be considered publishable, and worries about “future research.” The response from Ross Anderson at Cambridge (linked above) is pretty straightforward, basically saying, yes, you absolutely should be worried about it:
The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!
A note to the financial industry: perhaps instead of worrying about student papers, you should worry about a system that is vulnerable to so many problems.