Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses

from the that'll-work dept

The chip and PIN system that is used for financial transactions throughout large parts of Europe and Canada (still surprised that it hasn't really come to the US...) has numerous vulnerabilities that have been detailed over the years. In the past year alone, there have been a number of problems and weaknesses highlighted with the system. Apparently, the financial industry isn't happy about this, but rather than fixing the problems it's reacting in the usual way: going after the messenger. Slashdot points us to the news that the UK Cards Association -- a trade group representing banks and credit card companies -- has asked Cambridge researchers to remove a thesis which highlights some of the vulnerabilities.

You can see the demand letter embedded below, and it's fairly amusing. The letter claims that the publication (which you can read about on the website of its author, Omar Choudary, where he describes a device for intercepting, monitoring and modifying such data) "oversteps the boundaries of what constitutes responsible disclosure." In other words, they're not happy about it, so Cambridge should force the student to shut up. Of course, what's amusing is that after chiding Cambridge University for such irresponsible publishing, the Association then tries to downplay the significance of the whole thing anyway:
Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry's fraud prevention systems would be able to detect when such an attack had happened.
So why take it down?
Nevertheless, publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them and/or give organised crime access to material they might be able to develop further.
This, of course, is the very definition of an organization that thinks security through obscurity works. The thing is, if these students figured out these problems, it's pretty damn likely that organized crime has already figured out the same thing and has probably already developed the idea much further. Pretending otherwise is simply naive.

The UK Cards Association then goes on to lecture Cambridge University on its standards of what should be considered publishable, and worries about "future research." The response from Ross Anderson at Cambridge (linked above) is pretty straightforward, basically saying, yes, you absolutely should be worried about it:
The bankers also fret that "future research, which may potentially be more damaging, may also be published in this level of detail". Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that's been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!
A note to the financial industry: perhaps instead of worrying about student papers, you should worry about a system that is vulnerable to so many problems.


Reader Comments

  1.  
    Designerfx (profile), Dec 27th, 2010 @ 9:51am

    more to it

    note that the article points out that the publication they're asking them to remove has been available on the web for over 9 months. original link: http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

    this is well beyond trying to put the cat back in the bag, and just straight up ignorance. they asked the school to censor themselves and the school rightfully refused.

    Maybe you should have quoted the school's reply? It's appropriate:

    "Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."


  2.  
    Designerfx (profile), Dec 27th, 2010 @ 9:53am

    oh, and the best part

    I forgot the last part of their PDF's reply:

    "Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has been finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009." Guess that means 2 years ago, not 9 months ago.


  3.  
    Anonymous Coward, Dec 27th, 2010 @ 10:04am

    Re: oh, and the best part

    It's like these people want a backdoor, that no one else knows about, to exist so that they personally can exploit it.


  4.  
    ChurchHatesTucker (profile), Dec 27th, 2010 @ 10:05am

    Priorities

    The 'funny' part is that these banks hire the hell out of mathematicians and whatnot. Pity they're more interested in putting them to work in creating tranches that nobody else can understand than in, y'know, coming up with rudimentary security.


  5.  
    Anonymous Coward, Dec 27th, 2010 @ 10:06am

    Re: oh, and the best part

    i like how the student was able to pull off a fraudulent transaction; yet if [in the unlikely event] it did happen, the system would catch it..

    this broad is so full of shit.

    2 years later (after responsible disclosure) and it's still not fixed... who's being irresponsible.


    way to put some of that spin on it, melanie


  6.  
    Anonymous Coward, Dec 27th, 2010 @ 10:19am

    Re: Re: oh, and the best part

    This sort of behavior is typical. I believe D-Link had a security vulnerability at one time in their routers. Someone reported it to D-Link and D-Link didn't fix the problem. Nine months later, the person who found the vulnerability released info on it to the net and then, after huge backlash, D-Link fixed the security vulnerability on their next firmware release.


  7.  
    Tara Li, Dec 27th, 2010 @ 10:29am

    Maybe they already know...

    Maybe the financial institutions already know organized crime is using this and other similar attacks, but as they can quantify it and just charge it as an expense, they don't want to bother actually fixing it. Maybe the fix would be more than they're losing.


  8.  
    Anonymous Coward, Dec 27th, 2010 @ 10:41am

    Re: more to it

    "[C]ensoring writings that offend the powerful is offensive to our deepest values."

    That is a beautiful quote.


  9.  
    ltlw0lf (profile), Dec 27th, 2010 @ 10:45am

    Re: Maybe they already know...

    Maybe the fix would be more than they're losing.

    Sadly, I think you are right about this. It is likely the same reason why they haven't done anything about rampant identity theft (because their costs are externalized on their customers,) and credit card fraud in general. They could fix the problem but right now the fix is more expensive than their cost of the problem. They could stop sending out personalized forms for credit cards through the mail (which often get intercepted and then used for identity theft,) and some sort of single-use system for credit cards, but both would get in the way of them making the most money (legitimately or otherwise.)


  10.  
    ltlw0lf (profile), Dec 27th, 2010 @ 11:16am

    Re: Re: Re: oh, and the best part

    This sort of behavior is typical.

    Or a far more personal example...in 2002, I released a vulnerability report on a particular printer manufacturer who routinely put unauthenticated back-doors in their products. I made sure to communicate with them ahead of time, notifying them that the organization I worked for was very upset with the vulnerability and wanted it fixed, and I was willing to work with them to make sure that a firmware update would be made available to fix the problem. They never responded, even though I sent the email directly to their support folks.

    Three weeks later, I released the report, and within six months they were asking my employer to fire me and were asking for my head on a platter. Yet, they did nothing to fix the problem, and introduced new problems in newer versions of their printers. I discovered these newer problems, and contacted them directly, but received no response. I released another report on the newer problems, and they again were asking for my head on a platter. My boss at the time was quite pleased with me, and no one in the organization complied. They tried to buy me off to keep me quiet, but that didn't work either.

    Finally, in another line of printers, I discovered the mother of all unauthenticated back-doors, which allowed direct access to the printer's memory, and allowed the attacker to read from and inject into the printer's memory directly. I again contacted them directly. This time, they decided to work with us instead of freaking out and shooting the messenger. They released a technote telling their customers to disable the web server and put all printers behind a firewall which limited access to the web server.

    Unfortunately, they haven't fixed the problem, only covered it up since even their newest printers have the same flaw.


  11.  
    chris (profile), Dec 27th, 2010 @ 1:00pm

    Re: Re: oh, and the best part
    never attribute to malice that which can also be explained by stupidity.

    i think this is probably honest to god ignorance. i see the same reaction all the time when people haven't thought a security issue all the way through.


  12.  
    The eejit (profile), Dec 27th, 2010 @ 1:05pm

    Re: Maybe they already know...

    They knew years ago that chip-n-PIN could be skimmed. It's just a little harder than skimming a normal magstripe card.

    I should know, I did it on my own Debit Card in 2006 as part of a CompSci project. they don't really care who uses your card, so long as the fees get paid.


  13.  
    Anonymous Coward, Dec 27th, 2010 @ 1:06pm

    Re: Re: Maybe they already know... Yep, they do!

    This is the real secret of big business nowadays. By externalizing costs they can ignore the fact that they are practicing bad business. It is a problem with business ethics that still hasn't been addressed seriously by anyone in the US.


  14.  
    Anonymous Coward, Dec 27th, 2010 @ 1:24pm

    Business Ethics

    Techdirt has pointed out numerous times that there is a real issue with companies that release products with security vulnerabilities. From something as simple as a printer back door to something as important as a hacked voting machine it appears that companies are universally unwilling to deal with the issue whatever it may be.

    Many of these companies have great control in their respective markets and competition just isn't around. It seems to me that the natural forces of the market just aren't there to punish these companies' blatant ethical incompetence.

    What does it say about doing business in the world when it appears integrity and honesty have become something of an inside joke?


  15.  
    Richard (profile), Dec 27th, 2010 @ 1:53pm

    Security Maxims

    They should read the Argonne security maxims.

    Particularly this one:

    Feynman's Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.

    Comment: An entertaining example of this common phenomenon can be found in "Surely You are Joking, Mr. Feynman!", published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).


  16.  
    Anonymous Coward, Dec 27th, 2010 @ 4:11pm

    Fixing things requires companies to spend money on things that they think don't bring money in.

    And people don't want to regulate banks; that is just absurd, because a) they are powerful and will fight for their interests and b) without regulation they will just screw people over.


  17.  
    btr1701 (profile), Dec 28th, 2010 @ 11:48am

    Re: Re: Re: Maybe they already know... Yep, they do!

    > It is a problem with business ethics that still
    > hasn't been addressed seriously by anyone in
    > the US.

    Or in the UK, either, since this is, after all, a UK banking association we're talking about.


