Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses
from the that'll-work dept
The chip and PIN system that is used for financial transactions throughout large parts of Europe and Canada (still surprised that it hasn’t really come to the US…) has numerous vulnerabilities that have been detailed over the years. In the past year alone, there have been a number of problems and weaknesses highlighted with the system. Apparently, the financial industry isn’t happy about this, but rather than fixing the problems it’s reacting in the usual way: going after the messenger. Slashdot points us to the news that the UK Cards Association — a trade group representing banks and credit card companies — has asked Cambridge researchers to remove a thesis which highlights some of the vulnerabilities.
You can see the demand letter embedded below, but it’s fairly amusing. The letter claims that the publication (which you can read about on the website of its author, Omar Choudary, where he describes a device for intercepting, monitoring and modifying such data) “oversteps the boundaries of what constitutes responsible disclosure.” In other words, they’re not happy about it, so Cambridge should force the student to shut up. Of course, what’s amusing is that after chiding Cambridge University for such irresponsible publishing, the Association then tries to downplay the significance of the whole thing anyway:
Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry’s fraud prevention systems would be able to detect when such an attack had happened.
So why take it down?
Nevertheless, publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them and/or give organised crime access to material they might be able to develop further.
This, of course, is the very definition of an organization that thinks security through obscurity works. The thing is, if these students figured out these problems, it’s pretty damn likely that organized crime had already figured out the same thing and has probably developed the idea much further. Pretending otherwise is simply naive.
The UK Cards Association then goes on to lecture Cambridge University on its standards of what should be considered publishable, and worries about “future research.” The response from Ross Anderson at Cambridge (linked above) is pretty straightforward, basically saying, yes, you absolutely should be worried about it:
The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!
A note to the financial industry: perhaps instead of worrying about student papers, you should worry about a system that is vulnerable to so many problems.
Filed Under: banks, cambridge, chip and pin, credit cards, obscurity, security, uk
Comments on “Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses”
more to it
note that the article points out that the publication they’re asking them to remove has been available on the web for over 9 months. original link: http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/
this is well beyond trying to put the cat back in the bag, and just straight up ignorance. they asked the school to censor themselves and the school rightfully refused.
Maybe you should have quoted the school’s reply? It’s appropriate:
“Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.”
oh, and the best part
I forgot the last part of their PDF’s reply:
“Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009.” Guess that means 2 years ago, not 9 months ago.
oh, and the best part
It’s like these people want a backdoor, that no one else knows about, to exist so that they personally can exploit it.
Priorities
The ‘funny’ part is that these banks hire the hell out of mathematicians and whatnot. Pity they’re more interested in putting them to work in creating tranches that nobody else can understand than in, y’know, coming up with rudimentary security.
oh, and the best part
i like how the student was able to pull off a fraudulent transaction; yet if [in the unlikely event] it did happen, the system would catch it...
this broad is so full of shit.
2 years later (after responsible disclosure) and it’s still not fixed… who’s being irresponsible?
way to put some of that spin on it, melanie
oh, and the best part
This sort of behavior is typical. I believe D-Link had a security vulnerability at one time in their routers. Someone reported it to D-Link and D-Link didn’t fix the problem. Nine months later, the person who found the vulnerability released info on it to the net and then, after huge backlash, D-Link fixed the security vulnerability on their next firmware release.
Maybe they already know...
Maybe the financial institutions already know organized crime is using this and other similar attacks, but as they can quantify it and just charge it as an expense, they don’t want to bother actually fixing it. Maybe the fix would be more than they’re losing.
more to it
“[C]ensoring writings that offend the powerful is offensive to our deepest values.”
That is a beautiful quote.
Maybe they already know...
Maybe the fix would be more than they’re losing.
Sadly, I think you are right about this. It is likely the same reason why they haven’t done anything about rampant identity theft (because their costs are externalized on their customers,) and credit card fraud in general. They could fix the problem but right now the fix is more expensive than their cost of the problem. They could stop sending out personalized forms for credit cards through the mail (which often get intercepted and then used for identity theft,) and some sort of single-use system for credit cards, but both would get in the way of them making the most money (legitimately or otherwise.)
oh, and the best part
This sort of behavior is typical.
Or a far more personal example…in 2002, I released a vulnerability report on a particular printer manufacturer who routinely put unauthenticated back-doors in their products. I made sure to communicate with them ahead of time, notifying them that the organization I worked for was very upset with the vulnerability and wanted it fixed, and I was willing to work with them to make sure that a firmware update would be made available to fix the problem. They never responded, even though I sent the email directly to their support folks.
Three weeks later, I released the report, and within six months they were asking my employer to fire me and were asking for my head on a platter. Yet, they did nothing to fix the problem, and introduced new problems in newer versions of their printers. I discovered these newer problems, and contacted them directly, but received no response. I released another report on the newer problems, and they again were asking for my head on a platter. My boss at the time was quite pleased with me, and no one in the organization complied. They tried to buy me off to keep me quiet, but that didn’t work either.
Finally, in another line of printers, I discovered the mother of all unauthenticated back-doors, which allowed direct access to the printer’s memory, and allowed the attacker to read from and inject into the printer’s memory directly. I again contacted them directly. This time, they decided to work with us instead of freaking out and shooting the messenger. They released a technote telling their customers to disable the web server and put all printers behind a firewall which limited access to the web server.
Unfortunately, they haven’t fixed the problem, only covered it up since even their newest printers have the same flaw.
oh, and the best part
never attribute to malice that which can also be explained by stupidity.
i think this is probably honest to god ignorance. i see the same reaction all the time when people haven’t thought a security issue all the way through.
Maybe they already know...
They knew years ago that chip-n-PIN could be skimmed. It’s just a little harder than skimming a normal magstripe card.
I should know, I did it on my own Debit Card in 2006 as part of a CompSci project. they don’t really care who uses your card, so long as the fees get paid.
Maybe they already know... Yep, they do!
This is the real secret of big business nowadays. By externalizing costs they can ignore the fact that they are practicing bad business. It is a problem with business ethics that still hasn’t been addressed seriously by anyone in the US.
Business Ethics
Techdirt has pointed out numerous times that there is a real issue with companies that release products with security vulnerabilities. From something as simple as a printer back door to something as important as a hacked voting machine it appears that companies are universally unwilling to deal with the issue whatever it may be.
Many of these companies have great control in their respective markets and competition just isn’t around. It seems to me that the natural forces of the market just aren’t there to punish these companies’ blatant ethical incompetence.
What does it say about doing business in the world when it appears integrity and honesty have become something of an inside joke?
Security Maxims
They should read the Argonne security maxims.
Particularly this one:
# Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
# Comment: An entertaining example of this common phenomenon can be found in “Surely You are Joking, Mr. Feynman!”, published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).
Fixing things requires companies to spend money for things that they think don’t bring money in.
And people don’t want to regulate banks, which is just absurd because a) they are powerful and will fight for their interests and b) without regulation they will just screw people over.
Maybe they already know... Yep, they do!
> It is a problem with business ethics that still hasn’t been addressed seriously by anyone in the US.
Or in the UK, either, since this is, after all, a UK banking association we’re talking about.