Anonymous comments dissing Cambridge University computer scientists for their research into security weaknesses with Chip and PIN have been traced back to a banking industry group worker who acted without the permission of his bosses. A commentard using the handle Scrutineer tore into research that demonstrated how it might be …
Let us know what they really think, then be "forced" to distance themselves from the more unreasonable sounding parts, and get some extra radio time in which to repeat, sounding perfectly reasonable this time, that they think everybody is perfectly safe because they don't accept the research findings. If only the laws of physics would listen to bankers' opinions, we'd surely have ubiquitous flying cars by now.
This, however, is not how science works. For their objections to be credible they have to show the research wrong, like by being methodically flawed, or to be showing results caused by some other factor. Which they can't, because it isn't.
What's so wrong?
Personally, I welcome blog comments from people at the sharp end - informed debate is good, even if the original comments were a bit on the vitriolic side.
Astroturfing? I don't think so. The commenter clearly couldn't identify him/herself as being from the Card Association, because that would then have been seen as an official statement (and it was against the company rules to comment).
So all that's happened is that an insider who was willing to get involved in informal robust debate has been coshed, leaving us with official PR platitudes instead. I can absolutely see why the guys running the Cambridge Uni blog were interested in the commenter's IP address and I have no problem with them posting that the commenter "has an IP address coming from a UK banking institution", but enabling the guy to get smacked down does rather seem to be an unfortunate, rather than fortunate, outcome.
/From my residential NTL IP address in boring old East London
"Astroturfing? I don't think so. The commenter clearly couldn't identify him/herself as being from the Card Association, because that would then have been seen as an official statement (and it was against the company rules to comment)."
That's exactly what astroturfing is. Some big corporate wants to get something out in the public domain, but they know that if it comes from them people will start using words and phrases like "bias" and "vested interest", so they sneak it out anonymously in the hopes that nobody will trace the comments back to them. It's been going on for centuries, but it didn't have a name until recently.
I know what astroturfing is. All astroturfing comes from company insiders. But not all posts by a company insider are an astroturfing attempt. Amazing as it may seem, some company insiders are actually passionate about their stuff and reply individually - not as part of a campaign.
"I pity the fool who doesn’t value vulnerability research"
our mystery blogger is none other than... Mr T of A-Team fame!
Smell the desperation...
So someone posted something negative as a comment on a blog. Fine. What happened next? Did the Uni / blog editor post the details of the poster, or was he asked to do so and complied?
TBH both of these seem a bit twattish things to do as far as I can see, but the first in particular looks particularly malicious.
He made a valid comment...
...and it deserved a valid reply not an attack. It was not astro turfing.
Yes the card would have been flagged stolen, but when? I had a card stolen, I did not know it was stolen until the next day when I could not find it. In the day it was away it was used to buy petrol in Switzerland, and for toll roads in Italy.
Ergo saying that the card would have been flagged stolen misses that there is the gap between a card being stolen and noticed and reported during which this attack works. Hence his comment is correct, yet misses a case where the attack works.
As for the Cambridge Researchers being over-sensitive to his "first year electronic engineering student" comments: they are little cry babies and need to grow up!
HE believed he had pointed to a flaw in their thinking and merely chided them, THEY could have pointed out why their thinking is correct and thus proved themselves to be grown-up. Instead they did the little cry baby thing of name calling.
As for Astro turf, well surf Youtube on anything critical of Israel, and note the contrived comments and -6 score for any comment critical of Israel, e.g. :
i.e. a team of 6 astroturfers working there, or 1 turfer with 6 YouTube accounts.
If I were that employee, and I knew this incident could get me fired, I would ask for the chore of being the one to prove the research wrong and show my comment was fair.
He deserved smacking down for the childish 1st post
...which was, AFAICS, technically inaccurate. It was certainly insulting and that has no place in such discussions.
'The statement goes on to say "neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks".'
a) That doesn't mean they're not happening.
b) Nor does it mean they won't once criminals - some of whom seem to be better funded & more tech savvy than the police these days - work out how to make good use of the exploit.
"a) That doesn't mean they're not happening."
It does mean they are not happening. Read the research paper, it says that the banks will be able to see if this attack happened by looking in their transaction records.
If he deserved smacking down because of the style and content then that should have been addressed in a response.
Responding by publicising his IP is morally dubious and intellectually bankrupt. There are several times in the reg Blogs where a commenter imparts some interesting inside information. If it's false information then this should be addressed, debated.
If the reg started publicising IP addresses of posters that disagreed with the editorial line the site would be f'ked.
"...which was, AFAICS, technically inaccurate. It was certainly insulting and that has no place in such discussions."
If you start banning comments based on whether they insult or not, then there would be no elReg, no Andrew Orlowski, and certainly no me.
All you'd have on the internet is a bunch of turfers trying to suppress discussion by pretending to be offended by the remark.
These students will grow thicker skins and this criticism (although badly founded) helps them grow those callouses.
PR gone bad
Some PR or tech monkey was given the task to post a rebuttal and failed miserably.
Also his comments about APACS believing that being able to hack CnP cards is something a first year engineering student could do flies in the face of their "chip and pin is secure" mantra.
I think anyone who has had to fight to recoup money stolen via CnP should find this plonker and call him as a witness :-)
I work for a UK bank, I regularly post on the reg. I do not do so with approval from my boss, I do not make comments on behalf of my employer, but I do comment on banking related articles.
This guy posted his own opinion, what's the problem?
Anon, for obvious reasons...
He should sue
The bloke from APACS is correct. There is nothing in this attack that an average first year electronics student could not do himself. The research paper itself states that the application (VIS) in the card returns sufficient information to the bank to show that this very attack took place and that they have this information in their records. If the card was reported stolen the bank would then examine its records and see that the transaction was fraudulent.
The real story here is that an engineer posts a critical anonymous post on a Cambridge University website, so the researchers then decide to go after him, forcing him to either be fired or have his career ruined. I think he should sue.
Call me simple minded, but claiming this attack is so easy a 1st year student could do it tells me Chip&PIN is easy to break. The idiot couldn't even astroturf right; he deserves sacking for undermining his employer's denials, even if he wasn't caught publicly.
If anonymous comments can seriously undermine your company's position on a subject, then perhaps your company should have a more robust position.
"neither the banking industry nor the police have any evidence"
Neither the banking industry nor the police knew this was possible, and they don't subsequently seem to be interested in doing much about it. The easy way of having no evidence is to sit on your arse with your eyes closed singing "I can't hear you, I can't hear you".
Bankers are good people
Are you sure that the banking industry did not know this was possible? Visa added a field in their application (VIS) that covers this attack.
EMV is just a specification that allows interoperability between many countries and parties, different terminals and cards with different security levels. Regardless of their size, Visa and Mastercard cannot force individual banks to choose a particular payment method; they can only encourage them. Flexibility is paramount for an international payment system to work. Contrary to what the researchers say in their paper, EMV has always been an open specification and wide consultation on it took place during its development (just because the researchers were still in primary school 15 years ago does not mean it did not happen). EMV is a brilliant specification; it solves a complex issue in a simple manner and it does its job wonderfully. I can see why the engineer at APACS was pissed off about the researchers' arrogant and untruthful comments rubbishing the specification.
"they don't subsequently seem to be interested in doing much about it." Of course they don't, there may be a quiet hive of activity investigating this issue, but the banks are not going to start shouting "PANIC PANIC". Most security issues discovered in the banking industry are fixed quietly and the public never get to hear about them or the engineers who discover and solve them.
Time will tell
"neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks".
That's because they apportion the blame onto the person whose card it is! So if someone used this attack the bank simply turns around and says "But our system is entirely secure. Your PIN was used with YOUR card, therefore no matter what you say we believe it to be the case that it was you who made the transaction", end of.
What can a person do when they are in this situation? Catch 22.
So yeah they probably would say that they have no evidence simply because they don't want to admit liability.
The ombudsman should really take a close look at this but they are all paid off yes men.
The burden of proof was legally moved to the banks last year, and I don't know of any credible cases prior to that where the banks didn't repay where fraud was suspected.
You have outlined precisely why I refuse to use Chip & PIN in any retail transaction.
When the law is changed to force banks and merchants to accept the same liabilities as if a cheque had been used, then I will reconsider my stance. But not until.
"The industry strongly refutes the allegation"
No, it just *denies* it. What is this, proof by vehement assertion?
Storm, meet tea cup
Firstly, to declare my interests. I work in information security at a bank and I know the people at UK Payments (APACS).
Although I do not know who wrote the response, it was obviously from pure personal frustration at a rather improbable hack.
The thing to remember is that if you can physically break into and control a machine you can do all sorts of things.
Here's an exercise for the student: imagine a scenario in which this hack could be used. Whatever scenario you imagined, you can almost certainly think of an easier and more profitable exploit in those circumstances. (In this case the question is where is the shopkeeper? Where is the fraudster? If the shopkeeper is missing, and the fraudster is in the shop, it might be easier just to leg it with the goods).
Many people in the banking security industry do the kind of analysis which Prof Anderson's team publish - although sadly we don't often get a chance to build the toys ourselves and we don't get PhDs out of it ;-) But you have to keep in mind the misuse case, the scenarios you are protecting against. This is the key to staying sane, staying focused on the important risks, and not obsessing over the wrong details.
Prof Anderson has an honorable record in defending innocent customers against the banks' technological conceits, and I expect this is part of that continuing battle. But this one is a storm in a tea cup.
It wasn't tested against something stolen? BFD.
Regular old PIN cards in the US don't work after being reported stolen either. No fancy additional smartcard tech needed at all.