Feeds

back to article Cambridge boffins rebuff banking industry take down request

Computer scientists from Cambridge University have rebuffed attempts by a banking association to persuade them to take down a thesis covering the shortcomings of Chip-and-PIN as a payment verification method. Omar Choudary's masters thesis contains too much information about how it might be possible to fool a retailing terminal …

COMMENTS

This topic is closed for new posts.

Page:

Joke

Result

At last! A way to own an iPad.

3
0
Silver badge

Sir

Would varnishing the metal chip contacts have the same effect?

0
0
Thumb Up

Get out of jail free card revoked.

They aren't worried about people using this information to circumvent the technology.

They're worried that people might use it as evidence that they were actually scammed. This will mean that the banks have lost their get out of jail free card and wont be able to just blame the card holder for any loses.

They're crapping themselves that they might actually have to compensate customers.

41
1
Anonymous Coward

Sigh...

Banks have to show that a customer was the cause of the fraud, not vice versa. The burden of proof lies upon the bank, they have to prove the customer was in the wrong. This was even written into law over a year ago.

I've lost count of how may times I've said this, it still comes up again and again by those who find it fashionable to slag off the banks because, they're like "the man" dude.

0
2
Silver badge

This is almost correct...

....banks have to show that the customer is the cause of fraud - true

How is this proved? If a PIN is used. The customer must have disclosed (by some means) their PIN.

Ergo, if it's a chip+PIN either it is a valid transaction or the customer is at fault. Either way, the bank does not care and the law is useless (the transaction was authorised by the PIN and that should only be known to the customer).

The banks are not "the man", they simply own "the man".

3
0
Anonymous Coward

@Big Yin

Wrong... because the PIN could have been stolen, so PIN auth isn't proof that the customer has authed the transaction.

0
2
Silver badge

You're still not getting it

*IF* the PIN was stolen, the PIN was written down.

If the PIN was written down, the customer was negligent.

As there is no way (according to the banks) for the PIN refactored ar machines compromised, the customer *MUST* have been at fault if they ever query a transaction where the PIN was used.

It really is that simple.

1
0

how about

instead of demanding it be taken down, more banks give us the super secure method of payment they promised us with Chip and PIN!

Having said that, it's still more secure than the previous method. I remember the times cashiers actually checked the signature on the card and slip as being the exception.

9
0
FAIL

Check please!

Indeed. Just before the introduction of Chip and Pin my gf had broke her leg so when we went out socialising together I would go to the bar when it was her round and pay with her card. I always signed my own name and NEVER had any problems. Even the ~50% of times the person processing the transaction would go through the appropriate hand and eye motions to 'check' the signatures matched.

1
1
FAIL

No action

Having just read the thesis, I think it's disturbing that no action is seemingly being taken by the banks. The banks seem to be assuming (at least publicly) that fraudsters are too stupid to exploit this, a policy that I think is a little on the, well, naive side.

But also quite disturbing to me is the fact that this flaw doesn't seem to be reported more widely. It was published at the beginning of the year but I only heard about it today! Surely the Daily Mail and the like should be screaming loudly about our insecure debit cards by now, forcing the banks into action?

Fail because the whole thing smells pretty badly. Kudos to Cambridge for sticking up for its' researchers though.

16
0
Anonymous Coward

A couple of things...

1) Banks don't tend to tell everyone the updates they've made to their systems, so contrary to what Prof Anderson says, we don't know the status of the roll out of the fix, except for on PEDs his guys have tested.

2) The complexity of carrying out a firmware upgrade to a couple of hundred thousand devices is massive, especially in a (rightfully) change averse environment such as financial services IT. It takes a long time to plan, check, recheck and slowly roll out. You never do this sort of thing in a single big bang for fear of taking out sizable chunks of the country's payment infrastructure.

3) Banking IT is classified as critical national infrastructure, if someone or something takes out a large chunk of it very serious questions are asked at very senior levels of government. I wouldn't like to be the CEO getting an arse kicking from the PM because I tried to roll out a firmware upgrade for a problem which isn't being exploited.

1
0
FAIL

Banks fail. Again.

You'd have thought the banks would be keen to avoid yet more bad publicity. Can there be an institution so shameless?

10
1
Silver badge

They are trying to avoid bad publicity

By sweeping it all under the carpet.

1
0
Unhappy

Perhaps the real reason for the take down request

is that the banks often claim that they have absolute proof that a card was legitimately used when the card's owner is adamant that they didn't use it. They then refuse to disclose how they "know" this, on the grounds that it would compromise security.

The user can't report it to the [UK] police as the law now says that the police can only get involved if the bank reports the fraudulent transaction to them, which of course the bank won't do, as it suits them to refuse to acknowledge that it was fraudulent and thus they can make the customer pay the bill instead of taking a loss.

Thus, anything which suggests that, in fact, it is possible that the card owner is telling the truth [because their system can be compromised] must be kept secret, as it contradicts the bank's public position that this sort of thing can't happen and that the customer is therefore responsible for the loss.

17
0
Grenade

This has happened before...

This has happened before, and Ross Anderson was involved then -- search for "Munden, Halifax, Anderson". (Munden reported phantom withdrawals from his Halifax account, Halifax had Munden charged with fraud (on the grounds that their systems could not have made a mistake), Anderson came on board as expert witness for the defence, Halifax backed down rather than let him examine their systems).

(I closed my Halifax account a while after hearing of this case, the final reminder to do so taking the form of my Halifax account statement arriving several months late and with someone else's statement stapled to the back of it --- further evidence of the level of perfection of Halifax's systems.)

6
0
Anonymous Coward

Well done barclays

for 'fixing' it.

Never thought i'd hear myself saying 'well done' to them

Oh, and apart from the free Kaspersky AV for on-line bankers

and the viaducts of couse!

apart from all that they're b'strds

0
0
Silver badge
Flame

But.... but...

... you *CAN'T* go around telling people that Chip and Pin isn't perfect and wonderful and absolutely impossible to fiddle or defraud as we've been lyin^H^H^H^H telling people for ages now!

If you did that, then everyone who's been scammed with a C&P card and been told "too bad, the technology is perfect, it must have been your fault!" might get the idea that they don't need to be fobbed off like this and *can* get their money back from us!

WON'T SOMEONE THINK OF OUR PROFITS!!

- SIgned: The banks.

7
0
Anonymous Coward

The very reason

Im removing Secur3d from my cards. Being able to change a password using only data from the card and one very easy to find extra info (date of birth - they have surname, initials and your approximate location via the sort code - how hard is it going to be...), and without having to respond to an email, visit a sepertae site, or even re-enter the details you have just changed is in no way, shape or form SECURE.

Its a get-out clause for the banks - pure and simple.

0
0
Unhappy

disgraceful

For institutions that have, over the years, made fortunes from a marginally secure process to complain in this way is pathetic.

'But we don't have the money to invest' (unless we raise our charges) will be the cry. "To do more at this time will impair our competitiveness" .... Enough!!!

Get a proper system, in place without further delay, that secures your customers funds and privacy or get out because you are incompetent. Do not pass Go, Do not collect a big fat golden goodbye!

If you are really as smart as you claim then your marketeers will be able to help you steal a march on your competitors by selling how good and secure your systems really are. A little bit of trust might be restored in the competence of the Banks.

6
0
FAIL

Banks are a joke

Having having f**ked up the country and wondering how to reward themselves with multi-million pound bonuses, I guess insecure Chip-and-Pin are the least of their worries.

Frankly the country would be a lot better off without the current banking institutions and structure. We need to get rid of a bunch of half-arses and I am pretty sure there are a load of competent wannabees who will step into their shoes for less than half the price.

9
2
Silver badge
Big Brother

Well, you know... Peel's Bank Act and all that.

...never trust an outfit that has state-mandated permission to hand out your hard-earned money that you put into their coffers to random people in return for interest. It's called misappropriation.

1
1
Anonymous Coward

@Mountford D

We all fucked up the country, banks yes, but everyone who had an inappropriate amount of credit, payed off credit with credit, had a cheapass mortgage, a 100%+ mortgage. Those who didn't say anything about the amount of credit available, we all fucked it up. Now we just expect to be able to pin the blame on the banks, because they gave us the credit we wanted without asking any particularly taxing questions.

Disclosure: I had a 102% mortgage and a credit card I couldn't hope to pay off, I shouldn't have had either. Through my own hard work I got a my credit debt level to be serviceable, and a job that can pay a proper mortgage. I'm not blaming the banks for my own stupidity.

5
0
FAIL

The simple fact

The simple fact of the matter is that the high street banks didn't bring in chip and PIN to make transactions more secure. They introduced it so that they could shift liability from the bank to the individual. The claim by the banks has always been that if you keep your PIN secure you cannot get scammed; therefore, if you are scammed it is your fault and the bank isn't liable. They want this taken down not to stop scamming, but because it would be strong evidence against them if a customer took them to court over the shift in liabilities. The British high street banks have always been very good at running this type of cartel. Look at what they did over unreasonable overdraft charges. The core problem in the UK is actually that the banks have had an effective monopoly position. Until recently, research has shown that people are more likely to get divorced or move house than change current account. Things are improving, but it will take at least another 10-20 years before the cartel is actually broken. Not really different to the length of time the BT monopoly is taking to break down.

12
0
Silver badge

So what you're saying is...

"The core problem in the UK is actually that the banks have had an effective monopoly position. Until recently, research has shown that people are more likely to get divorced or move house than change current account. Things are improving, but it will take at least another 10-20 years before the cartel is actually broken."

So what you're saying is customers are stupid and deserve all they get for being so damn lazy? It is very easy to move accounts in the UK, having done it twice myself, by asking for the direct debit/standing order form that they have to give you. Pass this on to your new bank and they can take over the transactions. SImple. When it's this easy if you don't move you deserve to get screwed.

0
3

Banks are like any other stupid corporate

@The FunkeyGibbon - unfortunately banks are a bit like most corporates. They spend a fortune on PR and still make an unholy mess of PR due to letting the legal dept. do things without first consulting marketting.

In relation to this, I saw on Yahoo a claim that UK card fraud had dropped by 20% from 2009 to 2010, but that does beg the question - was this due to chip n pin and if so, are the banks just getting more stubborn about refunding customers? This is before someone starts using this new system.

From what I've seen of the technical details however, it would be a bit tricky to do without arousing suspicion of the person at the till, unless of course this is being done with their help a bit like those petrol stations which were using cloned card machines.

1
0
Silver badge
Unhappy

Inaction by banks deserves exposure

Whilst Barclays is to be congratulated in closing this particular loophole, the bank cards association had plenty of time to remedy the defect yet all they wanted to do was to shut the info source down.

Lucky he didn't have Plod breathing down his neck, too.

Since the introduction of Pin and Chip the banks have adopted a harder attitude towards complaints of customers accounts being plundered, claiming that their new system prevents fraud when in actual fact it doesn't

This means they are defrauding / misleading / lying to the public whilst some parts of the banks know there are weaknesses. THIS is what is so DESPICABLE about the whole matter.

I never withdraw round amounts from ATM's (490 instead of 500) and I always scan those receipts that fade (so quickly) so in case of dispute I have all the records.

4
0
Thumb Up

Brilliant Response

Prof Anderson's response is brilliant. Read it here...

http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf

17
1
Thumb Up

titular amusement

Nice rebuttal letter :)

I particularly liked this paragraph :-

"Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."

Kudos to Prof. Anderson, beautifully put!

8
0
Silver badge
Happy

Epic Win!

"Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report."

If ever there was an academic bitchslapping a corporation, this delightful response shall surely set a standard.

6
0

title

This information has been in the public domain for a year. Plenty of time for the banks to act on it, plenty of time to block the process.

So why are they squealing, almost as if they've done nothing?

Oh, I see............

4
0
Flame

Verified By Visa / Mastercard SecureCode

Another pair of "Security Enhancements" that do nothing of the sort.

You have to choose a password that is between 5 and 10 characters that CANNOT CONTAIN NON-NUMERICAL CHARACTERS (!!!!!!)

So 2 of the 3 major Password Complexity rules already broken then - well done.

Also if you forget your password, you can simply reset it, with those incredibly secret pieces of information, your Date Of Birth and Postcode - like they're tough to get hold of.

So, someone nicks or copies your card - not hard, uses the UK Info Disk or similar to get your DOB and address (and postcode) then goes online and spends to their hearts content - really fucking secure that.

It's all as others have said, just a method of the banks getting out of paying disputes, because if the transaction was 'Verified by Visa' then it must have been you, or you gave out your password to someone.

The banks are nothing but a bunch of fucking lying thieving teflon-coated-shouldered arseholes. And that's me toning it down.

5
0

title

"CANNOT CONTAIN NON-NUMERICAL CHARACTERS"

Mine does.

1
0
Anonymous Coward

err...

CANNOT CONTAIN NON-NUMERICAL CHARACTERS - yes it can.

And, upvoters, maybe check the facts in what you upvote before you do so?

1
1
Troll

Re: Err

Really?

I have (or had) accounts with HSBC, Capital One, MBNA, Alliance & Leicester and Halifax - none of them allowed non-alphanum characters in their VbV or MSC implementations. I think that's a pretty decent spread across the UK banking spectrum.

Granted I haven't used a couple of these for a while so they may have changed recently.

However this doesn't detract from the central premise of my comment - that these are not security improvements - they're methods of shifting blame from the banks to the consumers.

I presume that the upvoters were agreeing with this fact rather than what you obviously did and just reading the first paragraph and finding something to complain about.

The poster above replied in a decent manner - HIS implementation allowed non-alphanum - that's great. Your reply was just plain wrong.

Begone troll.

0
0
FAIL

If the info...

has been public for that long, it's a bit of a lame research thesis, isn't it?

0
2

Not lame, not a research thesis

It was for a masters degree, not a doctorate. Such documents are not generally expected to contain significant amounts of original research, rather they collate the current state of knowledge in the field, possibly applying it to unconsidered areas.

1
0

eh?

"This information has been in the public domain for a year. Plenty of time for the banks to act on it, plenty of time to block the process."

Have you seen the Change Process hoops you have to jump through to get a change approved in a financial institution!

I'm amazed Barclays managed it!

0
0
Anonymous Coward

FUD alert

Once CDA is implemented this will method of "attack" will be blocked, if you can even call it that because you need the dummy card you use in the terminal to be attached to a device that is capable of performing the attach. Just as the original EMV cards were SDA then moved to DDA so as soon as one form of attack is found so the organisations will move to block it.

Most forms of fraud are commited using mag stripe, not chip and pin. All of the info on how the PIN and PAN entry are collected and sent in the clearing/auth messages. I would hazard a guess that 100% of POS frauds are mag stripe but consumers don't have the knowledge to understand what has happened and are simply fobbed off by a banks call centre. They simply see a chip and assume the transaction MUST have been chip and pin.

In fact if you want to be really secure we would move 100% away from mag stripe and just have chip and pin.

Using my own statistics I would say that 99.999999999999% of people don't understand how mag stripe, chip and pin works, EMV or the authorisation/clearing messages either.

Now...if someone found a way of extracting the keys from an ICC THEN I would be impressed.

Keep the FUD rolling.

0
2
Silver badge
FAIL

Except.....

"as soon as one form of attack is found so the organisations will move to block it."

Except, of course, they've known about this for ages and done....hmmmm....fuck all. Barclays are the only ones to have fixed it.

Just because you can't think of a non-obvious of exploiting the weakness in the wild doesn't mean that no-one can. We can't expect 100% secure, but surely we have a right to expect the banks to get their act together and fix weaknesses as their found?

2
0
FAIL

"Your own statistics"

Hmmm - "99.999999999999% of people don't understand how mag stripe, chip and pin works..." Or equivalently, 0.000000000001% of people do so understand, which works out to somewhat less than 1% of a single person.

1
0
Gold badge
Thumb Up

But UK banks are *too* big to fail

The UK Govt *says* so.*

* And they've handed them a *big* bag of cash to prove it.

Seriously what would be the *real* impact of UK high street bank failure.

Some top bankers *might* not get their last bonus.

Disarray as the loan and mortgage books get sold off and it's worked out who people should be making their payments to.

a bunch of bankers get shown up as f**k witted managers.

I'd call those *acceptable* losses.

thumbs up for the backbone in not giving in to these people who *still* have mostly appear to have done f**k all about it.

1
0
FAIL

The BBC have censored the story.

Despite having surfaced at least 3 days ago (http://bit.ly/hc2ex3), there is still no mention of this story on the BBC news site.

Not that they're biased or anything. /sarcasm off

Someone has certainly complied with the censorship request...

1
0
Anonymous Coward

The BBC have censored the story.

It was discussed extensively on 5live yesterday morning. The idiot Nolan was presenting, so most people had probably tuned into something else. I know I would have, given the choice.

0
0
WTF?

The BBC have censored the story.

It was discussed extensively on 5live yesterday morning. The idiot Nolan was presenting, so most people had probably tuned into something else. I know I would have, given the choice.

0
0
Paris Hilton

Obvious answer?

Clearly the banks are uncomfortable with truth.

It is far better to live in a sublimely rich (and wealthy) fantasy world if the wealth created in that virtual & fantasy world eventually makes its way into the real world (and, of course, bankers' pockets (Q: do bankers use banks? If not why not?)).

Maybe this PIN thing is just what the banking industry needs to create next profits & bonuses in about 10 years time?

0
0
Pint

Readers may also wish to have a read of

Professor Anderson's work relating to "smart" meters.

Start at http://www.cl.cam.ac.uk/~rja14/ and follow the smart meter links. Or indeed any of his other excellent stuff that catches your eye.

Seasons greetings.

2
0
Anonymous Coward

Err...

I have read it (a while back) and if I recall correctly it reads like a 1st year paper, full of nothingness other than warnings that something bad might happen, if the network a network which doesn't exist isn't designed properly when it is designed some time in the future.

0
1
Thumb Down

Another year another 'spectacular'

Here we go another brilliant PhD Researcher at this backwater of Cambridge University undermines the whole Security of the World Banking System by pulling a little stunt. I wish these guys would give it a break and concentrate on something else, they are as annoying as your average OCD afflicted Penetration Tester.

If you wish to expose the insecurity in Retail Banking it is easy, Banks leak information every day, they break their own Security Policies hundreds of times a day, Rules are broken as a matter of routine and members of IT teams, especially unvetted external contractors, have access rights which would make you faint.

Why you would bother to stick an electrical gadget up your sleeve with a wire connecting it to the terminal for a couple of cans of White Lightening is beyond me.

If you want to trash the Chip and PIN system, just move your Lab to Liverpool and set a few of the locals the challenge

How much Tax Payers money is being wasted on this 'Lab'?

0
10

BBC censored it?

At AC who claims the BBC censored the story

They reported the flaws back in February

http://news.bbc.co.uk/1/hi/sci/tech/8511710.stm

They might not have thought the current story worth reporting, but they have covered the issues, lovely last comment by the reporter as well.

0
0
FAIL

@Mr Templedene - BBC censored it?

Sorry but you're wrong. They may have have reported the flaws earlier in the year, but that wasn't the point. They STILL haven't reported the attempted censorship of Omar Choudary's paper by the ex minister Melanie Johnson at UKCA. See:

http://www.bbc.co.uk/search/news/?q=%22Omar%20Choudary%22

http://preview.tinyurl.com/22vguhd

1
0

Page:

This topic is closed for new posts.