Cambridge boffins rebuff banking industry take down request

Computer scientists from Cambridge University have rebuffed attempts by a banking association to persuade them to take down a thesis covering the shortcomings of Chip-and-PIN as a payment verification method. Omar Choudary's masters thesis contains too much information about how it might be possible to fool a retailing …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Joke

    Result

    At last! A way to own an iPad.

  2. Sir Runcible Spoon

    Sir

    Would varnishing the metal chip contacts have the same effect?

  3. Anonymous Coward
    Thumb Up

    Get out of jail free card revoked.

    They aren't worried about people using this information to circumvent the technology.

    They're worried that people might use it as evidence that they were actually scammed. This will mean that the banks have lost their get out of jail free card and won't be able to just blame the card holder for any losses.

    They're crapping themselves that they might actually have to compensate customers.

    1. Anonymous Coward
      Anonymous Coward

      Sigh...

      Banks have to show that a customer was the cause of the fraud, not vice versa. The burden of proof lies upon the bank, they have to prove the customer was in the wrong. This was even written into law over a year ago.

      I've lost count of how many times I've said this; it still comes up again and again from those who find it fashionable to slag off the banks because they're, like, "the man", dude.

      1. The BigYin

        This is almost correct...

        ....banks have to show that the customer is the cause of fraud - true

        How is this proved? If a PIN is used, the customer must have disclosed (by some means) their PIN.

        Ergo, if it's a chip+PIN either it is a valid transaction or the customer is at fault. Either way, the bank does not care and the law is useless (the transaction was authorised by the PIN and that should only be known to the customer).

        The banks are not "the man", they simply own "the man".

        1. Anonymous Coward
          Anonymous Coward

          @Big Yin

          Wrong... because the PIN could have been stolen, so PIN auth isn't proof that the customer has authed the transaction.

          1. The BigYin

            You're still not getting it

            *IF* the PIN was stolen, the PIN was written down.

            If the PIN was written down, the customer was negligent.

            As there is no way (according to the banks) for the PIN to be refactored or machines compromised, the customer *MUST* have been at fault if they ever query a transaction where the PIN was used.

            It really is that simple.

  4. Lottie

    how about

    instead of demanding it be taken down, more banks give us the super secure method of payment they promised us with Chip and PIN!

    Having said that, it's still more secure than the previous method. I remember the times cashiers actually checked the signature on the card and slip as being the exception.

    1. AlexH
      FAIL

      Check please!

      Indeed. Just before the introduction of Chip and Pin my gf had broken her leg, so when we went out socialising together I would go to the bar when it was her round and pay with her card. I always signed my own name and NEVER had any problems. Even the ~50% of times the person processing the transaction would go through the appropriate hand and eye motions to 'check' the signatures matched.

  5. dotdavid
    FAIL

    No action

    Having just read the thesis, I think it's disturbing that no action is seemingly being taken by the banks. The banks seem to be assuming (at least publicly) that fraudsters are too stupid to exploit this, a policy that I think is a little on the, well, naive side.

    But also quite disturbing to me is the fact that this flaw doesn't seem to be reported more widely. It was published at the beginning of the year but I only heard about it today! Surely the Daily Mail and the like should be screaming loudly about our insecure debit cards by now, forcing the banks into action?

    Fail because the whole thing smells pretty badly. Kudos to Cambridge for sticking up for its researchers though.

    1. Anonymous Coward
      Anonymous Coward

      A couple of things...

      1) Banks don't tend to tell everyone the updates they've made to their systems, so contrary to what Prof Anderson says, we don't know the status of the roll out of the fix, except for on PEDs his guys have tested.

      2) The complexity of carrying out a firmware upgrade to a couple of hundred thousand devices is massive, especially in a (rightfully) change averse environment such as financial services IT. It takes a long time to plan, check, recheck and slowly roll out. You never do this sort of thing in a single big bang for fear of taking out sizable chunks of the country's payment infrastructure.

      3) Banking IT is classified as critical national infrastructure, if someone or something takes out a large chunk of it very serious questions are asked at very senior levels of government. I wouldn't like to be the CEO getting an arse kicking from the PM because I tried to roll out a firmware upgrade for a problem which isn't being exploited.

  6. The FunkeyGibbon
    FAIL

    Banks fail. Again.

    You'd have thought the banks would be keen to avoid yet more bad publicity. Can there be an institution so shameless?

    1. Tom 35

      They are trying to avoid bad publicity

      By sweeping it all under the carpet.

  7. Anonymous Coward
    Unhappy

    Perhaps the real reason for the take down request

    is that the banks often claim that they have absolute proof that a card was legitimately used when the card's owner is adamant that they didn't use it. They then refuse to disclose how they "know" this, on the grounds that it would compromise security.

    The user can't report it to the [UK] police as the law now says that the police can only get involved if the bank reports the fraudulent transaction to them, which of course the bank won't do, as it suits them to refuse to acknowledge that it was fraudulent and thus they can make the customer pay the bill instead of taking a loss.

    Thus, anything which suggests that, in fact, it is possible that the card owner is telling the truth [because their system can be compromised] must be kept secret, as it contradicts the bank's public position that this sort of thing can't happen and that the customer is therefore responsible for the loss.

    1. John Sturdy
      Grenade

      This has happened before...

      This has happened before, and Ross Anderson was involved then -- search for "Munden, Halifax, Anderson". (Munden reported phantom withdrawals from his Halifax account, Halifax had Munden charged with fraud (on the grounds that their systems could not have made a mistake), Anderson came on board as expert witness for the defence, Halifax backed down rather than let him examine their systems).

      (I closed my Halifax account a while after hearing of this case, the final reminder to do so taking the form of my Halifax account statement arriving several months late and with someone else's statement stapled to the back of it --- further evidence of the level of perfection of Halifax's systems.)

  8. Anonymous Coward
    Anonymous Coward

    Well done barclays

    for 'fixing' it.

    Never thought I'd hear myself saying 'well done' to them

    Oh, and apart from the free Kaspersky AV for on-line bankers

    and the viaducts of course!

    apart from all that they're b'strds

  9. Graham Marsden
    Flame

    But.... but...

    ... you *CAN'T* go around telling people that Chip and Pin isn't perfect and wonderful and absolutely impossible to fiddle or defraud as we've been lyin^H^H^H^H telling people for ages now!

    If you did that, then everyone who's been scammed with a C&P card and been told "too bad, the technology is perfect, it must have been your fault!" might get the idea that they don't need to be fobbed off like this and *can* get their money back from us!

    WON'T SOMEONE THINK OF OUR PROFITS!!

    - Signed: The banks.

    1. Anonymous Coward
      Anonymous Coward

      The very reason

      I'm removing Secur3d from my cards. Being able to change a password using only data from the card and one very easy to find extra piece of info (date of birth - they have surname, initials and your approximate location via the sort code - how hard is it going to be...), and without having to respond to an email, visit a separate site, or even re-enter the details you have just changed, is in no way, shape or form SECURE.

      It's a get-out clause for the banks - pure and simple.

  10. Maurice Shakeshaft
    Unhappy

    disgraceful

    For institutions that have, over the years, made fortunes from a marginally secure process to complain in this way is pathetic.

    'But we don't have the money to invest' (unless we raise our charges) will be the cry. "To do more at this time will impair our competitiveness" .... Enough!!!

    Get a proper system in place without further delay that secures your customers' funds and privacy, or get out because you are incompetent. Do not pass Go, Do not collect a big fat golden goodbye!

    If you are really as smart as you claim then your marketeers will be able to help you steal a march on your competitors by selling how good and secure your systems really are. A little bit of trust might be restored in the competence of the Banks.

  11. Mountford D
    FAIL

    Banks are a joke

    Having f**ked up the country and wondering how to reward themselves with multi-million pound bonuses, I guess insecure Chip-and-Pin is the least of their worries.

    Frankly the country would be a lot better off without the current banking institutions and structure. We need to get rid of a bunch of half-arses and I am pretty sure there are a load of competent wannabees who will step into their shoes for less than half the price.

    1. Destroy All Monsters Silver badge
      Big Brother

      Well, you know... Peel's Bank Act and all that.

      ...never trust an outfit that has state-mandated permission to hand out your hard-earned money that you put into their coffers to random people in return for interest. It's called misappropriation.

    2. Anonymous Coward
      Anonymous Coward

      @Mountford D

      We all fucked up the country: banks yes, but everyone who had an inappropriate amount of credit, paid off credit with credit, had a cheapass mortgage, a 100%+ mortgage. Those who didn't say anything about the amount of credit available, we all fucked it up. Now we just expect to be able to pin the blame on the banks, because they gave us the credit we wanted without asking any particularly taxing questions.

      Disclosure: I had a 102% mortgage and a credit card I couldn't hope to pay off; I shouldn't have had either. Through my own hard work I got my credit debt level to be serviceable, and a job that can pay a proper mortgage. I'm not blaming the banks for my own stupidity.

  12. Anonymous Coward
    FAIL

    The simple fact

    The simple fact of the matter is that the high street banks didn't bring in chip and PIN to make transactions more secure. They introduced it so that they could shift liability from the bank to the individual. The claim by the banks has always been that if you keep your PIN secure you cannot get scammed; therefore, if you are scammed it is your fault and the bank isn't liable. They want this taken down not to stop scamming, but because it would be strong evidence against them if a customer took them to court over the shift in liabilities. The British high street banks have always been very good at running this type of cartel. Look at what they did over unreasonable overdraft charges. The core problem in the UK is actually that the banks have had an effective monopoly position. Until recently, research has shown that people are more likely to get divorced or move house than change current account. Things are improving, but it will take at least another 10-20 years before the cartel is actually broken. Not really different to the length of time the BT monopoly is taking to break down.

    1. Mark 65

      So what you're saying is...

      "The core problem in the UK is actually that the banks have had an effective monopoly position. Until recently, research has shown that people are more likely to get divorced or move house than change current account. Things are improving, but it will take at least another 10-20 years before the cartel is actually broken."

      So what you're saying is customers are stupid and deserve all they get for being so damn lazy? It is very easy to move accounts in the UK, having done it twice myself, by asking for the direct debit/standing order form that they have to give you. Pass this on to your new bank and they can take over the transactions. Simple. When it's this easy, if you don't move you deserve to get screwed.

  13. Trev 2

    Banks are like any other stupid corporate

    @The FunkeyGibbon - unfortunately banks are a bit like most corporates. They spend a fortune on PR and still make an unholy mess of PR due to letting the legal dept. do things without first consulting marketing.

    In relation to this, I saw on Yahoo a claim that UK card fraud had dropped by 20% from 2009 to 2010, but that does beg the question - was this due to chip n pin and if so, are the banks just getting more stubborn about refunding customers? This is before someone starts using this new system.

    From what I've seen of the technical details however, it would be a bit tricky to do without arousing suspicion of the person at the till, unless of course this is being done with their help a bit like those petrol stations which were using cloned card machines.

  14. JaitcH
    Unhappy

    Inaction by banks deserves exposure

    Whilst Barclays is to be congratulated in closing this particular loophole, the bank cards association had plenty of time to remedy the defect yet all they wanted to do was to shut the info source down.

    Lucky he didn't have Plod breathing down his neck, too.

    Since the introduction of Pin and Chip the banks have adopted a harder attitude towards complaints of customers' accounts being plundered, claiming that their new system prevents fraud when in actual fact it doesn't.

    This means they are defrauding / misleading / lying to the public whilst some parts of the banks know there are weaknesses. THIS is what is so DESPICABLE about the whole matter.

    I never withdraw round amounts from ATMs (490 instead of 500) and I always scan those receipts that fade (so quickly), so in case of dispute I have all the records.

  15. Anonymous Coward
    Thumb Up

    Brilliant Response

    Prof Anderson's response is brilliant. Read it here...

    http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf

    1. lpopman
      Thumb Up

      titular amusement

      Nice rebuttal letter :)

      I particularly liked this paragraph :-

      "Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."

      Kudos to Prof. Anderson, beautifully put!

    2. heyrick Silver badge
      Happy

      Epic Win!

      "Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report."

      If ever there was an academic bitchslapping a corporation, this delightful response shall surely set a standard.

  16. Stratman

    title

    This information has been in the public domain for a year. Plenty of time for the banks to act on it, plenty of time to block the process.

    So why are they squealing, almost as if they've done nothing?

    Oh, I see............

  17. DRendar
    Flame

    Verified By Visa / Mastercard SecureCode

    Another pair of "Security Enhancements" that do nothing of the sort.

    You have to choose a password that is between 5 and 10 characters that CANNOT CONTAIN NON-NUMERICAL CHARACTERS (!!!!!!)

    So 2 of the 3 major Password Complexity rules already broken then - well done.

    Also if you forget your password, you can simply reset it, with those incredibly secret pieces of information, your Date Of Birth and Postcode - like they're tough to get hold of.

    So, someone nicks or copies your card - not hard, uses the UK Info Disk or similar to get your DOB and address (and postcode) then goes online and spends to their hearts content - really fucking secure that.

    It's all as others have said, just a method of the banks getting out of paying disputes, because if the transaction was 'Verified by Visa' then it must have been you, or you gave out your password to someone.

    The banks are nothing but a bunch of fucking lying thieving teflon-coated-shouldered arseholes. And that's me toning it down.

    1. Stratman

      title

      "CANNOT CONTAIN NON-NUMERICAL CHARACTERS"

      Mine does.

    2. Anonymous Coward
      Anonymous Coward

      err...

      CANNOT CONTAIN NON-NUMERICAL CHARACTERS - yes it can.

      And, upvoters, maybe check the facts in what you upvote before you do so?

      1. DRendar
        Troll

        Re: Err

        Really?

        I have (or had) accounts with HSBC, Capital One, MBNA, Alliance & Leicester and Halifax - none of them allowed non-alphanum characters in their VbV or MSC implementations. I think that's a pretty decent spread across the UK banking spectrum.

        Granted I haven't used a couple of these for a while so they may have changed recently.

        However this doesn't detract from the central premise of my comment - that these are not security improvements - they're methods of shifting blame from the banks to the consumers.

        I presume that the upvoters were agreeing with this fact rather than what you obviously did and just reading the first paragraph and finding something to complain about.

        The poster above replied in a decent manner - HIS implementation allowed non-alphanum - that's great. Your reply was just plain wrong.

        Begone troll.

  18. Anonymous Coward
    FAIL

    If the info...

    has been public for that long, it's a bit of a lame research thesis, isn't it?

    1. shadowphiar

      Not lame, not a research thesis

      It was for a masters degree, not a doctorate. Such documents are not generally expected to contain significant amounts of original research, rather they collate the current state of knowledge in the field, possibly applying it to unconsidered areas.

  19. Stuart Ball

    eh?

    "This information has been in the public domain for a year. Plenty of time for the banks to act on it, plenty of time to block the process."

    Have you seen the Change Process hoops you have to jump through to get a change approved in a financial institution!

    I'm amazed Barclays managed it!

  20. Anonymous Coward
    Anonymous Coward

    FUD alert

    Once CDA is implemented this method of "attack" will be blocked, if you can even call it that, because you need the dummy card you use in the terminal to be attached to a device that is capable of performing the attack. Just as the original EMV cards were SDA then moved to DDA, as soon as one form of attack is found the organisations will move to block it.

    Most forms of fraud are committed using mag stripe, not chip and pin. All of the info on how the PIN and PAN entry are collected and sent in the clearing/auth messages. I would hazard a guess that 100% of POS frauds are mag stripe but consumers don't have the knowledge to understand what has happened and are simply fobbed off by a bank's call centre. They simply see a chip and assume the transaction MUST have been chip and pin.

    In fact if you want to be really secure we would move 100% away from mag stripe and just have chip and pin.

    Using my own statistics I would say that 99.999999999999% of people don't understand how mag stripe, chip and pin works, EMV or the authorisation/clearing messages either.

    Now...if someone found a way of extracting the keys from an ICC THEN I would be impressed.

    Keep the FUD rolling.

    1. Ben Tasker
      FAIL

      Except.....

      "as soon as one form of attack is found so the organisations will move to block it."

      Except, of course, they've known about this for ages and done....hmmmm....fuck all. Barclays are the only ones to have fixed it.

      Just because you can't think of a non-obvious way of exploiting the weakness in the wild doesn't mean that no-one can. We can't expect 100% secure, but surely we have a right to expect the banks to get their act together and fix weaknesses as they're found?

    2. Anonymous Coward
      FAIL

      "Your own statistics"

      Hmmm - "99.999999999999% of people don't understand how mag stripe, chip and pin works..." Or equivalently, 0.000000000001% of people do so understand, which works out to somewhat less than 1% of a single person.

  21. John Smith 19 Gold badge
    Thumb Up

    But UK banks are *too* big to fail

    The UK Govt *says* so.*

    * And they've handed them a *big* bag of cash to prove it.

    Seriously, what would be the *real* impact of UK high street bank failure?

    Some top bankers *might* not get their last bonus.

    Disarray as the loan and mortgage books get sold off and it's worked out who people should be making their payments to.

    A bunch of bankers get shown up as f**k witted managers.

    I'd call those *acceptable* losses.

    Thumbs up for the backbone in not giving in to these people who *still* mostly appear to have done f**k all about it.

  22. Anonymous Coward
    FAIL

    The BBC have censored the story.

    Despite having surfaced at least 3 days ago (http://bit.ly/hc2ex3), there is still no mention of this story on the BBC news site.

    Not that they're biased or anything. /sarcasm off

    Someone has certainly complied with the censorship request...

    1. Anonymous Coward
      Anonymous Coward

      The BBC have censored the story.

      It was discussed extensively on 5live yesterday morning. The idiot Nolan was presenting, so most people had probably tuned into something else. I know I would have, given the choice.

  23. Anonymous Coward
    Paris Hilton

    Obvious answer?

    Clearly the banks are uncomfortable with truth.

    It is far better to live in a sublimely rich (and wealthy) fantasy world if the wealth created in that virtual & fantasy world eventually makes its way into the real world (and, of course, bankers' pockets (Q: do bankers use banks? If not why not?)).

    Maybe this PIN thing is just what the banking industry needs to create next profits & bonuses in about 10 years time?

  24. Anonymous Coward
    Pint

    Readers may also wish to have a read of

    Professor Anderson's work relating to "smart" meters.

    Start at http://www.cl.cam.ac.uk/~rja14/ and follow the smart meter links. Or indeed any of his other excellent stuff that catches your eye.

    Seasons greetings.

    1. Anonymous Coward
      Anonymous Coward

      Err...

      I have read it (a while back) and if I recall correctly it reads like a 1st year paper, full of nothingness other than warnings that something bad might happen if the network, a network which doesn't exist, isn't designed properly when it is designed some time in the future.

  25. Anonymous Coward
    Thumb Down

    Another year another 'spectacular'

    Here we go another brilliant PhD Researcher at this backwater of Cambridge University undermines the whole Security of the World Banking System by pulling a little stunt. I wish these guys would give it a break and concentrate on something else, they are as annoying as your average OCD afflicted Penetration Tester.

    If you wish to expose the insecurity in Retail Banking it is easy, Banks leak information every day, they break their own Security Policies hundreds of times a day, Rules are broken as a matter of routine and members of IT teams, especially unvetted external contractors, have access rights which would make you faint.

    Why you would bother to stick an electrical gadget up your sleeve with a wire connecting it to the terminal for a couple of cans of White Lightning is beyond me.

    If you want to trash the Chip and PIN system, just move your Lab to Liverpool and set a few of the locals the challenge.

    How much Tax Payers money is being wasted on this 'Lab'?

  26. Mr Templedene

    BBC censored it?

    At AC who claims the BBC censored the story

    They reported the flaws back in February

    http://news.bbc.co.uk/1/hi/sci/tech/8511710.stm

    They might not have thought the current story worth reporting, but they have covered the issues, lovely last comment by the reporter as well.

    1. Anonymous Coward
      FAIL

      @Mr Templedene - BBC censored it?

      Sorry but you're wrong. They may have reported the flaws earlier in the year, but that wasn't the point. They STILL haven't reported the attempted censorship of Omar Choudary's paper by the ex minister Melanie Johnson at UKCA. See:

      http://www.bbc.co.uk/search/news/?q=%22Omar%20Choudary%22

      http://preview.tinyurl.com/22vguhd

  27. Trollslayer
    Grenade

    As usual

    The banks did nothing until they were forced to.

    Have PIN transmissions been encrypted yet by the way?

  28. Jason Sheldon
    Thumb Down

    Secure?

    If the banks are that worried about fraud, why do they produce 'contactless' debit cards now, where you only have to swipe and don't even NEED a pin number!?

    Ok, you can only do small transactions - but you can still work up quite a spend in a day....

    1. /dev/rant
      Stop

      Re:Secure?

      If you read the blurb that comes with the contactless debit cards, you would know that at random you will be challenged to enter your pin, but I am guessing you do not have a contactless card nor have you bothered to read up on how it works prior to opinionating.

  29. Anonymous Coward
    Anonymous Coward

    It's the banks

    As expected, everyone expects the banks to act but this is an EMV issue NOT a bank issue.

    Barclays are the only ones REPORTED to have fixed the problem. No one knows if other bank cards are affected because the "attack" has only been tested with a Barclaycard at a BMS terminal. And Barclaycard are a Visa customer. There are also lots of MasterCard cards out there as well.

    Kudos to Mr Choudary if he gets a masters degree out of copying Steven Murdoch's paper and then building what is effectively a serial port sniffer/monitor (and the world certainly needs more of those... rolls eyes); good luck to him. There really is nothing new to see here.

    And if that is the best that the Cambridge university students can come up with then I have seriously overestimated the abilities of what I thought was one of the best universities in the world.

    There are much better ways of extracting pin numbers, using brute force against the face of person you are mugging is very effective but I don't think I am going to get a Masters proposing that in an academic paper :)

    1. Anonymous Coward
      Anonymous Coward

      dot dot dot

      Just like most of the stuff that comes out of Prof Anderson's dept, hyped far beyond what it actually shows. This is a shame because they will start to get a reputation for crying wolf, and when they do come up with something serious the industry will be fed up with them.

      (I would admit that if I had to take on a bank in an IT security issue RA would be the first person I went to...)

      Oh and kudos for mentioning that banks aren't payment processors.

  30. Anonymous Coward
    Headmaster

    "banks aren't payment processors."

    Only in the most pedantic sense, where one wishes to distinguish between the organisation issuing the card (eg HSBC) and the (usually one of two) front organisations nominally processing the payments. (Readers may recollect the short-lived UK scam where some big UK retailers decided to nominally "in source" the "payment processing", with the sole purpose of dodging some of the VAT and keeping it for themselves. In a near-unique example of legal sensibleness this scam was ruled illegal. Please refer to Debenhams Retail plc vs HM Customs+Excise).

    Who owns (and is therefore responsible for) VISA? VISA is a publicly quoted company but would anyone be stupid enough to think that it isn't controlled by the relevant banks? Same goes for Mastercard, which started life as the "Interbank Card Association".

    UK banks seem to have had a collective falling out with Mastercard/Maestro. The alleged free market no longer provides a readily available debit card which will be widely acceptable in the countries where VISA Debit isn't (e.g. Germany prefers Maestro).

  31. John Smith 19 Gold badge
    Happy

    The Streisand effect at work.

    Attempt to get document censored.

    Gets it converted into official Technical Report issued by the University.

    Priceless.
