Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses
from the that'll-work dept
The chip and PIN system that is used for financial transactions throughout large parts of Europe and Canada (still surprised that it hasn't really come to the US...) has numerous vulnerabilities that have been detailed over the years. In the past year alone, a number of problems and weaknesses in the system have been highlighted. Apparently, the financial industry isn't happy about this, but rather than fixing the problems it's reacting in the usual way: going after the messenger. Slashdot points us to the news that the UK Cards Association -- a trade group representing banks and credit card companies -- has asked Cambridge researchers to remove a thesis which highlights some of the vulnerabilities. You can see the demand letter embedded below, and it's fairly amusing. The letter claims that the publication (which you can read about on the website of its author, Omar Choudary, where he describes a device for intercepting, monitoring and modifying such transaction data) "oversteps the boundaries of what constitutes responsible disclosure." In other words, they're not happy about it, so Cambridge should force the student to shut up. Of course, what's amusing is that after chiding Cambridge University for such irresponsible publishing, the Association then tries to downplay the significance of the whole thing anyway:
Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry's fraud prevention systems would be able to detect when such an attack had happened.
So why take it down?
Nevertheless, publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them and/or give organised crime access to material they might be able to develop further.
This, of course, is the very definition of an organization that thinks security through obscurity works. The thing is, if these students figured out these problems, it's pretty damn likely that organized crime has already figured out the same thing and has probably developed the idea much further. Pretending otherwise is simply naive.
The UK Cards Association then goes on to lecture Cambridge University on its standards of what should be considered publishable, and worries about "future research." The response from Ross Anderson at Cambridge (linked above) is pretty straightforward, basically saying, yes, you absolutely should be worried about it:
The bankers also fret that "future research, which may potentially be more damaging, may also be published in this level of detail". Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that's been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!
A note to the financial industry: perhaps instead of worrying about student papers, you should worry about a system that is vulnerable to so many problems.
Filed Under: banks, cambridge, chip and pin, credit cards, obscurity, security, uk
Reader Comments
more to it
this is well beyond trying to put the cat back in the bag, and just straight up ignorance. they asked the school to censor themselves and the school rightfully refused.
Maybe you should have quoted the school's reply? It's appropriate:
"Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."
oh, and the best part
"Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009." Guess that means 2 years ago, not 9 months ago.
Re: oh, and the best part
Priorities
Re: oh, and the best part
this broad is so full of shit.
2 years later (after responsible disclosure) and it's still not fixed... who's being irresponsible.
way to put some of that spin on it, melanie
Re: Re: oh, and the best part
Maybe they already know...
Re: more to it
That is a beautiful quote.
Re: Maybe they already know...
Sadly, I think you are right about this. It is likely the same reason why they haven't done anything about rampant identity theft (because their costs are externalized on their customers) and credit card fraud in general. They could fix the problem, but right now the fix is more expensive than their cost of the problem. They could stop sending out personalized forms for credit cards through the mail (which often get intercepted and then used for identity theft) and introduce some sort of single-use system for credit cards, but both would get in the way of them making the most money (legitimately or otherwise).
Re: Re: Re: oh, and the best part
Or a far more personal example...in 2002, I released a vulnerability report on a particular printer manufacturer who routinely put unauthenticated back-doors in their products. I made sure to communicate with them ahead of time, notifying them that the organization I worked for was very upset with the vulnerability and wanted it fixed, and I was willing to work with them to make sure that a firmware update would be made available to fix the problem. They never responded, even though I sent the email directly to their support folks.
Three weeks later, I released the report, and within six months they were asking my employer to fire me and were asking for my head on a platter. Yet, they did nothing to fix the problem, and introduced new problems in newer versions of their printers. I discovered these newer problems, and contacted them directly, but received no response. I released another report on the newer problems, and they again were asking for my head on a platter. My boss at the time was quite pleased with me, and no one in the organization complied. They tried to buy me off to keep me quiet, but that didn't work either.
Finally, in another line of printers, I discovered the mother of all unauthenticated back-doors, which allowed direct access to the printer's memory, and allowed the attacker to read from and inject into the printer's memory directly. I again contacted them directly. This time, they decided to work with us instead of freaking out and shooting the messenger. They released a technote telling their customers to disable the web server and put all printers behind a firewall which limited access to the web server.
Unfortunately, they haven't fixed the problem, only covered it up since even their newest printers have the same flaw.
Re: Re: oh, and the best part
never attribute to malice that which can also be explained by stupidity.
i think this is probably honest to god ignorance. i see the same reaction all the time when people haven't thought a security issue all the way through.
Re: Maybe they already know...
I should know: I did it on my own debit card in 2006 as part of a CompSci project. They don't really care who uses your card, so long as the fees get paid.
Re: Re: Maybe they already know... Yep, they do!
Business Ethics
Many of these companies have great control in their respective markets and competition just isn't around. It seems to me that the natural forces of the market just aren't there to punish these companies' blatant ethical incompetence.
What does it say about doing business in the world when it appears integrity and honesty have become something of an inside joke?
Security Maxims
Particularly this one:
# Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
# Comment: An entertaining example of this common phenomenon can be found in “Surely You are Joking, Mr. Feynman!”, published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).
And people don't want to regulate banks? That is just absurd, because a) they are powerful and will fight for their interests and b) without regulation they will just screw people over.
Re: Re: Re: Maybe they already know... Yep, they do!
> hasn't been addressed seriously by anyone in the US.
Or in the UK, either, since this is, after all, a UK banking association we're talking about.