Banking industry worker faces cosh over anonymous rant
Busted over Chip'n'PIN diatribe against Cambridge boffins
Anonymous comments dissing Cambridge University computer scientists for their research into security weaknesses with Chip and PIN have been traced back to a banking industry group worker who acted without the permission of his bosses.
A commentard using the handle Scrutineer tore into research that demonstrated how it might be possible to make a PIN authorised transaction using stolen plastic without actually knowing the PIN, providing the card has not already been cancelled. The man-in-the middle attack exploits security shortcomings in the (Eurocard Mastercard Visa) standard for smartcard payments, or not, according to the commentard.
The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported their cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.
As for the technology used. It isn’t big and it certainly isn’t clever. For Cambridge post graduates with doctorates one would have expected more than a first year electronic engineering student could achieve. Can we please have some meaningful security research rather than this alarmist opinion speak.
The comments on the Cambridge Uni Light Blue Touchpaper blog were quickly traced back to a machine using an IP address allocated to APACS, the UK banking industry association whose job in the area of card security became the work of the UK Cards Association last summer. Professor Anderson, leader of the Cambridge team, noted wryly that the person who made the comment was not very good at anonymity.
"The IP address used by Scrutineer to post is certainly registered to APACS (aka the UK Cards Association)," wrote Steve Murdoch, another member of the team. "I also know that APACS use a proxy for their internet access. So either the commenter just happened to select an open proxy owned by APACS or, more likely, he/she works for APACS."
Scrutineer responded to these gotcha posts with a more measured response, which sidestepped the issue of who he worked for, and praised the Cambridge team's work on the security shortcomings of EMV, a sentiment completely at odds with his initial rant.
My goal, which I probably failed, was to try to encourage a broader debate on the type of issues raised in this valuable research. Let me say again, however that this was valuable research because only fool doesn’t value vulnerability research. It is important and challenging, and I would suggest all the more valuable coming from where the researchers are. The point I was making in the debate is that we are all entitled to our differing assessments of the significance of the vulnerability findings.
Mark, the Reg reader who brought the issue to our attention, described it as apparent "astro-turfing", the practice of presenting a corporate opinion as a grassroots campaign. Put more charitably, the remarks amount to expressing a private opinion without disclosing an industry affiliation.
A spokeswoman for UK Card Association said the posts violated staff internet-use guidelines.
"We have a very clear policy on staff posting comments to blogs/newsgroups and as such this has now become a disciplinary issue," she said.
The UK Card Association's official line on the Cambridge research can be found here.
"The industry strongly refutes the allegation made on Newsnight and in the University of Cambridge’s paper 'Chip & PIN is Broken'," it said. "We do not accept the serious claim that the protocol behind one of the most successful anti-fraud initiatives is either broken or fatally flawed.
"Chip & PIN has been the main factor behind a 66 per cent drop in fraud at UK retail point of sale since 2004," it added.
The statement goes on to say "neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks". ®
Sponsored: Customer Identity and Access Management