Feeds

Banking industry worker faces cosh over anonymous rant

Busted over Chip'n'PIN diatribe against Cambridge boffins

Website security in corporate America

Anonymous comments dissing Cambridge University computer scientists for their research into security weaknesses with Chip and PIN have been traced back to a banking industry group worker who acted without the permission of his bosses.

A commentard using the handle Scrutineer tore into research that demonstrated how it might be possible to make a PIN authorised transaction using stolen plastic without actually knowing the PIN, providing the card has not already been cancelled. The man-in-the middle attack exploits security shortcomings in the (Eurocard Mastercard Visa) standard for smartcard payments, or not, according to the commentard.

The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported their cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.

As for the technology used. It isn’t big and it certainly isn’t clever. For Cambridge post graduates with doctorates one would have expected more than a first year electronic engineering student could achieve. Can we please have some meaningful security research rather than this alarmist opinion speak.

The comments on the Cambridge Uni Light Blue Touchpaper blog were quickly traced back to a machine using an IP address allocated to APACS, the UK banking industry association whose job in the area of card security became the work of the UK Cards Association last summer. Professor Anderson, leader of the Cambridge team, noted wryly that the person who made the comment was not very good at anonymity.

"The IP address used by Scrutineer to post is certainly registered to APACS (aka the UK Cards Association)," wrote Steve Murdoch, another member of the team. "I also know that APACS use a proxy for their internet access. So either the commenter just happened to select an open proxy owned by APACS or, more likely, he/she works for APACS."

Scrutineer responded to these gotcha posts with a more measured response, which sidestepped the issue of who he worked for, and praised the Cambridge team's work on the security shortcomings of EMV, a sentiment completely at odds with his initial rant.

My goal, which I probably failed, was to try to encourage a broader debate on the type of issues raised in this valuable research. Let me say again, however that this was valuable research because only fool doesn’t value vulnerability research. It is important and challenging, and I would suggest all the more valuable coming from where the researchers are. The point I was making in the debate is that we are all entitled to our differing assessments of the significance of the vulnerability findings.

Mark, the Reg reader who brought the issue to our attention, described it as apparent "astro-turfing", the practice of presenting a corporate opinion as a grassroots campaign. Put more charitably, the remarks amount to expressing a private opinion without disclosing an industry affiliation.

A spokeswoman for UK Card Association said the posts violated staff internet-use guidelines.

"We have a very clear policy on staff posting comments to blogs/newsgroups and as such this has now become a disciplinary issue," she said.

The UK Card Association's official line on the Cambridge research can be found here.

"The industry strongly refutes the allegation made on Newsnight and in the University of Cambridge’s paper 'Chip & PIN is Broken'," it said. "We do not accept the serious claim that the protocol behind one of the most successful anti-fraud initiatives is either broken or fatally flawed.

"Chip & PIN has been the main factor behind a 66 per cent drop in fraud at UK retail point of sale since 2004," it added.

The statement goes on to say "neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks". ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.