Feeds

Banking industry worker faces cosh over anonymous rant

Busted over Chip'n'PIN diatribe against Cambridge boffins

Top 5 reasons to deploy VMware with Tegile

Anonymous comments dissing Cambridge University computer scientists for their research into security weaknesses with Chip and PIN have been traced back to a banking industry group worker who acted without the permission of his bosses.

A commentard using the handle Scrutineer tore into research that demonstrated how it might be possible to make a PIN authorised transaction using stolen plastic without actually knowing the PIN, providing the card has not already been cancelled. The man-in-the middle attack exploits security shortcomings in the (Eurocard Mastercard Visa) standard for smartcard payments, or not, according to the commentard.

The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported their cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.

As for the technology used. It isn’t big and it certainly isn’t clever. For Cambridge post graduates with doctorates one would have expected more than a first year electronic engineering student could achieve. Can we please have some meaningful security research rather than this alarmist opinion speak.

The comments on the Cambridge Uni Light Blue Touchpaper blog were quickly traced back to a machine using an IP address allocated to APACS, the UK banking industry association whose job in the area of card security became the work of the UK Cards Association last summer. Professor Anderson, leader of the Cambridge team, noted wryly that the person who made the comment was not very good at anonymity.

"The IP address used by Scrutineer to post is certainly registered to APACS (aka the UK Cards Association)," wrote Steve Murdoch, another member of the team. "I also know that APACS use a proxy for their internet access. So either the commenter just happened to select an open proxy owned by APACS or, more likely, he/she works for APACS."

Scrutineer responded to these gotcha posts with a more measured response, which sidestepped the issue of who he worked for, and praised the Cambridge team's work on the security shortcomings of EMV, a sentiment completely at odds with his initial rant.

My goal, which I probably failed, was to try to encourage a broader debate on the type of issues raised in this valuable research. Let me say again, however that this was valuable research because only fool doesn’t value vulnerability research. It is important and challenging, and I would suggest all the more valuable coming from where the researchers are. The point I was making in the debate is that we are all entitled to our differing assessments of the significance of the vulnerability findings.

Mark, the Reg reader who brought the issue to our attention, described it as apparent "astro-turfing", the practice of presenting a corporate opinion as a grassroots campaign. Put more charitably, the remarks amount to expressing a private opinion without disclosing an industry affiliation.

A spokeswoman for UK Card Association said the posts violated staff internet-use guidelines.

"We have a very clear policy on staff posting comments to blogs/newsgroups and as such this has now become a disciplinary issue," she said.

The UK Card Association's official line on the Cambridge research can be found here.

"The industry strongly refutes the allegation made on Newsnight and in the University of Cambridge’s paper 'Chip & PIN is Broken'," it said. "We do not accept the serious claim that the protocol behind one of the most successful anti-fraud initiatives is either broken or fatally flawed.

"Chip & PIN has been the main factor behind a 66 per cent drop in fraud at UK retail point of sale since 2004," it added.

The statement goes on to say "neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks". ®

Beginner's guide to SSL certificates

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.