Feeds

Banking industry worker faces cosh over anonymous rant

Busted over Chip'n'PIN diatribe against Cambridge boffins

High performance access to file storage

Anonymous comments dissing Cambridge University computer scientists for their research into security weaknesses with Chip and PIN have been traced back to a banking industry group worker who acted without the permission of his bosses.

A commentard using the handle Scrutineer tore into research that demonstrated how it might be possible to make a PIN authorised transaction using stolen plastic without actually knowing the PIN, providing the card has not already been cancelled. The man-in-the middle attack exploits security shortcomings in the (Eurocard Mastercard Visa) standard for smartcard payments, or not, according to the commentard.

The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported their cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.

As for the technology used. It isn’t big and it certainly isn’t clever. For Cambridge post graduates with doctorates one would have expected more than a first year electronic engineering student could achieve. Can we please have some meaningful security research rather than this alarmist opinion speak.

The comments on the Cambridge Uni Light Blue Touchpaper blog were quickly traced back to a machine using an IP address allocated to APACS, the UK banking industry association whose job in the area of card security became the work of the UK Cards Association last summer. Professor Anderson, leader of the Cambridge team, noted wryly that the person who made the comment was not very good at anonymity.

"The IP address used by Scrutineer to post is certainly registered to APACS (aka the UK Cards Association)," wrote Steve Murdoch, another member of the team. "I also know that APACS use a proxy for their internet access. So either the commenter just happened to select an open proxy owned by APACS or, more likely, he/she works for APACS."

Scrutineer responded to these gotcha posts with a more measured response, which sidestepped the issue of who he worked for, and praised the Cambridge team's work on the security shortcomings of EMV, a sentiment completely at odds with his initial rant.

My goal, which I probably failed, was to try to encourage a broader debate on the type of issues raised in this valuable research. Let me say again, however that this was valuable research because only fool doesn’t value vulnerability research. It is important and challenging, and I would suggest all the more valuable coming from where the researchers are. The point I was making in the debate is that we are all entitled to our differing assessments of the significance of the vulnerability findings.

Mark, the Reg reader who brought the issue to our attention, described it as apparent "astro-turfing", the practice of presenting a corporate opinion as a grassroots campaign. Put more charitably, the remarks amount to expressing a private opinion without disclosing an industry affiliation.

A spokeswoman for UK Card Association said the posts violated staff internet-use guidelines.

"We have a very clear policy on staff posting comments to blogs/newsgroups and as such this has now become a disciplinary issue," she said.

The UK Card Association's official line on the Cambridge research can be found here.

"The industry strongly refutes the allegation made on Newsnight and in the University of Cambridge’s paper 'Chip & PIN is Broken'," it said. "We do not accept the serious claim that the protocol behind one of the most successful anti-fraud initiatives is either broken or fatally flawed.

"Chip & PIN has been the main factor behind a 66 per cent drop in fraud at UK retail point of sale since 2004," it added.

The statement goes on to say "neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks". ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.