Banking industry worker faces cosh over anonymous rant
Busted over Chip'n'PIN diatribe against Cambridge boffins
Anonymous comments dissing Cambridge University computer scientists for their research into security weaknesses in Chip and PIN have been traced back to a banking industry group worker who acted without the permission of his bosses.
A commentard using the handle Scrutineer tore into research that demonstrated how it might be possible to make a PIN-authorised transaction using stolen plastic without actually knowing the PIN, provided the card has not already been cancelled. The man-in-the-middle attack exploits security shortcomings in the EMV (Europay, Mastercard, Visa) standard for smartcard payments, or does not, according to the commentard.
The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported the cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.
As for the technology used: it isn't big and it certainly isn't clever. For Cambridge post-graduates with doctorates one would have expected more than a first-year electronic engineering student could achieve. Can we please have some meaningful security research rather than this alarmist opinion-speak.
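The "inconsistent CVR and TVR settings" remark is the key technical point in the exchange. In the attack the article describes, a device sitting between the stolen card and the terminal answers the terminal's PIN check on the card's behalf, so the terminal records that a PIN was verified while the card itself never saw one. The card's own verification results travel to the issuer alongside the terminal's, so an issuer can compare the two views. The following is an added example written for this page, not code from the article or from the Cambridge team: a simplified, constructed model of the two views and a consistency check run over a few constructed authorisation records. Real EMV carries these values in TVR, CVM Results and the scheme-proprietary CVR inside Issuer Application Data; the bit-level encodings vary by scheme and are deliberately not reproduced, so the field names and enum values below are assumptions.

```python
"""Issuer-side cardholder-verification consistency check (illustrative).

Added example, not the article's or the Cambridge paper's code. The record
layout is a constructed simplification: in real EMV the terminal's view lives
in TVR (tag 95) and CVM Results (tag 9F34), and the card's view in the
issuer-proprietary CVR inside Issuer Application Data (tag 9F10). Exact bit
positions differ per card scheme and are not modelled here.
"""
from dataclasses import dataclass
from enum import Enum


class Cvm(Enum):
    """Cardholder verification method the terminal reports it performed."""
    NONE = "no CVM"
    SIGNATURE = "signature"
    OFFLINE_PIN = "offline PIN (verified by the card)"
    ONLINE_PIN = "online PIN (verified by the issuer)"


@dataclass(frozen=True)
class TerminalView:
    cvm_performed: Cvm
    cvm_successful: bool  # for OFFLINE_PIN this is only what the card, or a wedge, told the terminal


@dataclass(frozen=True)
class CardView:
    offline_pin_attempted: bool  # card actually received a VERIFY command
    offline_pin_ok: bool         # and the PIN it checked matched


@dataclass(frozen=True)
class AuthRequest:
    txn_id: str
    terminal: TerminalView
    card: CardView


def check_cvm_consistency(req: AuthRequest) -> list[str]:
    """Return a list of inconsistencies between terminal and card views (empty = consistent)."""
    t, c = req.terminal, req.card
    findings = []
    if t.cvm_performed is Cvm.OFFLINE_PIN and t.cvm_successful:
        if not c.offline_pin_attempted:
            # The man-in-the-middle fingerprint: terminal believes the card verified a PIN,
            # but the card never processed a VERIFY at all.
            findings.append("terminal reports offline PIN verified, card never received VERIFY")
        elif not c.offline_pin_ok:
            findings.append("terminal reports offline PIN verified, card recorded PIN failure")
    if t.cvm_performed in (Cvm.SIGNATURE, Cvm.NONE) and c.offline_pin_attempted:
        findings.append("card processed a PIN but terminal reports signature / no CVM")
    # ONLINE_PIN is checked by the issuer directly from the encrypted PIN block,
    # so a wedge between card and terminal cannot fake it; nothing to cross-check here.
    return findings


def flag_batch(requests: list[AuthRequest]) -> dict[str, list[str]]:
    """Run the check over a batch and return {txn_id: findings} for flagged transactions only."""
    return {r.txn_id: f for r in requests if (f := check_cvm_consistency(r))}


# Constructed sample batch (not real transaction data).
SAMPLE_BATCH = [
    # Honest offline-PIN transaction: both sides agree.
    AuthRequest("T1", TerminalView(Cvm.OFFLINE_PIN, True), CardView(True, True)),
    # Wedge answered the VERIFY: terminal says PIN ok, card saw no PIN at all.
    AuthRequest("T2", TerminalView(Cvm.OFFLINE_PIN, True), CardView(False, False)),
    # Honest signature transaction.
    AuthRequest("T3", TerminalView(Cvm.SIGNATURE, True), CardView(False, False)),
    # Wrong PIN entered; terminal honestly reports failure, so nothing to flag.
    AuthRequest("T4", TerminalView(Cvm.OFFLINE_PIN, False), CardView(True, False)),
]

if __name__ == "__main__":
    for txn, findings in flag_batch(SAMPLE_BATCH).items():
        print(txn, "->", "; ".join(findings))
```

The check only has teeth while the issuer actually receives and compares the card's verification results; a terminal-only fraud rule that trusts CVM Results cannot see the discrepancy, which is why the dispute in the article is about what the issuer does with the CVR rather than about the terminal.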
The comments on the Cambridge Uni Light Blue Touchpaper blog were quickly traced back to a machine using an IP address allocated to APACS, the UK banking industry association whose card security remit passed to the UK Cards Association last summer. Professor Anderson, leader of the Cambridge team, noted wryly that the person who made the comment was not very good at anonymity.
"The IP address used by Scrutineer to post is certainly registered to APACS (aka the UK Cards Association)," wrote Steve Murdoch, another member of the team. "I also know that APACS use a proxy for their internet access. So either the commenter just happened to select an open proxy owned by APACS or, more likely, he/she works for APACS."
Scrutineer replied to these gotcha posts with a more measured response, which sidestepped the issue of who he worked for and praised the Cambridge team's work on the security shortcomings of EMV, a sentiment completely at odds with his initial rant.
My goal, which I probably failed, was to try to encourage a broader debate on the type of issues raised in this valuable research. Let me say again, however, that this was valuable research, because only a fool doesn't value vulnerability research. It is important and challenging, and I would suggest all the more valuable coming from where the researchers are. The point I was making in the debate is that we are all entitled to our differing assessments of the significance of the vulnerability findings.
Mark, the Reg reader who brought the issue to our attention, described it as apparent "astro-turfing", the practice of presenting a corporate opinion as a grassroots campaign. Put more charitably, the remarks amount to expressing a private opinion without disclosing an industry affiliation.
A spokeswoman for the UK Cards Association said the posts violated staff internet-use guidelines.
"We have a very clear policy on staff posting comments to blogs/newsgroups and as such this has now become a disciplinary issue," she said.
The UK Cards Association's official line on the Cambridge research can be found here.
"The industry strongly refutes the allegation made on Newsnight and in the University of Cambridge’s paper 'Chip & PIN is Broken'," it said. "We do not accept the serious claim that the protocol behind one of the most successful anti-fraud initiatives is either broken or fatally flawed.
"Chip & PIN has been the main factor behind a 66 per cent drop in fraud at UK retail point of sale since 2004," it added.
The statement goes on to say "neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks". ®
If he deserved smacking down because of the style and content then that should have been addressed in a response.
Responding by publicising his IP is morally dubious and intellectually bankrupt. There are several times in the Reg blogs where a commenter imparts some interesting inside information. If it's false information then this should be addressed, debated.
If the reg started publicising IP addresses of posters that disagreed with the editorial line the site would be f'ked.
He made a valid comment...
...and it deserved a valid reply, not an attack. It was not astroturfing.
Yes the card would have been flagged stolen, but when? I had a card stolen, I did not know it was stolen until the next day when I could not find it. In the day it was away it was used to buy petrol in Switzerland, and for toll roads in Italy.
Ergo saying that the card would have been flagged stolen misses that there is the gap between a card being stolen and noticed and reported during which this attack works. Hence his comment is correct, yet misses a case where the attack works.
As for the Cambridge researchers being over-sensitive to his "first year electronic engineering student" comments: they are little cry babies and need to grow up!
HE believed he had pointed to a flaw in their thinking and merely chided them; THEY could have pointed out why their thinking is correct and thus proved themselves to be grown-up. Instead they did the little cry-baby thing of name calling.
As for Astro turf, well surf Youtube on anything critical of Israel, and note the contrived comments and -6 score for any comment critical of Israel, e.g. :
i.e. a team of 6 astroturfers working there, or 1 turfer with 6 YouTube accounts.
Storm, meet tea cup
Firstly, to declare my interests. I work in information security at a bank and I know the people at UK Payments (APACS).
Although I do not know who wrote the response, it was obviously from pure personal frustration at a rather improbable hack.
The thing to remember is that if you can physically break into and control a machine you can do all sorts of things.
Here's an exercise for the student: imagine a scenario in which this hack could be used. Whatever scenario you imagined, you can almost certainly think of an easier and more profitable exploit in those circumstances. (In this case the question is where is the shopkeeper? Where is the fraudster? If the shopkeeper is missing, and the fraudster is in the shop, it might be easier just to leg it with the goods).
Many people in the banking security industry do the kind of analysis which Prof Anderson's team publish - although sadly we don't often get a chance to build the toys ourselves and we don't get PhDs out of it ;-) But you have to keep in mind the misuse case, the scenarios you are protecting against. This is the key to staying sane, staying focused on the important risks, and not obsessing over the wrong details.
Prof Anderson has an honorable record in defending innocent customers against the banks' technological conceits, and I expect this is part of that continuing battle. But this one is a storm in a tea cup.