A Merry Christmas to all Bankers

December 25th, 2010 at 10:27 UTC by Ross Anderson

The bankers’ trade association has written to Cambridge University asking for the MPhil thesis of one of our research students, Omar Choudary, to be taken offline. They complain it contains too much detail of our No-PIN attack on Chip-and-PIN and thus “breaches the boundary of responsible disclosure”; they also complain about Omar’s post on the subject to this blog.

Needless to say, we’re not very impressed by this, and I made this clear in my response to the bankers. (I am embarrassed to see I accidentally left Mike Bond off the list of authors of the No-PIN vulnerability. Sorry, Mike!) There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

Entry filed under: Academic papers, Banking security, Internet censorship, Legal issues, News coverage, Politics, Security engineering

108 comments Add your own

  • 1. Rob  |  December 25th, 2010 at 14:25 UTC

    An excellent response. Merry Christmas.

  • 2. Leon Derczynski  |  December 25th, 2010 at 15:38 UTC

    Wonderful, and quite right. I hope some of them turn up! Merry Christmas Ross.

  • 3. Daniel  |  December 25th, 2010 at 16:19 UTC

    Kudos for keeping the paper up.The banking industry can’t expect to bury their heads in the sand and hope nobody notices the flaws in their systems.

  • 4. Will Godfrey  |  December 25th, 2010 at 16:25 UTC

    Absolutely perfect response.

    Security in finance transactions needs a complete overhaul – by people that actually understand real security, not people doing the minimum, then passing responsibility on to users who have no possibility of controlling the situation.

  • 5. Don  |  December 25th, 2010 at 16:25 UTC

    Perhaps in future, they’ll spend more or security, and less on exorbitant bonuses for their execs.

  • 6. Ehud Gavron  |  December 25th, 2010 at 16:46 UTC

    Haha! Well-written and well-said indeed!


  • 7. adrien  |  December 25th, 2010 at 16:47 UTC

    haha… hopefully someone comes up quickly with a fix that doesn’t involves changing all the atms and card terminals in the world. hmh, maybe i should start paying with gold…

    +100karma for comments 4&5.

  • 8. igb  |  December 25th, 2010 at 16:47 UTC

    Arkell vs Pressdram, it would appear.

  • 9. Roger  |  December 25th, 2010 at 16:52 UTC

    This kind of disclosure is of vital necessity. It shows the banks that their product is bad, it tells the public to be a lot more careful and a lot less trusting of banks.

    Once a paper like this is published, and although [in this case] they apparently already knew about it for a year but didn’t fix it yet, they will now have to fix it or risk embarrassment and liable for damages if they don’t when it could be shown they knew of the problem but chose not to fix it.

    Bankers only care for their big bonus pay outs and they hate being inconvenienced. They owe it to their customers, whom they have shown no reluctance to fleece, to fix their problems.

    Thank you for your excellent work and your academic integrity. Bankers deserve no consideration because they are shown time and again to be bad actors when it comes to defending the needs of their customers. It’s not enough that they don’t care about the safety and security of the trust their customers place in them. Now they want to stifle academic research. It’s unconscionable that these people even have a job in this industry.

  • 10. Concernedresident  |  December 25th, 2010 at 16:59 UTC

    This response only adds to my respect for academia. The banker’s trade association response is akin to asking that no-one draw attention the door they’ve left unlocked for a year.

  • 11. anon  |  December 25th, 2010 at 17:00 UTC

    Brilliant answer, i just laughed my ass off. Merry Christmas.

  • 12. Fencible  |  December 25th, 2010 at 17:10 UTC

    Well said. One can’t help thinking the banks are motivated to conceal and obfuscate, such information just so they can drag their feet fixing this while reducing cost (to them not defrauded customers) by casting doubt upon any claims of unauthorized transactions.

  • 13. anon  |  December 25th, 2010 at 17:14 UTC

    Thanks for this great post, the (hidden) irony, and the great response:

    “The University of Cambridge is a self-governing commu-
    nity of scholars rather than a corporate hierarchy.”

    Indeed. That’s an important detail, a lot of institutions of higher education should keep in mind when dealing with industry and politicians.

    See you at FC2011.

  • 14. loocas  |  December 25th, 2010 at 17:17 UTC

    thank you! :) this made my day. happy holidays!

  • 15. Ransu  |  December 25th, 2010 at 17:39 UTC

    Read your response letter as I work at a lab too, I say this was a major missed opportunity.

    What you should’ve said: ” Listen, your whole system is flawed and full of holes like a tennis racket made of swiss cheese. So for a start immediately buy our university department the following:
    - One of each on their catalog [agilent.com]…
    - And their’s [ni.com]…
    - And their’s [fluke.com]…
    …we’ll send back the ones we don’t need. That should cost you only 50-100 million (you might get a discount). Budget it as a long term investment into transaction systems.”

    At least this is a recurring dream of mine. Oh well, back to the grind … calibrating old Tektronix oscilloscopes…

  • 16. Marc Ruef  |  December 25th, 2010 at 17:57 UTC


    Very nice response, indeed. But this kind of “frank” replies might get you into trouble if it gets to a legal dispute. Although I don’t see any evidence that you might have played to the advantage of the receiving end of your letter, this kind of matters are best handled with consultancy of a lawyer – As I’ve learned of my own ;(



  • 17. Martin Emmerich  |  December 25th, 2010 at 18:47 UTC

    Frohe Weihnachten (= Merry Christmas) as well from Germany!

    A very nice response indeed to a shiny but stinking business still believing in security by obscurity.
    Your letter had made my day on an ordinary day…

  • 18. Cassandra  |  December 25th, 2010 at 18:56 UTC

    I just came here from Boingboing, and that was a fantastic letter. I don’t see why they aren’t snapping up Omar’s devices by the dozen and hailing him as a scholar-citizen whose interest is in patching holes to keep the banks and their customers safer–their PR departments must be asleep not to grab at opportunities to say, “we’re making our system safer, and this scholar, who could be any one of you, is a hero!”

  • 19. Chris Walsh  |  December 25th, 2010 at 19:21 UTC

    “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    Bravo, sir. Nice to see a Christmas Eve reminder that some things truly are sacred.

  • 20. GamlGandalf  |  December 25th, 2010 at 19:23 UTC

    Good job! Keep up the pace!

  • 21. Doug Smith  |  December 25th, 2010 at 19:24 UTC

    British scholars with guts to speak truth to power. The UK is not in decline after all. This Yank says well done!

  • 22. Thinker Tom  |  December 25th, 2010 at 19:32 UTC

    It takes academics to stand up to errant bankers. Powerful corporations don’t seem to have the needed courage.
    I fully expect them to first call up every single higher-up in the authority-chain in the University to try and pressure you to retract everything.
    Might not be a gag order, but a few phone calls. If you can show a real benefit of this like getting a good name for the Univ or getting a patent or some implementation, and so on, that should suffice to keep the bankers away from pestering Univ bosses.
    When they cannot do anything else – like suppressing media reports, writing false reports, etc, then they will hire someone or you to do the work.
    Seeing how they reacted to Wikileaks, there is no telling how irresponsibly financial institutions could behave, if they can get away with it.

  • 23. shark  |  December 25th, 2010 at 19:36 UTC

    I’d recommend the arkell v pressdram response…

  • 24. Nikos  |  December 25th, 2010 at 19:41 UTC

    Well put, what a relief that not everyone is willing to bend over backwards under the pressure of banks.

  • 25. Mark  |  December 25th, 2010 at 19:52 UTC

    Just read the Boing Boing article and to borrow from a phrase in common usage here in Indianapolis, dude, you totally rock.

  • 26. SkipM  |  December 25th, 2010 at 20:01 UTC

    After reading the letter from the banking card association, I wound up snickering, at the end of the letter is the *hint* and veiled accusation that a student did something illegal in the course of research, which can best be described as:

    Police Bait.

    And watch as they go to the Met or someone else and say : “See? Bad, bad, bad, lets’ shut down the school.”

    Make good products, you idiots. And let’s find the stupid CFO that said : “Nah, not worth fixing that, too much money.” and expose that.

    If the banking card association were smart, they’d form an association with these researchers, exchange information & technology, let the students beat up on it and fix the problems. I’m sure Cambridge would be OK with some arrangement like a student finds a defect, everyone works on it, does a paper, and then the information is released after the fix.

    This doesn’t happen now because the banks DO NOT LISTEN and wave lawyers around every time a university tries to be helpful. Idiots.

  • 27. James  |  December 25th, 2010 at 20:03 UTC

    Agree with 23.

  • 28. Russell Neches  |  December 25th, 2010 at 20:22 UTC

    Excellent. Most of the time, I find the pomp and ceremony of academia mildly annoying, but situations like this remind me what all those fancy robes are for. When you need to make a stand on the basis of integrity, it’s helpful to be able to root yourself in a thousand-year-old tradition, funny hats and all.

    This is a proud moment for Cambridge. Hopefully academic leaders elsewhere will take note.


  • 29. Anonymous  |  December 25th, 2010 at 20:44 UTC

    Paxman: What was the response to the Bankers’ Trade Association in 2010 when…

    Announcer: Cambridge, Anderson.

    Anderson: Fuck you!

  • 30. RoryCL  |  December 25th, 2010 at 21:09 UTC


  • 31. Stormy  |  December 25th, 2010 at 21:40 UTC

    Possibly the best thing I have read all Christmas. Bravo sir, bravo!

  • 32. Alan Henness  |  December 25th, 2010 at 21:52 UTC

    “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    And on the birthday of Newton! Superb.

  • 33. Danny  |  December 25th, 2010 at 22:43 UTC

    Hats off and well said, Professor Anderson! :)

  • 34. John Thompson  |  December 25th, 2010 at 22:54 UTC

    Your defence of academic freedom is inspiring. Thank you.

  • 35. Cody Curry  |  December 25th, 2010 at 23:35 UTC

    I just wanted to say thank you for fighting censorship. This information deserves to be put out there, and corporations shouldn’t be able to bully their way out of a hole in their security. You have upheld academic integrity, and should be deserve to be commended for it.

  • 36. Douglas G Stetner  |  December 25th, 2010 at 23:43 UTC

    Thank you for re-affirming my faith in universities.

  • 37. monkkbfr  |  December 25th, 2010 at 23:55 UTC

    Just wanted to say: totally support you and your large set of balls. Reddit salutes you!

  • 38. Brandon Bloom  |  December 25th, 2010 at 23:58 UTC

    Rock on! Keep fighting the good fight.

  • 39. Padraic  |  December 26th, 2010 at 00:14 UTC

    Fair play!


  • 40. {aul  |  December 26th, 2010 at 00:24 UTC

    I salute you!

  • 41. Ally  |  December 26th, 2010 at 00:43 UTC

    Well done, thank you for doing this.

  • 42. Helgi Hrafn Gunnarsson  |  December 26th, 2010 at 00:44 UTC

    An absolutely wonderful response!

  • 43. Richard Henderson  |  December 26th, 2010 at 00:53 UTC

    I thoroughly enjoyed reading this.
    So refreshing to see an institution stand up to the blatant bullying of the big corporate machine.


  • 44. David Gilmour  |  December 26th, 2010 at 01:01 UTC

    At a time of so many organisations rolling over to powerful vested interests, this is heartening to read.

    Which may be potentially more damaging

    We’re not told what is being potentially damaged here. The action suggests that the image of banks is the real concern, not improving security, which benefits from open debate.

    This is evidence that banks continue to be dysfunctional, with an aversion to learning which could easily ensure nothing changes.

  • 45. eobet  |  December 26th, 2010 at 01:05 UTC

    Marvelous writing. Every word of it!

  • 46. Stephen Wilson  |  December 26th, 2010 at 01:09 UTC

    Will Godrey makes the mistake of underestimating the banks. They understand security. Passing risk onto consumers helps make banks secure. Risk “management” does not mean reduction necessarily; not when you can share it around! Sadly they know exactly what they’re doing.

  • 47. Dirk  |  December 26th, 2010 at 01:19 UTC

    Thank you for the letter. It can’t be emphasized often enough how doubtful banks are fulfilling their role in the electronic payment business.

  • 48. I'll get around to it  |  December 26th, 2010 at 01:22 UTC

    Read this on Reddit and just wanted to say thanks for sticking up for freedom of information.

  • 49. David Schwartz  |  December 26th, 2010 at 01:25 UTC

    Great (and all too well deserved) slap-down. The shame is that corporations are incapable of feeling shame.

  • 50. Peter Kootsookos  |  December 26th, 2010 at 02:06 UTC

    Fabulous letter in response! Good to see you backing a student and academic freedom to publish so forcefully.

  • 51. Yifan Lu  |  December 26th, 2010 at 03:22 UTC

    This is the example all organizations should follow.

  • 52. Avery  |  December 26th, 2010 at 03:25 UTC

    Hear, hear!

  • 53. Stephen  |  December 26th, 2010 at 03:42 UTC

    Thank you for holding true to institutional morality that is becoming a rarity. If you ever need support in any way, you have Reddit behind you.

  • 54. Heh  |  December 26th, 2010 at 04:30 UTC

    I wonder anyone you could hear my lulz all the way across the Atlantic?

  • 55. Tom  |  December 26th, 2010 at 04:37 UTC

    You’re a goddamn hero. I wish every researcher had a boss like you.

  • 56. Peter  |  December 26th, 2010 at 05:01 UTC

    Hat off to you! I hope that does its bit to break the herd-mentality of bankers that brought to mind the Hitchhiker’s Guide to the Galaxy description of the Bugblatter Beast of Traal “…The Ravenous Bugblatter Beast of Traal is a creature that hails from the planet of Traal, and will eat anything. The beasts are impossible to kill. To deal with a beast, one should wrap a towel around one’s own head. This creature is so mind-bogglingly stupid that it assumes that if someone cannot see it, then it cannot see the person…”

  • 57. Lane  |  December 26th, 2010 at 05:46 UTC

    Did you notice their “motto” at the bottom of their letter?


    So much for informing.

  • 58. Martin  |  December 26th, 2010 at 10:06 UTC

    Nice letter to the EX-MP for Welwyn Hatfield and Ex-Part of the Labour Administration.

  • 59. RoryAC  |  December 26th, 2010 at 10:32 UTC

    Congratulations! At a time when their casino cousins are reaping unearned benefits at all our expense, it’s great to see someone stick two fingers up at them.

  • 60. Nick Gay  |  December 26th, 2010 at 10:43 UTC

    It is indeed sad that Melanie Johnson should be reduced to being a stooge for a bankers lobby organization. She has strong connections with Cambridge and is a best mate of ex-MP Anne Campbell so should know better than this clumsy attempt at censorship.

  • 61. Mike  |  December 26th, 2010 at 12:57 UTC

    Excellent! I am so pleased that banks’ secrecy of security issues has been exposed in such a manner. I have long thought they are too sneaky and self serving to truly maintain our interests…this was confirmed earlier in the year when I was a victim of pin-number card fraud whilst travelling. (It took a months, numerous complaints and e-mails to convince them it was not my fault.) Furthermore, it is refreshing to be reminded of the professional and unwavering stance that all academic institutions should aspire.

  • 62. P. Fischer  |  December 26th, 2010 at 13:05 UTC

    Chapeau! for this brilliant answer.

    I wanted to write a tiny rant about how sad it is that big companies lost their mid-term and long-term steering capabilities and only seem live in 90 day intervals, but others have done this already in a more elaborate way.

    In fact, you should continue publishing security flaws if you find one *and* make know to the bankers that this will continue on and on, if they continue thinking that security is to be bought by pieces and eternally available afterwards.

    Instead, it is a process of continuously improving.
    At least it should be.

  • 63. S. Stewart  |  December 26th, 2010 at 13:31 UTC

    Read about this in Slashdot.org. Nice to see someone with backbone. Happy Boxing Day!

  • 64. S Davidian  |  December 26th, 2010 at 13:45 UTC

    Fantastic response, and responses. One more vote against bankers and secrets and FOR truth and open-ness.

  • 65. Wolfram Wadepohl  |  December 26th, 2010 at 14:15 UTC

    Excellent. Keep your independence as researchers and withstand any pressure from comercial associations.

  • 66. Chaotic Writer  |  December 26th, 2010 at 14:30 UTC

    Great reaction. That shows how serious is the University of Cambrigde. Please, keep the good work!!!

  • 67. Pazu Kong  |  December 26th, 2010 at 17:39 UTC

    I hope that all universities would do the same and ensure that authentic researches wouldn’t be jeopardized by some nonsense request by the powerful parties.

    Very good job, your students should be very proud of you. Thank you!

    Happy New Year!

  • 68. Gil Friend  |  December 26th, 2010 at 17:58 UTC

    Well done. It’s good to see some backbone being displayed. May more institutions follow your outstanding example of leadership.

  • 69. Martin Keegan  |  December 26th, 2010 at 18:00 UTC

    “It is indeed sad that Melanie Johnson should be reduced to being a stooge for a bankers lobby organization.” – oh come ON! She was undersecretary of state at the DTI when the Copyright Directive was being implemented, and therefore the source of some of the worst stonewalling letters to issue from a British Government.

    According to her letter, “Concern has been expressed to us by the police”. We’re not told if that concern was specifically elicited by the UK Cards Association, and what is the concern supposed to have been about? “Falsifying a transaction”. What does that *actually* mean? Does it actually involve some sort of criminal activity? No, it’s just a way of getting an insinuation of criminality into her letter. I hope the police are happy with the use of their good name in a scurrilous and censorious attempt to suppress commercially inconvenient research.

  • 70. Mike Clark  |  December 26th, 2010 at 18:19 UTC

    Recently academics in Cambridge fought off an attempt to reform Statute U, this is the statute that offers protection of academic freedoms. This example of an attempt by major corporations to gag academic publications because they find the content to be against their liking is precisely why we were right to defend our right to publish. Sadly other UK academic institutions were not so successful in fighting reforms to their own model statutes on academic freedoms so perhaps an attempt at censorship might have been more successful elsewhere in the UK.

    Well done Ross!

  • 71. David Richardson  |  December 26th, 2010 at 19:15 UTC

    Three points from across the pond:

    1: Thank you – All of this needed to be said.

    2: I appreciate that there is still a University in existence that has not been reduced to the status of complete corporate stooge. The U. S. has managed to destroy the integrity of all but a very few of our universities, and I am only giving those the benefit of the doubt until they prove their true colors.

    3: The U. S. already has a legal gag rule on this sort of thing called the DMCA – that is not the official name, but might as well be. Good luck with preventing the same sort of stupidity from killing you – the attempt has been made, and is continuing. I would expect that somebody is already making the case that you have violated the DMCA and should be extradited, or at least arrested should you ever make your way over here – we have already had some cases of this sort. You might want to think about this if you ever feel the need to travel this way.

    Very well done, and do keep up the good work.

  • 72. Brad  |  December 27th, 2010 at 03:03 UTC

    These institutions need to realise that research into the foibles of their products is beneficial. I’d imagine it saves them a lot of time and money having to do it themselves or find out the hard way after a large co-ordinated assault on their infrastructure.

  • 73. Jon O'Brien  |  December 27th, 2010 at 04:46 UTC

    While I wholeheartedly echo the sentiments of those who found the response to the UK Cards Association deeply satisfying, I fear that the many posters applauding what they see as a refusal to knuckle under to the demands of the financial sector have missed the point, clearly made in the response. Even had there been a willingness to sensor Omar Choudary’s work, it would not have been within the power of the University to do so for two reasons: 1) the University has no key to that particular stable door and 2) the horse had long ago bolted.

    For me, it’s these very points, which highlight the stupidity of the Association’s demands and its evident desire to find someone, anyone, to blame for a problem created by its own incompetence, which make the rational response to its foot-stamping all the more succulent. After all, there are few things more satisfying than watching pomposity skillfully, and with dignity, being deflated.

  • 74. Alex  |  December 27th, 2010 at 10:36 UTC

    Is that Melanie Johnson as in the MP and former junior minister?

  • 75. Ed  |  December 27th, 2010 at 11:37 UTC

    Well-said! Bankers control the governments – don’t let them control the academia too.

  • 76. guthrie  |  December 27th, 2010 at 11:53 UTC

    Ed #75 – I suspect the current governments policies will make it even easier for bankers to influence academia.

  • 77. MadMonkIvan  |  December 27th, 2010 at 12:21 UTC

    Marvellous, keep up the good work!

  • 78. lars houteghem  |  December 27th, 2010 at 12:36 UTC

    Trying to be funny defeats your ascertions,the bankers have a point and you would be wise to find a real way of forcing change other than helping script kiddies by boasting about your “finds”.

  • 79. Iain Harrison  |  December 27th, 2010 at 13:52 UTC

    Congratulations for a robust stance. If the bankers had their way, we may as well all give up and emigrate to the USA where corporate greed holds sway instead of an informed democracy

  • 80. Alex  |  December 27th, 2010 at 16:35 UTC

    Answering own question via TWFY and Wikipedia, yes.

  • 81. Metaforest  |  December 27th, 2010 at 17:37 UTC

    Thank you for wonderful belly laugh.

    It is my hope that the banking industry will learn the correct lesson from your reply. I doubt they will. Bravo…. well played.

  • 82. Ross Anderson  |  December 28th, 2010 at 11:40 UTC

    Coverage in the Indy today, following slashdot and others

  • 83. Alvaro Gallegos  |  December 28th, 2010 at 20:42 UTC

    Learning about this down here in Chile, there is one thing I need to say: MUCHAS GRACIAS.

    I would say, Professor Anderson, you are one of the indispensables Brecht was referring to.

    It is hard to believe that your answer could have ever been written in my country, where economic power reign is almost undisputable.

    You should get in touch with Lloyd Constantine, the antitrust lawyer of the 3 billion Merchant’s Case, he would enjoy your answer.

    I have been involved in payment cards system research and I

  • 84. Simon Griffiths  |  December 29th, 2010 at 01:26 UTC

    Thanks for letting everyone know about this.

    One thing that I can’t find in your work is that you mention Barclays have hardened themselves to this attack. How did they do that? Do you have any details anywhere?

    It would be great if you could post a solution for those banks overseas that have not heard about this before.

  • 85. Joost  |  December 29th, 2010 at 10:08 UTC

    Prof Anderson & Dr. Choudary – all I can say is: Keep Up the Good Work!

  • 86. John McHugh  |  December 29th, 2010 at 14:14 UTC

    Happy Happy – Joy! Joy!
    Thank you so much for delivering a such a potent rebuke. Like being kicked in the nuts with carpet slippers! as my old RAF boss used to say.

  • 87. John Collins  |  December 29th, 2010 at 20:04 UTC

    Melanie Johnson used to be Labour MP for Welwyn Garden City until 2 elections ago (the MP is now housing minister Grant Shapps).

    She showed how useless she was in my eyes by ignoring my letters suggesting that the “Millennium Bug” was massively overblown by launching a huge campaign about it in the constituency.

    To see her “defending” bankers like this is no surprise. Funny how “Labour” principles get ditched when a big paycheque is proffered.

  • 88. J  |  December 29th, 2010 at 23:34 UTC


    Well done Prof Anderson.I suspect that the bankers will
    still be (as people like that always are) as useless, thick
    and incompetent as possible on such matters.

    Douglas Adams suggested that all the stupid people
    (telephone sanitisers = bankers?) be sent off in a
    large spacecraft to stop them annoying the rest of us.


  • 89. Mridula  |  December 30th, 2010 at 05:15 UTC

    Hello from India, just to say it feels great to read this.

  • 90. Greg Pytel  |  December 30th, 2010 at 10:49 UTC

    @John Collins: Melanie Johnson’s case of a politician turned financial industry exec shows how City revolving doors work. This kind of closeness between the financial industry and the politicians (of whatever persuasion) is the major cause why bankers who engineered the current crisis will never face justice (or even be investigated in a way common criminals should be investigated).

    On that note, you may wish to read my article “The largest heist in history”

    which proves (using computational complexity approach) that the current financial crisis is a result of massive fraud engineered by the financial industry.

    This paper was accepted as evidence by House of Commons Treasury Committee as they investigated the causes of the current crisis.

    Any comments, especially critical exposing any flaws in my work, will be most welcome. Please send them to me via e-mail (g.pytel98@imperial.ac.uk) or publish them directly on my blog as a comment.

    A more formal article is here: “Computational complexity analysis of Credit Creation”

  • 91. Suzanne Rabey  |  December 30th, 2010 at 13:21 UTC

    This is absolutely brilliant!! A huge amount of respect to you – and thanks for keeping the sanity of well reasoned logic – as opposed to hysterical rhetoric – alive in the UK!

  • 92. Robert S.  |  December 30th, 2010 at 14:45 UTC

    I’m a little late getting to this article (Christmas and no InterWeb, another story) and upon reading it I see my initial thoughts were captured by Martin Emmerich. Martin highlights the false premise of “security by obscurity” or as I was taught in the early 80’s “no security simply by obscurity”.

    History is littered with examples of this fallacious argument. To me the best example was the American WWII Atomic Weapons Program where not event Vice President Truman knew of the weapons existence until he became President but Stalin was well informed and probably knew of the Manhattan Project before Truman. At the time the Americans believed that even if the Soviets knew of the atomic weapon they would not be cable of constructing one for at least a decade or more and they (the Americans) would have a decade or two to consolidate their hegemony. History says otherwise.

    Closer to home we can even measure how false this argument is in monetary terms. How much money would we (UK, http://www.gchq.gov.uk/history/pke.html) raise each year if we had patented asymmetric (Public-key) encryption and charge a penny per transaction instead of trying to keep its possibility a secret?

  • 93. Keith Tayler  |  December 30th, 2010 at 15:38 UTC

    If Omar had not put his MPhil online it would have ended up in the department’s library, the UL and perhaps BL. The bankers would know nothing about it. But a clever bad man into this type of stuff could make the odd visit to these libraries to see what is cutting edge technology. The rest is simple.

    Obviously Omar should put his research online if for no other reason than to protect the bankers. No point in him just sending them his MPhil because, as is clear from the UK Card Association letter, they would claim they have everything under control and do nothing.

    Well done and have a happy New Year.

  • 94. UK citizen  |  December 30th, 2010 at 16:13 UTC

    Absolutely chuffed beyond all previous bounds of chuffedness that you’re standing your ground for citizens who are beholden to the banking industry’s power over them, and for the proper values of education.

    More power to your elbows.

  • 95. queerdenker  |  December 30th, 2010 at 16:47 UTC

    nicely put, great stance. thank you for defending the independence of (true) academia. happy new year!

  • 96. A Reader  |  December 30th, 2010 at 17:18 UTC

    Cambridge and UKCA should/must work harder together on issues like this, disappointed on both of them …

  • 97. Rahere  |  December 30th, 2010 at 20:29 UTC

    Permit me to add another illustration.

    The IBAN code contains two check digits validating the rest according to a single-level algorithm. It’s supposed to make miskeying virtually impossible. Unfortunately any miskeying creates a random integer and one random integer in 97 passes the check digit test.

    Indeed, Intelligent Finance was so ignorant about the use of such techniques it simply assigned a constant to the field for all customers, issuing every one of its customers a completely incorrect IBAN.

    With banks like this, what hope have we?

  • 98. Crawford  |  December 31st, 2010 at 07:07 UTC

    Well done!! Stick to your guns (I’m sure you will anyway) Many people will be inspired by a good example of adherence to the principle of free speech and dissemination of information.

  • 99. David Gerard  |  December 31st, 2010 at 20:11 UTC

    Sir, I do not think that you will be wanting for a *pint* at any drinking establishment in reasonable range any time in the foreseeable future.

  • 100. Tim  |  January 1st, 2011 at 13:32 UTC

    After losing several thousand pounds before my new card was even “activated”, I salute you and your students. Facing foreclosure, I wad forced to pay up. What a discgraceful excuse for a “security” system.

  • 101. Patricia  |  January 1st, 2011 at 21:55 UTC

    I’m starting 2011 with a BIG smile. Well done Ross! This is the best f* u letter to the establishment anyone could think of :)

  • 102. John  |  January 3rd, 2011 at 21:30 UTC

    Well done Prof Anderson for your activities! This is the sort of thing that won the war! I try my hardest to refuse to use this abomination of technology but I can’t. Simply looking over customers shoulders is enough to crack their PIN in any supermarket. If I’m doing it without even thinking about it, surely there are more nefarious types doing it for criminal gain. A simple two man attack wouldn’t be difficult to organise; one with a mobile (cell) phone capturing the PIN, another in the car park with a baseball bat…

    Computer Science is hardcore stuff as the UKCA should know. 8 lines for a postal address is a bit long, don’t you think?

  • 103. Neil Bartlett  |  January 5th, 2011 at 13:12 UTC

    Hi Prof Anderson… I just listened to your interview on Radio 4 with Melanie Johnson and thought you did a great job.

    It’s a shame that you weren’t given the time to answer Ms Johnson’s fatuous closing remarks, but she didn’t do herself or her industry any favours by incessantly spinning and refusing to give a straight answer to any question. In fact, I thought she did a good impression of Michael Howard in the infamous Paxman interview.

    Thank you!

  • 104. Ross Anderson  |  January 5th, 2011 at 15:00 UTC

    What I didn’t get round to saying was that Melanie was the Treasury minister who pushed the Financial Services and Markets Act 2000 through Parliament. This not only damaged banking regulation, by splitting it between the Bank of England, the FSA and the Treasury, but established the dreadful Financial Ombudsman Service which seems rather ready to find for the bank and against the customer in disputes.

  • 105. Greg Pytel  |  January 5th, 2011 at 17:46 UTC

    Dear Professor Anderson

    I share completely your view on the Financial Ombudsman Service. As I researched their tactics to dismiss a valid customer complaint is as follows:

    1. Disregarding facts and points of complaint that would make it valid.
    2. Using fantasy to invent new “facts” that are not even included in the original complaint.

    Then dismiss such a distorted and ridiculous complaint (that has very little to do with the original one). It transpired from my research, that it looks quite likely that the FOS staff is trained with such crude and not entirely honest methodology.

    (Financial Services Authority is not any better in that respect.)

  • 106. David Pottage  |  January 10th, 2011 at 12:57 UTC

    Ars Technica have just picked up this story:

    The security gadget that UK bankers want squelched

  • 107. Trails  |  January 10th, 2011 at 14:54 UTC

    *standing ovation for reply*

    Love it. Please start exporting this attitude to the rest of the commonwealth.

  • 108. Ben Confino  |  January 11th, 2011 at 18:11 UTC

    I just got here from Ars Technica. I’m just here to join Trails’ standing ovation.

    Best wishes.

Leave a Comment


Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


December 2010
« Oct   Jan »