A Merry Christmas to all Bankers

The bankers’ trade association has written to Cambridge University asking for the MPhil thesis of one of our research students, Omar Choudary, to be taken offline. They complain it contains too much detail of our No-PIN attack on Chip-and-PIN and thus “breaches the boundary of responsible disclosure”; they also complain about Omar’s post on the subject to this blog.

Needless to say, we’re not very impressed by this, and I made this clear in my response to the bankers. (I am embarrassed to see I accidentally left Mike Bond off the list of authors of the No-PIN vulnerability. Sorry, Mike!) There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

108 thoughts on “A Merry Christmas to all Bankers

  1. Kudos for keeping the paper up.The banking industry can’t expect to bury their heads in the sand and hope nobody notices the flaws in their systems.

  2. Absolutely perfect response.

    Security in finance transactions needs a complete overhaul – by people that actually understand real security, not people doing the minimum, then passing responsibility on to users who have no possibility of controlling the situation.

  3. Perhaps in future, they’ll spend more or security, and less on exorbitant bonuses for their execs.

  4. haha… hopefully someone comes up quickly with a fix that doesn’t involves changing all the atms and card terminals in the world. hmh, maybe i should start paying with gold…

    +100karma for comments 4&5.

  5. This kind of disclosure is of vital necessity. It shows the banks that their product is bad, it tells the public to be a lot more careful and a lot less trusting of banks.

    Once a paper like this is published, and although [in this case] they apparently already knew about it for a year but didn’t fix it yet, they will now have to fix it or risk embarrassment and liable for damages if they don’t when it could be shown they knew of the problem but chose not to fix it.

    Bankers only care for their big bonus pay outs and they hate being inconvenienced. They owe it to their customers, whom they have shown no reluctance to fleece, to fix their problems.

    Thank you for your excellent work and your academic integrity. Bankers deserve no consideration because they are shown time and again to be bad actors when it comes to defending the needs of their customers. It’s not enough that they don’t care about the safety and security of the trust their customers place in them. Now they want to stifle academic research. It’s unconscionable that these people even have a job in this industry.

  6. This response only adds to my respect for academia. The banker’s trade association response is akin to asking that no-one draw attention the door they’ve left unlocked for a year.

  7. Well said. One can’t help thinking the banks are motivated to conceal and obfuscate, such information just so they can drag their feet fixing this while reducing cost (to them not defrauded customers) by casting doubt upon any claims of unauthorized transactions.

  8. Thanks for this great post, the (hidden) irony, and the great response:

    “The University of Cambridge is a self-governing commu-
    nity of scholars rather than a corporate hierarchy.”

    Indeed. That’s an important detail, a lot of institutions of higher education should keep in mind when dealing with industry and politicians.

    See you at FC2011.

  9. Read your response letter as I work at a lab too, I say this was a major missed opportunity.

    What you should’ve said: ” Listen, your whole system is flawed and full of holes like a tennis racket made of swiss cheese. So for a start immediately buy our university department the following:
    – One of each on their catalog [agilent.com]…
    – And their’s [ni.com]…
    – And their’s [fluke.com]…
    …we’ll send back the ones we don’t need. That should cost you only 50-100 million (you might get a discount). Budget it as a long term investment into transaction systems.”

    At least this is a recurring dream of mine. Oh well, back to the grind … calibrating old Tektronix oscilloscopes…

  10. Hello,

    Very nice response, indeed. But this kind of “frank” replies might get you into trouble if it gets to a legal dispute. Although I don’t see any evidence that you might have played to the advantage of the receiving end of your letter, this kind of matters are best handled with consultancy of a lawyer – As I’ve learned of my own ;(

    Regards,

    Marc

  11. Frohe Weihnachten (= Merry Christmas) as well from Germany!

    A very nice response indeed to a shiny but stinking business still believing in security by obscurity.
    Your letter had made my day on an ordinary day…

  12. I just came here from Boingboing, and that was a fantastic letter. I don’t see why they aren’t snapping up Omar’s devices by the dozen and hailing him as a scholar-citizen whose interest is in patching holes to keep the banks and their customers safer–their PR departments must be asleep not to grab at opportunities to say, “we’re making our system safer, and this scholar, who could be any one of you, is a hero!”

  13. “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    Bravo, sir. Nice to see a Christmas Eve reminder that some things truly are sacred.

  14. British scholars with guts to speak truth to power. The UK is not in decline after all. This Yank says well done!

  15. It takes academics to stand up to errant bankers. Powerful corporations don’t seem to have the needed courage.
    I fully expect them to first call up every single higher-up in the authority-chain in the University to try and pressure you to retract everything.
    Might not be a gag order, but a few phone calls. If you can show a real benefit of this like getting a good name for the Univ or getting a patent or some implementation, and so on, that should suffice to keep the bankers away from pestering Univ bosses.
    When they cannot do anything else – like suppressing media reports, writing false reports, etc, then they will hire someone or you to do the work.
    Seeing how they reacted to Wikileaks, there is no telling how irresponsibly financial institutions could behave, if they can get away with it.

  16. Well put, what a relief that not everyone is willing to bend over backwards under the pressure of banks.

  17. Just read the Boing Boing article and to borrow from a phrase in common usage here in Indianapolis, dude, you totally rock.

  18. After reading the letter from the banking card association, I wound up snickering, at the end of the letter is the *hint* and veiled accusation that a student did something illegal in the course of research, which can best be described as:

    Police Bait.

    And watch as they go to the Met or someone else and say : “See? Bad, bad, bad, lets’ shut down the school.”

    Make good products, you idiots. And let’s find the stupid CFO that said : “Nah, not worth fixing that, too much money.” and expose that.

    If the banking card association were smart, they’d form an association with these researchers, exchange information & technology, let the students beat up on it and fix the problems. I’m sure Cambridge would be OK with some arrangement like a student finds a defect, everyone works on it, does a paper, and then the information is released after the fix.

    This doesn’t happen now because the banks DO NOT LISTEN and wave lawyers around every time a university tries to be helpful. Idiots.

  19. Excellent. Most of the time, I find the pomp and ceremony of academia mildly annoying, but situations like this remind me what all those fancy robes are for. When you need to make a stand on the basis of integrity, it’s helpful to be able to root yourself in a thousand-year-old tradition, funny hats and all.

    This is a proud moment for Cambridge. Hopefully academic leaders elsewhere will take note.

    Russell

  20. Paxman: What was the response to the Bankers’ Trade Association in 2010 when…

    BZZZT!
    Announcer: Cambridge, Anderson.

    Anderson: Fuck you!

  21. “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    And on the birthday of Newton! Superb.

  22. I just wanted to say thank you for fighting censorship. This information deserves to be put out there, and corporations shouldn’t be able to bully their way out of a hole in their security. You have upheld academic integrity, and should be deserve to be commended for it.

  23. At a time of so many organisations rolling over to powerful vested interests, this is heartening to read.

    Which may be potentially more damaging

    We’re not told what is being potentially damaged here. The action suggests that the image of banks is the real concern, not improving security, which benefits from open debate.

    This is evidence that banks continue to be dysfunctional, with an aversion to learning which could easily ensure nothing changes.

  24. Will Godrey makes the mistake of underestimating the banks. They understand security. Passing risk onto consumers helps make banks secure. Risk “management” does not mean reduction necessarily; not when you can share it around! Sadly they know exactly what they’re doing.

  25. Thank you for the letter. It can’t be emphasized often enough how doubtful banks are fulfilling their role in the electronic payment business.

  26. Read this on Reddit and just wanted to say thanks for sticking up for freedom of information.

  27. Great (and all too well deserved) slap-down. The shame is that corporations are incapable of feeling shame.

  28. Thank you for holding true to institutional morality that is becoming a rarity. If you ever need support in any way, you have Reddit behind you.

  29. Hat off to you! I hope that does its bit to break the herd-mentality of bankers that brought to mind the Hitchhiker’s Guide to the Galaxy description of the Bugblatter Beast of Traal “…The Ravenous Bugblatter Beast of Traal is a creature that hails from the planet of Traal, and will eat anything. The beasts are impossible to kill. To deal with a beast, one should wrap a towel around one’s own head. This creature is so mind-bogglingly stupid that it assumes that if someone cannot see it, then it cannot see the person…”

  30. Did you notice their “motto” at the bottom of their letter?

    REPRESENTING, INFORMING, ADVANCING

    So much for informing.

  31. Congratulations! At a time when their casino cousins are reaping unearned benefits at all our expense, it’s great to see someone stick two fingers up at them.

  32. It is indeed sad that Melanie Johnson should be reduced to being a stooge for a bankers lobby organization. She has strong connections with Cambridge and is a best mate of ex-MP Anne Campbell so should know better than this clumsy attempt at censorship.

  33. Excellent! I am so pleased that banks’ secrecy of security issues has been exposed in such a manner. I have long thought they are too sneaky and self serving to truly maintain our interests…this was confirmed earlier in the year when I was a victim of pin-number card fraud whilst travelling. (It took a months, numerous complaints and e-mails to convince them it was not my fault.) Furthermore, it is refreshing to be reminded of the professional and unwavering stance that all academic institutions should aspire.

  34. Chapeau! for this brilliant answer.

    I wanted to write a tiny rant about how sad it is that big companies lost their mid-term and long-term steering capabilities and only seem live in 90 day intervals, but others have done this already in a more elaborate way.

    In fact, you should continue publishing security flaws if you find one *and* make know to the bankers that this will continue on and on, if they continue thinking that security is to be bought by pieces and eternally available afterwards.

    Instead, it is a process of continuously improving.
    At least it should be.

  35. Excellent. Keep your independence as researchers and withstand any pressure from comercial associations.

  36. I hope that all universities would do the same and ensure that authentic researches wouldn’t be jeopardized by some nonsense request by the powerful parties.

    Very good job, your students should be very proud of you. Thank you!

    Happy New Year!

  37. “It is indeed sad that Melanie Johnson should be reduced to being a stooge for a bankers lobby organization.” – oh come ON! She was undersecretary of state at the DTI when the Copyright Directive was being implemented, and therefore the source of some of the worst stonewalling letters to issue from a British Government.

    According to her letter, “Concern has been expressed to us by the police”. We’re not told if that concern was specifically elicited by the UK Cards Association, and what is the concern supposed to have been about? “Falsifying a transaction”. What does that *actually* mean? Does it actually involve some sort of criminal activity? No, it’s just a way of getting an insinuation of criminality into her letter. I hope the police are happy with the use of their good name in a scurrilous and censorious attempt to suppress commercially inconvenient research.

  38. Recently academics in Cambridge fought off an attempt to reform Statute U, this is the statute that offers protection of academic freedoms. This example of an attempt by major corporations to gag academic publications because they find the content to be against their liking is precisely why we were right to defend our right to publish. Sadly other UK academic institutions were not so successful in fighting reforms to their own model statutes on academic freedoms so perhaps an attempt at censorship might have been more successful elsewhere in the UK.

    Well done Ross!

  39. Three points from across the pond:

    1: Thank you – All of this needed to be said.

    2: I appreciate that there is still a University in existence that has not been reduced to the status of complete corporate stooge. The U. S. has managed to destroy the integrity of all but a very few of our universities, and I am only giving those the benefit of the doubt until they prove their true colors.

    3: The U. S. already has a legal gag rule on this sort of thing called the DMCA – that is not the official name, but might as well be. Good luck with preventing the same sort of stupidity from killing you – the attempt has been made, and is continuing. I would expect that somebody is already making the case that you have violated the DMCA and should be extradited, or at least arrested should you ever make your way over here – we have already had some cases of this sort. You might want to think about this if you ever feel the need to travel this way.

    Very well done, and do keep up the good work.

  40. These institutions need to realise that research into the foibles of their products is beneficial. I’d imagine it saves them a lot of time and money having to do it themselves or find out the hard way after a large co-ordinated assault on their infrastructure.

  41. While I wholeheartedly echo the sentiments of those who found the response to the UK Cards Association deeply satisfying, I fear that the many posters applauding what they see as a refusal to knuckle under to the demands of the financial sector have missed the point, clearly made in the response. Even had there been a willingness to sensor Omar Choudary’s work, it would not have been within the power of the University to do so for two reasons: 1) the University has no key to that particular stable door and 2) the horse had long ago bolted.

    For me, it’s these very points, which highlight the stupidity of the Association’s demands and its evident desire to find someone, anyone, to blame for a problem created by its own incompetence, which make the rational response to its foot-stamping all the more succulent. After all, there are few things more satisfying than watching pomposity skillfully, and with dignity, being deflated.

  42. Ed #75 – I suspect the current governments policies will make it even easier for bankers to influence academia.

  43. Trying to be funny defeats your ascertions,the bankers have a point and you would be wise to find a real way of forcing change other than helping script kiddies by boasting about your “finds”.

  44. Congratulations for a robust stance. If the bankers had their way, we may as well all give up and emigrate to the USA where corporate greed holds sway instead of an informed democracy

  45. Thank you for wonderful belly laugh.

    It is my hope that the banking industry will learn the correct lesson from your reply. I doubt they will. Bravo…. well played.

  46. Learning about this down here in Chile, there is one thing I need to say: MUCHAS GRACIAS.

    I would say, Professor Anderson, you are one of the indispensables Brecht was referring to.

    It is hard to believe that your answer could have ever been written in my country, where economic power reign is almost undisputable.

    You should get in touch with Lloyd Constantine, the antitrust lawyer of the 3 billion Merchant’s Case, he would enjoy your answer.

    I have been involved in payment cards system research and I

  47. Thanks for letting everyone know about this.

    One thing that I can’t find in your work is that you mention Barclays have hardened themselves to this attack. How did they do that? Do you have any details anywhere?

    It would be great if you could post a solution for those banks overseas that have not heard about this before.

  48. Happy Happy – Joy! Joy!
    Thank you so much for delivering a such a potent rebuke. Like being kicked in the nuts with carpet slippers! as my old RAF boss used to say.

  49. Melanie Johnson used to be Labour MP for Welwyn Garden City until 2 elections ago (the MP is now housing minister Grant Shapps).

    She showed how useless she was in my eyes by ignoring my letters suggesting that the “Millennium Bug” was massively overblown by launching a huge campaign about it in the constituency.

    To see her “defending” bankers like this is no surprise. Funny how “Labour” principles get ditched when a big paycheque is proffered.

  50. 🙂

    Well done Prof Anderson.I suspect that the bankers will
    still be (as people like that always are) as useless, thick
    and incompetent as possible on such matters.

    Douglas Adams suggested that all the stupid people
    (telephone sanitisers = bankers?) be sent off in a
    large spacecraft to stop them annoying the rest of us.

    J.

  51. @John Collins: Melanie Johnson’s case of a politician turned financial industry exec shows how City revolving doors work. This kind of closeness between the financial industry and the politicians (of whatever persuasion) is the major cause why bankers who engineered the current crisis will never face justice (or even be investigated in a way common criminals should be investigated).

    On that note, you may wish to read my article “The largest heist in history”

    which proves (using computational complexity approach) that the current financial crisis is a result of massive fraud engineered by the financial industry.

    This paper was accepted as evidence by House of Commons Treasury Committee as they investigated the causes of the current crisis.

    Any comments, especially critical exposing any flaws in my work, will be most welcome. Please send them to me via e-mail (g.pytel98@imperial.ac.uk) or publish them directly on my blog as a comment.

    A more formal article is here: “Computational complexity analysis of Credit Creation”

  52. This is absolutely brilliant!! A huge amount of respect to you – and thanks for keeping the sanity of well reasoned logic – as opposed to hysterical rhetoric – alive in the UK!

  53. I’m a little late getting to this article (Christmas and no InterWeb, another story) and upon reading it I see my initial thoughts were captured by Martin Emmerich. Martin highlights the false premise of “security by obscurity” or as I was taught in the early 80’s “no security simply by obscurity”.

    History is littered with examples of this fallacious argument. To me the best example was the American WWII Atomic Weapons Program where not event Vice President Truman knew of the weapons existence until he became President but Stalin was well informed and probably knew of the Manhattan Project before Truman. At the time the Americans believed that even if the Soviets knew of the atomic weapon they would not be cable of constructing one for at least a decade or more and they (the Americans) would have a decade or two to consolidate their hegemony. History says otherwise.

    Closer to home we can even measure how false this argument is in monetary terms. How much money would we (UK, http://www.gchq.gov.uk/history/pke.html) raise each year if we had patented asymmetric (Public-key) encryption and charge a penny per transaction instead of trying to keep its possibility a secret?

  54. If Omar had not put his MPhil online it would have ended up in the department’s library, the UL and perhaps BL. The bankers would know nothing about it. But a clever bad man into this type of stuff could make the odd visit to these libraries to see what is cutting edge technology. The rest is simple.

    Obviously Omar should put his research online if for no other reason than to protect the bankers. No point in him just sending them his MPhil because, as is clear from the UK Card Association letter, they would claim they have everything under control and do nothing.

    Well done and have a happy New Year.

  55. Absolutely chuffed beyond all previous bounds of chuffedness that you’re standing your ground for citizens who are beholden to the banking industry’s power over them, and for the proper values of education.

    More power to your elbows.

  56. nicely put, great stance. thank you for defending the independence of (true) academia. happy new year!

  57. Cambridge and UKCA should/must work harder together on issues like this, disappointed on both of them …

  58. Permit me to add another illustration.

    The IBAN code contains two check digits validating the rest according to a single-level algorithm. It’s supposed to make miskeying virtually impossible. Unfortunately any miskeying creates a random integer and one random integer in 97 passes the check digit test.

    Indeed, Intelligent Finance was so ignorant about the use of such techniques it simply assigned a constant to the field for all customers, issuing every one of its customers a completely incorrect IBAN.

    With banks like this, what hope have we?

  59. Well done!! Stick to your guns (I’m sure you will anyway) Many people will be inspired by a good example of adherence to the principle of free speech and dissemination of information.

  60. After losing several thousand pounds before my new card was even “activated”, I salute you and your students. Facing foreclosure, I wad forced to pay up. What a discgraceful excuse for a “security” system.

  61. I’m starting 2011 with a BIG smile. Well done Ross! This is the best f* u letter to the establishment anyone could think of 🙂

  62. Well done Prof Anderson for your activities! This is the sort of thing that won the war! I try my hardest to refuse to use this abomination of technology but I can’t. Simply looking over customers shoulders is enough to crack their PIN in any supermarket. If I’m doing it without even thinking about it, surely there are more nefarious types doing it for criminal gain. A simple two man attack wouldn’t be difficult to organise; one with a mobile (cell) phone capturing the PIN, another in the car park with a baseball bat…

    Computer Science is hardcore stuff as the UKCA should know. 8 lines for a postal address is a bit long, don’t you think?

  63. Hi Prof Anderson… I just listened to your interview on Radio 4 with Melanie Johnson and thought you did a great job.

    It’s a shame that you weren’t given the time to answer Ms Johnson’s fatuous closing remarks, but she didn’t do herself or her industry any favours by incessantly spinning and refusing to give a straight answer to any question. In fact, I thought she did a good impression of Michael Howard in the infamous Paxman interview.

    Thank you!

  64. What I didn’t get round to saying was that Melanie was the Treasury minister who pushed the Financial Services and Markets Act 2000 through Parliament. This not only damaged banking regulation, by splitting it between the Bank of England, the FSA and the Treasury, but established the dreadful Financial Ombudsman Service which seems rather ready to find for the bank and against the customer in disputes.

  65. Dear Professor Anderson

    I share completely your view on the Financial Ombudsman Service. As I researched their tactics to dismiss a valid customer complaint is as follows:

    1. Disregarding facts and points of complaint that would make it valid.
    2. Using fantasy to invent new “facts” that are not even included in the original complaint.

    Then dismiss such a distorted and ridiculous complaint (that has very little to do with the original one). It transpired from my research, that it looks quite likely that the FOS staff is trained with such crude and not entirely honest methodology.

    (Financial Services Authority is not any better in that respect.)

  66. *standing ovation for reply*

    Love it. Please start exporting this attitude to the rest of the commonwealth.

  67. I just got here from Ars Technica. I’m just here to join Trails’ standing ovation.

    Best wishes.

Leave a Reply to guthrie Cancel reply

Your email address will not be published. Required fields are marked *