A Merry Christmas to all Bankers

The bankers’ trade association has written to Cambridge University asking for the MPhil thesis of one of our research students, Omar Choudary, to be taken offline. They complain it contains too much detail of our No-PIN attack on Chip-and-PIN and thus “breaches the boundary of responsible disclosure”; they also complain about Omar’s post on the subject to this blog.

Needless to say, we’re not very impressed by this, and I made this clear in my response to the bankers. (I am embarrassed to see I accidentally left Mike Bond off the list of authors of the No-PIN vulnerability. Sorry, Mike!) There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

108 thoughts on “A Merry Christmas to all Bankers”

  1. Kudos for keeping the paper up. The banking industry can’t expect to bury their heads in the sand and hope nobody notices the flaws in their systems.

  2. Absolutely perfect response.

    Security in finance transactions needs a complete overhaul – by people that actually understand real security, not people doing the minimum, then passing responsibility on to users who have no possibility of controlling the situation.

  3. haha… hopefully someone comes up quickly with a fix that doesn’t involve changing all the ATMs and card terminals in the world. hmh, maybe I should start paying with gold…

    +100 karma for comments 4&5.

  4. This kind of disclosure is of vital necessity. It shows the banks that their product is bad, it tells the public to be a lot more careful and a lot less trusting of banks.

    Once a paper like this is published, and although [in this case] they apparently already knew about it for a year but didn’t fix it yet, they will now have to fix it or risk embarrassment and liability for damages if they don’t, when it could be shown they knew of the problem but chose not to fix it.

    Bankers only care for their big bonus pay outs and they hate being inconvenienced. They owe it to their customers, whom they have shown no reluctance to fleece, to fix their problems.

    Thank you for your excellent work and your academic integrity. Bankers deserve no consideration because they are shown time and again to be bad actors when it comes to defending the needs of their customers. It’s not enough that they don’t care about the safety and security of the trust their customers place in them. Now they want to stifle academic research. It’s unconscionable that these people even have a job in this industry.

  5. This response only adds to my respect for academia. The bankers’ trade association response is akin to asking that no-one draw attention to the door they’ve left unlocked for a year.

  6. Well said. One can’t help thinking the banks are motivated to conceal and obfuscate such information just so they can drag their feet fixing this while reducing cost (to them, not defrauded customers) by casting doubt upon any claims of unauthorized transactions.

  7. Thanks for this great post, the (hidden) irony, and the great response:

    “The University of Cambridge is a self-governing community of scholars rather than a corporate hierarchy.”

    Indeed. That’s an important detail, a lot of institutions of higher education should keep in mind when dealing with industry and politicians.

    See you at FC2011.

  8. Read your response letter; as I work at a lab too, I say this was a major missed opportunity.

    What you should’ve said: “Listen, your whole system is flawed and full of holes like a tennis racket made of Swiss cheese. So for a start immediately buy our university department the following:
    – One of each on their catalog [agilent.com]…
    – And theirs [ni.com]…
    – And theirs [fluke.com]…
    …we’ll send back the ones we don’t need. That should cost you only 50-100 million (you might get a discount). Budget it as a long-term investment into transaction systems.”

    At least this is a recurring dream of mine. Oh well, back to the grind … calibrating old Tektronix oscilloscopes…