Home News UK & World News

Row over bank card loophole thesis

A Cambridge University professor has accused the bank cards industry of making a "very nasty attempt at censorship" over a flaw in chip and PIN technology.

The UK Cards Association (UKCA), which represents the country's biggest banks, wrote to the university to try to remove the online publication of research which shows how a £20 hand-held device could be used to buy goods without entering the correct PIN.

Ross Anderson, professor of security engineering at Cambridge University's Computer Laboratory, said: "This was absolutely unacceptable. It was a very, very nasty attempt at censorship."

Melanie Johnson, a former Labour Treasury minister who is now chair of the UKCA, wrote to the university's director of communications earlier this month saying the publication "oversteps the boundaries of what constitutes responsible disclosure".

She said the paper, The Smart Card Detective, by MPhil research student Omar Choudary, "places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN". She said the type of attack described was "difficult to undertake" and "unlikely to interest genuine fraudsters" but said the "level of detail" published was worrying and asked for the research to be removed and said police had expressed concern the student "was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant".

But Mr Anderson said exposing vulnerabilities in the system was an example of "responsible disclosure" and said the industry had been guilty of "sitting on their butts and doing nothing" since he and fellow scientists first revealed the flaw in late 2009.

In a response letter, he wrote: "You seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values."

He continued: "You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."

Prof Anderson said he had authorised the thesis to be issued as a Computer Laboratory technical report. He said there was no basis for police concern as there was no intent to commit fraud, as the card holder gave his consent and the merchant was paid. He added that Barclays Bank did appear to have closed the technological loophole although other banks were yet to fix the problem.

A UKCA spokeswoman said: "The UK Cards Association has written to Cambridge not to challenge the work of the university's security academics but only to challenge whether publishing explicit details of how to attempt a fraud - specifically one which there is no evidence of a fraudster yet undertaking - is necessary and serving the public's best interest. We remain hopeful that the academics concerned will work with us rather than against us to help defeat the fraudsters - as unfortunately it is only the fraudsters who stand to gain from any lack of cooperation between us."