Banks attempt to suppress maths student’s exposé of chip and pin

Source: vigilantcitizen.com

Richard Garner
The Independant

Omar Choudary, a PhD student at the University of Cambridge; right, his supervisor, Professor Ross Anderson who researches glitches in chip-and-pin banking

Cambridge computer scientists have become embroiled in angry exchanges with Britain’s banks and credit card lenders, accusing them of bullying and trying to “censor” a PhD student who was exposing flaws in chip-and-pin machines.

A leading Cambridge academic has now written to bankers’ representatives demanding that they stop pressing for the removal of a student’s doctorate work from the web.

Professor Ross Anderson, from Cambridge University’s Computer Laboratory, has previously researched glitches in chip-and-pin banking that allow withdrawals to be made from accounts without needing to know the holder’s PIN. As part of his thesis work, one of his students, Omar Choudary, exposed how easy it was to make such a withdrawal.

Then the UK Cards Association, a trade body representing leading banking organisations, approached the university asking it to remove the thesis from his website, which is accessible through a university site.

Melanie Johnson, who chairs UKCA, argued that the web publication “oversteps the boundaries of what constitutes reasonable disclosure” by giving too much detail on how the chip-and-pin system could be breached.

Professor Anderson said her request “showed a misconception of what universities are and how we work… You seem to think that we might censor a student’s thesis – which is lawful and already in the public domain – simply because a powerful interest group finds it inconvenient,” he said.

“Cambridge is the university of Erasmus, of Newton and of Darwin. Censoring writings that offend the powerful is offensive to our deepest values.”

He added: “I have authorised the thesis to be issued as a computer laboratory technical report. This will make it easier for people to find and to cite, and will ensure that its presence on our website is permanent.” He rejected her allegation that the student was encouraging fraud by giving details of a blueprint for a device which is alleged to exploit a loophole in the security of chip-and-pin technology.

In her letter, which was sent to the university’s head of communications, Ms Johnson also claimed that the police had expressed concern that the student was “allowed to falsify a transaction … without first warning the merchant”.

Professor Anderson said the transaction had been carried out with the consent of the card owner, adding: “At no time was there any intent to commit fraud; the [card owner's] account was debited in due course … and the merchant [from whom he had purchased goods] was paid.”

He added: “You complain that the work may undermine public confidence in the payments system. What will support confidence in the payments system is evidence that the banks are frank and honest in admitting weaknesses when they are exposed, and diligent in affecting the necessary remedies.

“Your letter shows that … your member banks do their lamentable best to deprecate the work of those outside their cosy club and indeed to censor it.”

Professor Anderson told The Independent: “Everyone in the university is behind us on this one. The thesis was on Omar Choudary’s website and there is no way we can allow this to be censored.”

He added that only Barclays had taken action to rectify the problem since the potential for abuse was exposed by researchers on a BBC Newsnight programme several months ago.

No one was available for comment at the UK Cards Association yesterday. The organisation allows membership to anyone responsible for at least 5 per cent of credit transactions.

Source: vigilantcitizen.com

Read more at Vigilant Citizen