A powerful banking association tried — and failed — to censor a Cambridge University student’s thesis that exposed a flaw in electronic card security.
Chip and PIN is a smartcard payment system in the United Kingdom that requires customers to enter a personal identification number (PIN) when making a transaction. Secure as the industry would like this system to seem, it isn’t, as a lone student proved earlier this year with the construction of an inexpensive device that eliminates the PIN requirement.
A thesis describing how the device works and how it was created was published on the Cambridge website in June.
The UK Cards Association (UKCA) sent a letter to the university requesting they remove the thesis, which describes how a hand-held device could allow a thief to make transactions with a stolen bank card using any PIN.
Melanie Johnson, a former Labour Treasury minister who is now chair of the UKCA, wrote that the thesis “breaches the boundary of responsible disclosure” and “places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN.”
The thesis, written by Omar Choudary, a PhD student within the Security Group at the Computer Laboratory, is titled “The smart card detective: a handheld EMV interceptor.”
“During my MPhil within the Computer Lab I developed a card-sized device (named Smart Card Detective – in short SCD) that can monitor Chip and PIN transactions,” Omar wrote on his blog.
“The main goal of the SCD was to offer a trusted display for anyone using credit cards, to avoid scams such as tampered terminals which show an amount on their screen but debit the card another. However, the final result is a more general device, which can be used to analyse and modify any part of an EMV (protocol used by Chip and PIN cards) transaction.”
Johnson asked for the thesis to be removed from public access immediately and said she was concerned that “this type of research was ever considered suitable for publication.”
“You seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient,” Ross Anderson, professor of security engineering at the university’s Computer Laboratory, replied. “This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”
Anderson wrote that he and his colleagues had discovered the vulnerability in 2009 and disclosed the information to the banking industry at that time.
“You complain that our work may undermine public confidence in the payments system,” he continued. “What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.”