Bank lobby warns Cambridge over IT security thesis

Bank lobby group The UK Cards Association has written to Cambridge University requesting the censorship of a student thesis concerned with vulnerabilities in the "chip and pin" transaction card systems used by the majority of the world's banks.

The Association called for Cambridge University to remove from its web site a thesis by one Omar Choudary, which the banking sector considered a "blueprint for building a device... to exploit a loophole in the security of chip and pin."

Choudary's thesis, published in full online [PDF] and summarised on the Light Blue Touch Paper blog, continued the work of fellow Cambridge researchers which discovered flaws in the chip and pin system in 2009, publishing them in February 2010.

Melanie Johnson, chair of the Association, said in the letter [PDF] that Choudary's thesis "oversteps the boundaries of what constitutes responsible disclosure."

"Our key concern is that this type of research was ever considered suitable for publication by the University. It gives us cause to worry that future research, which may potentially be more damaging, may also be published in this level of detail," Johnson said.

Johnson's letter was met with a sharp rebuke [PDF] by Ross Anderson, Professor of Security Engineering at Cambridge University.

Anderson questioned whether the University had the right to "censor" a "lawful" student thesis already published "simply because a powerful interest finds it inconvenient."

"This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values," Anderson said.

"Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report," he said. "This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."

Anderson noted that the February publication of the vulnerability had already motivated some banks to better secure their card payment systems. Barclays, he noted in a recent blog post, no longer appeared vulnerable.

"You complain that our work may undermine public confidence in the payments system," he told Johnson. "What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies.

"Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."