iTnews

Bank lobby warns Cambridge over IT security thesis

By Brett Winterford on Dec 29, 2010 8:58AM
Seeks censorship of student's work on chip and pin vulnerabilities.

Bank lobby group The UK Cards Association has written to Cambridge University requesting the censorship of a student thesis concerned with vulnerabilities in the "chip and pin" transaction card systems used by the majority of the world's banks.

The Association called for Cambridge University to remove from its web site a thesis by one Omar Choudary, which the banking sector considered a "blueprint for building a device... to exploit a loophole in the security of chip and pin."

Choudary's thesis, published in full online [PDF] and summarised on the Light Blue Touch Paper blog, continued the work of fellow Cambridge researchers who discovered flaws in the chip and pin system in 2009 and published them in February 2010.

Melanie Johnson, chair of the Association, said in the letter [PDF] that Choudary's thesis "oversteps the boundaries of what constitutes responsible disclosure."

"Our key concern is that this type of research was ever considered suitable for publication by the University. It gives us cause to worry that future research, which may potentially be more damaging, may also be published in this level of detail," Johnson said.

Johnson's letter was met with a sharp rebuke [PDF] by Ross Anderson, Professor of Security Engineering at Cambridge University.

Anderson questioned whether the University had the right to "censor" a "lawful" student thesis already published "simply because a powerful interest finds it inconvenient."

"This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values," Anderson said.

"Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report," he said. "This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."

Anderson noted that the February publication of the vulnerability had already motivated some banks to better secure their card payment systems. Barclays, he noted in a recent blog post, no longer appeared vulnerable.

"You complain that our work may undermine public confidence in the payments system," he told Johnson. "What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies.

"Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."
