Bank censorship attempt rebuffed
A trade association of bankers attempted to get the University of Cambridge to withdraw a thesis by Omar Choudary on the No-PIN attack on Chip and PIN. In a robust response to that request, Ross Anderson has told the UK Cards Association that the paper will not be taken offline. Anderson points out that the material on the No-PIN attack has already been published by himself and others on the Cambridge University web site.
Anderson also notes that "Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values" and that he has now authorized Choudary's thesis to be published as a "Computer Laboratory Technical Report", making it easier to cite and giving it a permanent presence on the web site.
The No-PIN attack was responsibly disclosed in 2009 and details of it were published in February 2010. It exploits a weakness in the EMV protocol: a man-in-the-middle placed between the card and the terminal answers the terminal's PIN verification request as if the card had accepted the PIN entered, while the card, which never receives that request, proceeds as if the terminal had fallen back to signature verification. The result is a transaction recorded as authorized by PIN even though the correct PIN was never entered.
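As an added illustration, not code from the thesis, the paper or any bank, the following Python models the exchange described above: a terminal, a card, and a man-in-the-middle that answers the terminal's VERIFY command with status 90 00 without ever forwarding it to the card. The APDU layout, the one-byte flag the card returns with its cryptogram, and the two issuer policies are simplified assumptions rather than real EMV encodings; the cross-checking issuer at the end shows the kind of comparison between the terminal's claim and the card's own record that would expose the mismatch.

```python
"""Simulation of the No-PIN man-in-the-middle against a simplified EMV
cardholder-verification exchange. Encodings are deliberately simplified
assumptions for illustration; they are not the full EMV specification."""

from dataclasses import dataclass

# EMV VERIFY header: CLA 00, INS 20, P1 00, P2 80 (plaintext PIN).
VERIFY_HEADER = bytes.fromhex("00200080")
# EMV GENERATE AC header: CLA 80, INS AE, P1 80 (request ARQC), P2 00.
# Real EMV carries CDOL data after it; omitted here for simplicity.
GENERATE_AC_HEADER = bytes.fromhex("80AE8000")
SW_OK = bytes.fromhex("9000")


def sw_pin_wrong(tries_left: int) -> bytes:
    """EMV status word 63 Cx: PIN wrong, x tries remaining."""
    return bytes([0x63, 0xC0 | tries_left])


def verify_apdu(pin: str) -> bytes:
    """Build a VERIFY command; the PIN is sent as ASCII digits (assumed encoding)."""
    body = pin.encode()
    return VERIFY_HEADER + bytes([len(body)]) + body


@dataclass
class Card:
    pin: str
    tries_left: int = 3
    pin_verified: bool = False  # the card's own record of what it saw

    def process(self, apdu: bytes) -> bytes:
        if apdu[:4] == VERIFY_HEADER:
            if apdu[5:].decode() == self.pin:
                self.pin_verified = True
                return SW_OK
            self.tries_left -= 1
            return sw_pin_wrong(self.tries_left)
        if apdu[:4] == GENERATE_AC_HEADER:
            # Stand-in for the CVR inside Issuer Application Data (tag 9F10):
            # one byte saying whether the card performed PIN verification.
            cvr = b"\x01" if self.pin_verified else b"\x00"
            return cvr + SW_OK
        return bytes.fromhex("6D00")  # instruction not supported


@dataclass
class NoPinMitm:
    """Sits between terminal and card; swallows VERIFY and forwards everything else."""
    card: Card

    def process(self, apdu: bytes) -> bytes:
        if apdu[:4] == VERIFY_HEADER:
            return SW_OK  # terminal now believes the card accepted the PIN
        # The card never sees a VERIFY, so to it this is a no-PIN transaction,
        # indistinguishable from a terminal that fell back to signature.
        return self.card.process(apdu)


def terminal_transaction(channel, entered_pin: str) -> dict:
    """Terminal side: verify the PIN, then request a cryptogram and build the
    authorisation request the issuer will see."""
    sw = channel.process(verify_apdu(entered_pin))
    # Stand-in for CVM Results (tag 9F34) byte 3: 0x02 success, 0x01 failed.
    terminal_cvm = "PIN_OK" if sw == SW_OK else "PIN_FAILED"
    resp = channel.process(GENERATE_AC_HEADER)
    return {"terminal_cvm": terminal_cvm, "card_pin_verified": resp[0] == 0x01}


def issuer_naive(auth: dict) -> bool:
    """Trusts the terminal's CVM results alone; this is what the attack relies on."""
    return auth["terminal_cvm"] == "PIN_OK"


def issuer_cross_check(auth: dict) -> bool:
    """Approves a PIN transaction only when the card also reports PIN verification."""
    return auth["terminal_cvm"] == "PIN_OK" and auth["card_pin_verified"]


def run(mitm: bool, entered_pin: str, real_pin: str = "1234") -> dict:
    """One transaction: direct card or via the No-PIN device, then both issuer policies."""
    card = Card(pin=real_pin)
    channel = NoPinMitm(card) if mitm else card
    auth = terminal_transaction(channel, entered_pin)
    auth["naive_approves"] = issuer_naive(auth)
    auth["cross_check_approves"] = issuer_cross_check(auth)
    return auth


if __name__ == "__main__":
    for mitm, pin in [(False, "1234"), (False, "0000"), (True, "0000")]:
        print(f"mitm={mitm} pin={pin}: {run(mitm, pin)}")
```

The third run is the attack: a wrong PIN, a terminal that records "PIN OK", a card that records no PIN verification, and a naive issuer that approves. The cross-checking policy declines the same message purely because the two records disagree, without any change to the terminal or the card.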
In a blog posting, Anderson reports that the No-PIN attack no longer works against Barclays cards at a Barclays merchant, adding "So at least they’ve started to fix the bug – even if it’s taken them a year". Anderson also reveals a "Christmas present to the bankers": Choudary is a co-author of a new Chip and PIN paper that has been accepted for Financial Cryptography 2011 in February. Anderson suggests that all bankers come to the conference "to hear what we have to say".