28 December 2010

Obscurity is not Security

But this isn't stopping banks from trying to suppress security research showing that their cards are insecure, rather than manning up and fixing the problem:
Cambridge computer scientists have become embroiled in angry exchanges with Britain's banks and credit card lenders, accusing them of bullying and trying to "censor" a PhD student who was exposing flaws in chip-and-pin machines.

A leading Cambridge academic has now written to bankers' representatives demanding that they stop pressing for the removal of a student's doctorate work from the web.

Professor Ross Anderson, from Cambridge University's Computer Laboratory, has previously researched glitches in chip-and-pin banking that allow withdrawals to be made from accounts without needing to know the holder's PIN. As part of his thesis work, one of his students, Omar Choudary, exposed how easy it was to make such a withdrawal.

Then the UK Cards Association, a trade body representing leading banking organisations, approached the university asking it to remove the thesis from his website, which is accessible through a university site.
So the knowledge is out there and it is public (it has actually been discussed on the BBC), and the banks want to pretend that it never happened. Pulling the thesis off a website does not make a single card or terminal harder to attack; it only delays the point at which customers and regulators learn about the risk.

This is why you cannot rely on market mechanisms for this kind of thing: the party that could fix the problem has a stronger incentive to hide it.
