A stiff row has broken out between researchers at Cambridge University and UK banks over the publication of research that exposes serious security and operational flaws in the UK's Chip and PIN card authentication system.
Earlier this year, research led by Ross Anderson, Professor of Security Engineering at Cambridge, and his team demonstrated a method by which a card can be used at a retail terminal without the correct PIN being entered. Now an MPhil thesis by computer science student Omar Choudary shows how a simple £20 device could be used by fraudsters to exploit that vulnerability, allowing a stolen card to be used to buy goods without entering a valid personal identification number (PIN). To validate his findings, Choudary reportedly tested the device successfully in a Cambridge shop.
The research, published online, has caused considerable embarrassment to the banks and to advocates of the system, who had previously maintained that such fraud was impossible, even after repeated complaints from cardholders whose stolen cards had been used.
The UK Cards Association (UKCA), which represents the country's biggest banks, wrote a letter of complaint to the University asking it to remove Choudary's thesis from the public domain, on the grounds that the level of detail in it was worrying and breached the boundaries of responsible disclosure.
Melanie Johnson, a former Labour MP who now chairs the UKCA, also expressed concern in the letter that the device had actually been put to use.
Cambridge, however, has taken strong exception to the Association's demand. Anderson, one of Choudary's supervisors, rejected it on his blog, calling it absolutely unacceptable and a very, very nasty attempt at censorship.
In his response to the Association, he points out sharply that censoring valid and lawful research to suit the vested interests of a powerful group is entirely antithetical to the values of a University that has hosted research by the likes of Newton and Darwin. He also clarifies that Choudary's thesis contains no new information on the No-PIN vulnerability: it had already been discovered by Steven Murdoch, Saar Drimer and Anderson himself in 2009, disclosed responsibly to the industry, and published in February this year.