Interesting People mailing list archives
Citibank tries to gag crypto bug disclosure
From: Dave Farber <dave () farber net>
Date: Thu, 20 Feb 2003 07:34:41 -0500
------ Forwarded Message From: Brian Randell <Brian.Randell () newcastle ac uk> Date: Thu, 20 Feb 2003 12:15:09 +0000 To: farber () cis upenn edu Subject: Fwd: [open-source] Citibank tries to gag crypto bug disclosure Dave: I assume you've seen this, but just in case ... cheers Brian PS I was at Monday's meeting at Microsoft research in Cambridge, in honour of Roger Needham, at which Ross Anderson gave an excellent about this work.
To: open-source () csl sri com
Subject: [open-source] Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:58:47 +0000
From: Ross Anderson <Ross.Anderson () cl cam ac uk>
X-Spam-Status: No, score=0.5 threshold=8.0
X-Spam-Level: x
Sender: open-source-owner () csl sri com
Reply-To: Ross Anderson <Ross.Anderson () cl cam ac uk>
X-Newcastle-MailScanner: Found to be clean
Citibank is trying to get an order in the High Court today gagging
public disclosure of crypto vulnerabilities:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
I have written to the judge opposing the order:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
The background is that my student Mike Bond has discovered some really
horrendous vulnerabilities in the cryptographic equipment commonly
used to protect the PINs used to identify customers to cash machines:
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
These vulnerabilities mean that bank insiders can almost trivially
find out the PINs of any or all customers. The discoveries happened
while Mike and I were working as expert witnesses on a `phantom
withdrawal' case.
The vulnerabilities are also scientifically interesting:
http://cryptome.org/pacc.htm
For the last couple of years or so there has been a rising tide of
phantoms. I get emails with increasing frequency from people all over
the world whose banks have debited them for ATM withdrawals that they
deny making. Banks in many countries simply claim that their systems
are secure and so the customers must be responsible. It now looks like
some of these vulnerabilities have also been discovered by the bad
guys. Our courts and regulators should make the banks fix their
systems, rather than just lying about security and dumping the costs
on the customers.
Curiously enough, Citi was also the bank in the case that set US law
on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
that's an omen, if not a precedent ...
Ross Anderson
-- School of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK EMAIL = Brian.Randell () newcastle ac uk PHONE = +44 191 222 7923 FAX = +44 191 222 8232 URL = http://www.cs.ncl.ac.uk/~brian.randell/ ------ End of Forwarded Message ------------------------------------- You are subscribed as interesting-people () lists elistx com To unsubscribe or update your address, click http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Citibank tries to gag crypto bug disclosure Dave Farber (Feb 20)
