Chip and PIN is a payment-card security system that relies on a microchip embedded in a credit or debit card to authenticate payments; while it has had a hard time catching on in the United States, where magnetic stripes on cards remain the norm, chip and PIN is a major presence in the UK and Europe, and it recently gained a major toehold in Canada with Visa’s adoption of the system.
While chip and PIN is meant to correct security weaknesses inherent in the magnetic stripe system, it has flaws of its own. A Cambridge computer science graduate student named Omar Choudary documented several of these flaws in an MPhil thesis and suggested improvements to the system. The response of the UK Cards Association, which describes itself as “the leading trade association for the cards industry in the UK,” was to ask Cambridge to censor Choudary’s work on the grounds that it “breaches the boundary of responsible disclosure.” In the words of the Cards Association, “Our key concern … is that this type of research was ever considered suitable for publication by the University. It gives us cause to worry that future research, which may potentially be more damaging, may also be published in this level of detail.”
Cambridge professor and security theorist Ross Anderson didn’t see it that way: In a withering letter back to the trade group, he defended the publication of the thesis, saying that “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”
Anderson, writing on behalf of Cambridge: [PDF]
Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.
Third, Omar’s thesis does not contain any new information on the No-PIN vulnerability. That was discovered by Steven Murdoch, Saar Drimer and me in 2009, disclosed responsibly to the industry, and published in February this year. It is not expected that an MPhil thesis contain novel scientific work. Omar’s work describes and publishes the design of a platform for investigating and testing EMV generally and its primary uses are defensive: first, to enable customers to monitor transactions if they wish, and second to enable merchants and banks to test their own systems to see whether their system suppliers are telling the truth about security.
You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.
Would that more schools stuck up for students doing controversial but important work.