Full Disclosure mailing list archives

FW: Citibank tries to gag crypto bug disclosure


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 20 Feb 2003 18:38:41 -0500

From http://cryptome.org/pacc.htm

To: ukcrypto () chiark greenend org uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson () cl cam ac uk>

Citibank is trying to get an order in the High Court today gagging public
disclosure of crypto vulnerabilities:

  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:

  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really 
horrendous vulnerabilities in the cryptographic equipment commonly used 
to protect the PINs used to identify customers to cash machines:

  http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find
out the PINs of any or all customers. The discoveries happened while Mike
and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:

  http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of phantoms.
I get emails with increasing frequency from people all over the world whose
banks have debited them for ATM withdrawals that they deny making. Banks in
many countries simply claim that their systems are secure and so the
customers must be responsible. It now looks like some of these
vulnerabilities have also been discovered by the bad guys. Our courts and
regulators should make the banks fix their systems, rather than just lying
about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on
phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's
an omen, if not a precedent ...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
