Interesting People mailing list archives
Citibank tries to gag crypto bug disclosure
From: Dave Farber <dave () farber net>
Date: Thu, 20 Feb 2003 07:34:41 -0500
------ Forwarded Message
From: Brian Randell <Brian.Randell () newcastle ac uk>
Date: Thu, 20 Feb 2003 12:15:09 +0000
To: farber () cis upenn edu
Subject: Fwd: [open-source] Citibank tries to gag crypto bug disclosure

Dave:

I assume you've seen this, but just in case ...

cheers

Brian

PS I was at Monday's meeting at Microsoft Research in Cambridge, in honour of Roger Needham, at which Ross Anderson gave an excellent about this work.
To: open-source () csl sri com
Subject: [open-source] Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:58:47 +0000
From: Ross Anderson <Ross.Anderson () cl cam ac uk>
Reply-To: Ross Anderson <Ross.Anderson () cl cam ac uk>

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case. The vulnerabilities are also scientifically interesting:

http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...

Ross Anderson
--
School of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK
EMAIL = Brian.Randell () newcastle ac uk
PHONE = +44 191 222 7923
FAX = +44 191 222 8232
URL = http://www.cs.ncl.ac.uk/~brian.randell/
------ End of Forwarded Message