Message-ID: <009301c2d939$33069d70$6701a8c0@rms2>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: FW: Citibank tries to gag crypto bug disclosure
From http://cryptome.org/pacc.htm
To: ukcrypto@...ark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson@...cam.ac.uk>
Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
I have written to the judge opposing the order:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
The background is that my student Mike Bond has discovered some really
horrendous vulnerabilities in the cryptographic equipment commonly used
to protect the PINs used to identify customers to cash machines:
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a 'phantom withdrawal' case.
The vulnerabilities are also scientifically interesting:
http://cryptome.org/pacc.htm
For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.
Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...