Joho the Blog » Something Else to Worry About
EverydayChaos
Everyday Chaos
Too Big to Know
Too Big to Know
Cluetrain 10th Anniversary edition
Cluetrain 10th Anniversary
Everything Is Miscellaneous
Everything Is Miscellaneous
Small Pieces cover
Small Pieces Loosely Joined
Cluetrain cover
Cluetrain Manifesto
My face
Speaker info
Who am I? (Blog Disclosure Form) Copy this link as RSS address Atom Feed

Something Else to Worry About

From Risk Digest, via a mailing list:

ATM vulnerabilities and citibank’s gag attempt

Ross Anderson
Thu, 20 Feb 2003 09:58:47 +0000

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal’ case.

The vulnerabilities are also scientifically interesting: http://cryptome.org/pacc.htm

Source URL: http://catless.ncl.ac.uk/go/risks/22/58/6

Previous: « || Next: »

Leave a Reply

Comments (RSS).  RSS icon