Something Else to Worry About
From Risk Digest, via a mailing list:
ATM vulnerabilities and citibank’s gag attempt
Ross Anderson
Thu, 20 Feb 2003 09:58:47 +0000Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
I have written to the judge opposing the order:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal’ case.
The vulnerabilities are also scientifically interesting: http://cryptome.org/pacc.htm
Source URL: http://catless.ncl.ac.uk/go/risks/22/58/6
Categories: Uncategorized dw