Bankers fail to censor thesis exposing loophole in bank card security

Thursday, 30 December 2010 11:11

A powerful bankers' association has failed in its attempt to censor a student thesis after complaining that it revealed a loophole in bank card security.

The UK Cards Association, which represents major UK banks and building societies, asked Cambridge University to remove the thesis from its website, but the request was met with a blunt refusal.

In a letter to university authorities, UKCA chair Melanie Johnson – a former Labour MP who was economic secretary to the Treasury in Tony Blair's government – demanded that the masters thesis be "removed from public access immediately".

The thesis by computer security student Omar Choudary, entitled "The smart card detective: a handheld EMV interceptor", described a flaw in the chip-and-pin (personal identification number) security system that allows criminals to make fraudulent transactions with a stolen bank card using any pin they care to choose.

"It is the publication of this level of detail which we believe breaches the boundary of responsible disclosure. Essentially, it places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN," the letter states.

But in a reply to the UKCA, Ross Anderson, professor of security engineering at the university's Computer Laboratory, refused to take down the thesis and said the loopholes had already been disclosed to bankers.

Full Article: Bankers fail to censor thesis exposing loophole in bank card security