Credit Cards security at risk
21st Feb 2003 [SBWID-6006]
COMMAND

	Credit Cards security at risk

SYSTEMS AFFECTED

	n/a

PROBLEM

	 Editor's note
	 =============
	
	It has been public knowledge for quite some time that the security  of
	banking cards is at risk. To summarize:
	
	-> a French researcher broke (and was condemned for it) the PKI bundled
	with some of those cards in order to produce copycats known as the "Yes
	card"
	
	-> thieves have repeatedly stolen valid credit card numbers and account
	holder details from various online shops, up to a recent attack in which
	a few million accounts were stolen from major card delivery services
	
	-> and now the whitepapers below show that motivated insiders could
	easily build up a scheme to steal millions in cash:
	
	 http://cryptome.org/pacc.htm
	 http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
	 http://research.microsoft.com/~aherbert/volume63.pdf 
	
	Ross Anderson points out that, in response, a bank is trying to get an
	order in the High Court today gagging public disclosure of crypto
	vulnerabilities:
	
	To: ukcrypto@chiark.greenend.org.uk
	Subject: Citibank tries to gag crypto bug disclosure
	Date: Thu, 20 Feb 2003 09:57:34 +0000
	From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
	
	Citibank is trying to get an order in the High Court today gagging public 
	disclosure of crypto vulnerabilities:
	
	  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
	
	I have written to the judge opposing the order:
	
	  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
	
	The background is that my student Mike Bond has discovered some really 
	horrendous vulnerabilities in the cryptographic equipment commonly used 
	to protect the PINs used to identify customers to cash machines:
	
	  http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
	
	These vulnerabilities mean that bank insiders can almost trivially find 
	out the PINs of any or all customers. The discoveries happened while Mike 
	and I were working as expert witnesses on a `phantom withdrawal' case.
	
	The vulnerabilities are also scientifically interesting:
	
	  http://cryptome.org/pacc.htm
	
	For the last couple of years or so there has been a rising tide of phantoms.
	I get emails with increasing frequency from people all over the world whose 
	banks have debited them for ATM withdrawals that they deny making. Banks in
	many countries simply claim that their systems are secure and so the 
	customers must be responsible. It now looks like some of these 
	vulnerabilities have also been discovered by the bad guys. Our courts and 
	regulators should make the banks fix their systems, rather than just lying 
	about security and dumping the costs  on the customers.
	
	Curiously enough, Citi was also the bank in the case that set US law on 
	phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's 
	an omen, if not a precedent ...
	

SOLUTION

	n/a
