(via JOHO)

From Risk Digest, via a mailing list:

ATM vulnerabilities and citibank's gag attempt

Ross Anderson
Thu, 20 Feb 2003 09:58:47 +0000

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a 'phantom withdrawal' case.

The vulnerabilities are also scientifically interesting: http://cryptome.org/pacc.htm

Source URL: http://catless.ncl.ac.uk/go/risks/22/58/6
- jim 2-25-2003 10:40 pm



