The UK banking trade association has attempted to have a Cambridge University student’s thesis censored because it documents a well-known flaw in the chip-and-pin system.
Melanie Johnson of the UK Cards Association wrote to the University complaining that Omar Choudary’s thesis, titled The Smart Card Detective: a hand-held EMV interceptor, gave away information about the ‘No-Pin’ vulnerability.
This is despite the fact that the flaw was discovered last year by other Cambridge scientists and published last February – and has in any case recently been fixed.
Johnson said that the association was worried that the department’s work could undermine public confidence in the chip-and-pin system – which couldn’t be allowed to pass, obviously.
And she was bothered by the way Choudary tested the vulnerability by making a transaction in a local shop: “Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant,” she wrote.
“Consequently, we would ask that this research be removed from public access immediately.”
Choudary had created a device called a Smart Card Detective designed to monitor chip-and-pin transactions. The main aim was to offer a trusted display for credit card users, helping them avoid scams such as tampered terminals.
However, the final result was a more general device, which could be used to analyse and modify any part of a transaction based on the EMV protocol. Choudary and a journalist did indeed test the device in a shop, but paid for their goods in full.
The letter was passed on to Ross Anderson of the university’s Computer Laboratory to deal with – and he’s refusing to take the association’s orders lying down.
After ticking off Johnson for failing to understand that the university is ‘a self-governing community of scholars rather than a corporate hierarchy’, he uses his letter of reply to accuse the UK banks of trying to cover up their weaknesses.
“You seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work,” he wrote.
“Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”
Indeed, he says, he’s now authorised the thesis to be issued as a Computer Laboratory Technical Report. “This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent,” he explains brightly.