
Researcher rejects chip-and-PIN flaw 'censorship'

A Cambridge University professor has accused the UK Cards Association of attempting to 'censor' a student's thesis, which contains the source code and schematics for a device that intercepts the exchange between a chip-and-PIN card and a payment terminal

A Cambridge University professor has refused to "censor" materials relating to an attack on chip-and-PIN technology, calling the UK Cards Association's request for their removal "offensive".

Ross Anderson, a professor of security engineering at Cambridge University's Computer Laboratory, has responded to the UK Cards Association's (UKCA) request for the university to remove research by student Omar Choudary. Choudary's master's thesis, entitled The Smart Card Detective: a hand-held EMV interceptor, includes details of security exploits against chip-and-PIN technology.

"Cambridge is the university of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values," Anderson wrote in his response on 24 December. "Thus, even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material."

On 1 December the UKCA wrote to Cambridge University's director of external affairs and communications to express concerns about the 19 October publication of hardware schematics and source code for a device that sits between a payment card and a chip-and-PIN terminal and intercepts and modifies the messages passing between them. The trade body represents a number of leading banking organisations, including Barclays, HSBC and American Express.

The UKCA letter said that the publication of Choudary's research, code and schematics breached the boundary of responsible disclosure. "Essentially, [the publication] places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN," the organisation said.

Anderson said the research contained no new information on the chip-and-PIN vulnerability, which had first been disclosed to the bank card industry by researchers, including Anderson, in 2009 and was published in February 2010. That earlier work showed that a man-in-the-middle device placed between a stolen card and a terminal could let the card be used without the correct PIN, by telling the terminal that PIN verification had succeeded while the card believed no PIN had been requested.

Anderson said he authorised the thesis to be issued as a Computer Laboratory Technical Report. "This will make it easier for people to find and to cite, and will ensure that its presence on our website is permanent."

The original chip-and-PIN exploit is no longer usable against Barclays' cards at Barclays' merchants, Anderson noted in a post on Light Blue Touchpaper, the security research blog of the Cambridge University Computer Laboratory.

In a statement to ZDNet UK on Wednesday, the UKCA said it had requested the material to be taken down "not to challenge the work of the university's security academics but only to challenge whether publishing explicit details of how to attempt a fraud... is necessary and serving the public's best interest".

"We remain hopeful that the academics concerned will work with us rather than against us to help defeat the fraudsters — as unfortunately it is only the fraudsters who stand to gain from any lack of cooperation between us," it added.