Chip And PIN Security Hack Prompts Censorship Rebuke From Researchers
Cambridge University has refused to censor a master's student's thesis on the security flaws in the Chip and PIN security system, rebuking calls from the UK Cards Association trade body to bury the research after allegations that it "breaches the boundary of responsible disclosure." According to security group researcher Ross Anderson, not only is the paper both lawful and already in the public domain, it will soon be followed by a similarly detailed paper on the same subject; he suggests to the Association that "your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."
"You seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient" (Ross Anderson)
The Association claims that the loophole used has already been fixed for Barclays bank cards at a Barclays merchant, though that still leaves Chip and PIN systems managed by other banks. The research had led to the creation of a card-sized monitoring device that can track transactions and flag up – among other things – cases where illegally modified card-readers show one value on-screen and then charge a higher amount to the card.
[via BoingBoing]