Friday, February 21, 2003

Citibank trying to silence ATM PIN security research

Citibank is trying to prevent the disclosure of new scientific research that has apparently broken ATM PIN confidentiality protection wide open. It is doing so even as "phantom" charges appear on people's accounts, charges that banks refuse to reverse on the grounds that their systems are so secure that users cannot repudiate them.

"The card's issuer says that's not possible, because their ATM network
is secure, and is suing the couple to recover the nearly $80,000 that
was charged against the card."

The raw archived information:

Protocol Analysis, Composability and Computation

There is a Slashdot discussion.

There is an eWeek article too: Attack Exposes ATM Vulnerabilities

Well-known cryptographer Ross Anderson offered this testimony in the case:
"In addition to being published material, derived from open sources,
and of crucial importance to the defendants' case, the vulnerabilities
are likely to be crucially important in other cases brought in the
U.K. and elsewhere over disputed ATM transactions," Anderson wrote in
his letter. "Bond plans to incorporate much of this material into his
Ph.D. thesis. It is spectacularly unfair for the applicant to ask you,
in effect, to prohibit Bond from including in his thesis a scientific
discovery that he has already published."
