Citibank is trying to get an order gagging public disclosure of crypto vulnerabilities

Ross Anderson:

Citibank is trying to get an order in the High Court today gagging public
disclosure of crypto vulnerabilities:

citibank_gag.pdf

I have written to the judge opposing the order:

citibank_response.pdf

The background is that my student Mike Bond has discovered some really
horrendous vulnerabilities in the cryptographic equipment commonly used
to protect the PINs used to identify customers to cash machines:

UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find
out the PINs of any or all customers. The discoveries happened while Mike
and I were working as expert witnesses on a 'phantom withdrawal' case.
The vulnerabilities are also scientifically interesting:
http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of phantoms.
I get emails with increasing frequency from people all over the world whose
banks have debited them for ATM withdrawals that they deny making. Banks in
many countries simply claim that their systems are secure and so the
customers must be responsible. It now looks like some of these
vulnerabilities have also been discovered by the bad guys. Our courts and
regulators should make the banks fix their systems, rather than just lying
about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on
phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that’s
an omen, if not a precedent …
