Don’t fix it, censor it

The Security Research Computer Lab at Cambridge University posted an article about industry response to a fundamental flaw in the “chip and pin” system in February. The paper, by Omar Choudary (a PhD student), highlights a flaw in the standard that permits the use of any PIN number. The University passed it to industry two months before publishing.

Now, some eight months later, the only bank known to have addressed this is Barclays. Instead of addressing the issue, the bankers’ trade association feels the best course of action is to tell the University it’s being irresponsible [pdf] in publishing the information! Given the Streisand Effect, is that not trying to close the stable door after the horse has bolted? The University’s response is an emphatic no, at the moment.

It is interesting that the UK Cards Association feels an offence was committed in proving the vulnerability. I would have thought they’d welcome the information, given their front page statement:

We inform and engage with stakeholders to advance the industry for the ultimate benefit of our members’ consumer and retail customers. Our work includes preventing card fraud, contributing to legislative changes, collating industry statistics and developing industry standards and best practices.


3 Responses to Don’t fix it, censor it

  1. gail ruppert says:

    Thanks for that tip

    but not so surprised about those banksters, always the same story. Everyone knows that “censor it” is not possible in real life. So what to do: drop that info on the media for large diffusion, pointing shame on those stupids.

  2. Mark says:

    Are you saying that I could in theory use 12345 as my pin, or that it could be assigned to me? Yikes!
