Ross Anderson FRS FREng
Professor of Security Engineering
Melanie Johnson
UK Cards Association
2 Thomas Moore Square
London E1W 1YN
Computer Laboratory
December 24, 2010
Dear Ms Johnson,
Responsible disclosure and academic freedom
Your letter of December 1st to Stephen Jolly has only this week been passed to me to deal with. I’m afraid it contains a number of misconceptions and factual errors.
First, your letter was not correctly addressed. The University of Cambridge is a self-governing community of scholars rather than a corporate hierarchy. Mr Jolly is responsible for the university’s front page at
www.cam.ac.uk and for some of the pages in
www.admin.cam.ac.uk, but not for web pages in academic departments. Omar Choudary is responsible for his pages at
www.cl.cam.ac.uk/~osc22; I am responsible for my pages at
www.cl.cam.ac.uk/~rja14; and Steven Murdoch is responsible for his pages at
www.cl.cam.ac.uk/~sjm217 as well as being webmaster of
www.lightbluetouchpaper.org. Omar’s work was not ‘published by the university’ as you claim but by him. If you wanted him to take his thesis offline, you should have asked him.
However, given that the material on the No-PIN attack appears on my page as well as Omar’s and Steven’s, and given that Mr Jolly passed the matter to me to deal with, I expect that I can save us all a lot of time by answering directly.
Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.
Third, Omar’s thesis does not contain any new information on the No-PIN vulnerability. That was
discovered by Steven Murdoch, Saar Drimer and me in 2009, disclosed responsibly to the industry, and published in February this year. It is not expected that an MPhil thesis contain novel scientific work. Omar’s work describes and publishes the design of a platform for investigating and testing EMV generally and its primary uses are defensive: first, to enable customers to monitor transactions if they wish, and second to enable merchants and banks to test their own systems to see whether their system suppliers are telling the truth about security. I note you have announced the purchase of a terminal communications monitor from Barnes International. Omar’s device, which I understand he also offers for sale to industry firms in a private capacity, is for just that – monitoring terminal communications.
Fourth, he did not make available the source code for the No-PIN attack. Steven Murdoch, Saar Drimer and I did that in our research paper earlier this year. Omar did not include that code in his thesis.
Fifth, you say ‘Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant’. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist’s consent and on camera. At no time was there any intent to commit fraud; the journalist’s account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense. I would not consider such an experiment to require a reference to our ethics committee. By that time the Newsnight programme had appeared and the No-PIN attack was entirely in the public domain. The French television programme was clearly in the public interest, as it made it more difficult for banks in France to defraud their customers by claiming that their systems were secure when they were not.
You complain that our work may undermine public confidence in the payments system. What will
support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.
Nonetheless, I am delighted to note your firm statement that the attack will no longer work and pleased that the industry has been finally been able to deal with this security issue, albeit some considerable time after the original disclosure back in 2009.
Yours sincerely,
Ross Anderson
