Bugtraq mailing list archives
[saag] Of potential interest -- Citibank tries to gag crypto bug disclosure (fwd)
From: Dave Ahmad <da () securityfocus com>
Date: Thu, 20 Feb 2003 16:13:57 -0700 (MST)
David Mirza Ahmad Symantec 0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 ---------- Forwarded message ---------- Date: Thu, 20 Feb 2003 14:04:01 -0800 From: Robert Moskowitz <rgm-sec () htt-consult com> To: saag () mit edu Subject: [saag] Of potential interest -- Citibank tries to gag crypto bug disclosure
To: ukcrypto () chiark greenend org uk Subject: Citibank tries to gag crypto bug disclosure Date: Thu, 20 Feb 2003 09:57:34 +0000 From: Ross Anderson <Ross.Anderson () cl cam ac uk> Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities: http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf I have written to the judge opposing the order: http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines: http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case. The vulnerabilities are also scientifically interesting: http://cryptome.org/pacc.htm For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers. Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ... Ross Anderson
Robert Moskowitz TruSecure Corporation Security Interest EMail: rgm-sec () htt-consult com _______________________________________________ saag mailing list saag () mit edu https://jis.mit.edu/mailman/listinfo/saag
Current thread:
- [saag] Of potential interest -- Citibank tries to gag crypto bug disclosure (fwd) Dave Ahmad (Feb 20)