[saag] Of potential interest -- Citibank tries to gag crypto bug disclosure (fwd)

[Dave Ahmad <da () securityfocus com>]

David Mirza Ahmad
Symantec

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

---------- Forwarded message ----------
Date: Thu, 20 Feb 2003 14:04:01 -0800
From: Robert Moskowitz <rgm-sec () htt-consult com>
To: saag () mit edu
Subject: [saag]  Of potential interest -- Citibank tries to gag crypto bug
    disclosure

> To: ukcrypto () chiark greenend org uk
> Subject: Citibank tries to gag crypto bug disclosure
> Date: Thu, 20 Feb 2003 09:57:34 +0000
> From: Ross Anderson <Ross.Anderson () cl cam ac uk>
>
>
> Citibank is trying to get an order in the High Court today gagging
> public disclosure of crypto vulnerabilities:
>
>    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
>
> I have written to the judge opposing the order:
>
>    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
>
> The background is that my student Mike Bond has discovered some really
> horrendous vulnerabilities in the cryptographic equipment commonly
> used to protect the PINs used to identify customers to cash machines:
>
>    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
>
> These vulnerabilities mean that bank insiders can almost trivially
> find out the PINs of any or all customers. The discoveries happened
> while Mike and I were working as expert witnesses on a `phantom
> withdrawal' case.
>
> The vulnerabilities are also scientifically interesting:
>
>    http://cryptome.org/pacc.htm
>
> For the last couple of years or so there has been a rising tide of
> phantoms. I get emails with increasing frequency from people all over
> the world whose banks have debited them for ATM withdrawals that they
> deny making. Banks in many countries simply claim that their systems
> are secure and so the customers must be responsible. It now looks like
> some of these vulnerabilities have also been discovered by the bad
> guys. Our courts and regulators should make the banks fix their
> systems, rather than just lying about security and dumping the costs
> on the customers.
>
> Curiously enough, Citi was also the bank in the case that set US law
> on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
> that's an omen, if not a precedent ...
>
> Ross Anderson
Robert Moskowitz
TruSecure Corporation
Security Interest EMail: rgm-sec () htt-consult com

_______________________________________________
saag mailing list
saag () mit edu
https://jis.mit.edu/mailman/listinfo/saag