David Mirza Ahmad
Symantec

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

---------- Forwarded message ----------
Date: Thu, 20 Feb 2003 14:04:01 -0800
From: Robert Moskowitz <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [saag] Of potential interest -- Citibank tries to gag crypto bug disclosure

 >To: [EMAIL PROTECTED]
 >Subject: Citibank tries to gag crypto bug disclosure
 >Date: Thu, 20 Feb 2003 09:57:34 +0000
 >From: Ross Anderson <[EMAIL PROTECTED]>
 >
 >
 >Citibank is trying to get an order in the High Court today gagging
 >public disclosure of crypto vulnerabilities:
 >
 >    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
 >
 >I have written to the judge opposing the order:
 >
 >    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
 >
 >The background is that my student Mike Bond has discovered some really
 >horrendous vulnerabilities in the cryptographic equipment commonly
 >used to protect the PINs used to identify customers to cash machines:
 >
 >    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
 >
 >These vulnerabilities mean that bank insiders can almost trivially
 >find out the PINs of any or all customers. The discoveries happened
 >while Mike and I were working as expert witnesses on a 'phantom
 >withdrawal' case.
 >
 >The vulnerabilities are also scientifically interesting:
 >
 >    http://cryptome.org/pacc.htm
 >
 >For the last couple of years or so there has been a rising tide of
 >phantoms. I get emails with increasing frequency from people all over
 >the world whose banks have debited them for ATM withdrawals that they
 >deny making. Banks in many countries simply claim that their systems
 >are secure and so the customers must be responsible. It now looks like
 >some of these vulnerabilities have also been discovered by the bad
 >guys. Our courts and regulators should make the banks fix their
 >systems, rather than just lying about security and dumping the costs
 >on the customers.
 >
 >Curiously enough, Citi was also the bank in the case that set US law
 >on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
 >that's an omen, if not a precedent ...
 >
 >Ross Anderson
Robert Moskowitz
TruSecure Corporation
Security Interest EMail: [EMAIL PROTECTED]

_______________________________________________
saag mailing list
[EMAIL PROTECTED]
https://jis.mit.edu/mailman/listinfo/saag