Row grows over credit card chip & PIN security

6th January 2011  

An ex-labour MP and academics at Cambridge University are embroiled in a row over the release of research material which highlights a serious weakness in the security of the chip and PIN system now used on UK credit cards.

Ross Anderson, a Professor of Security Engineering at Cambridge University’s Computer Laboratory has confirmed that he has denied a request from the UK Card Association to remove information contained in the online thesis.

Cambridge Student Omar Choudary used his Masters in Philosophy project to reveal a flaw in the chip and PIN credit card security process, designing a £20 gadget that fools chip and PIN machines into accepting cards without the valid PIN. The cigarette packet-sized device can be concealed up the users sleeve while attached to a card.

Melanie Johnson, who lost her seat in the 2005 General Election, is now Chairman of the UK Card Association, a trade body that represents banks and other credit card issuers. Miss Johnson, who studied at post graduate level at Kings College Cambridge, wrote to the Cambridge Press Office at the beginning of December 2010 demanding that details of Mr Choudary’s device be deleted from the University’s website.

Miss Johnson said that publication on the internet ‘oversteps the boundaries of what constitutes reasonable disclosure’ and gave too much detail on how the Chip and PIN system could be overcome. Clearly the information in the wrong hands could assist criminals in perpetrating large scale fraud.

Professor Anderson however has been warmly praised by members of the public, and in the press, for his staunch defence of academic freedom.

Said to be “incandescent with rage” over Miss Johnson’s letter, Professor Anderson described the request as “a nasty piece of spin-doctoring” and “deeply offensive”. The Professor confirmed that Cambridge would continue to publish controversial research just as it had done with scientists such as Sir Isaac Newton and Charles Darwin, particularly when it was clearly in the public interest.

In his response the Professor said

“You seem to think that we might censor a student’s thesis which is lawful and already in the public domain – simply because a powerful interest group finds it inconvenient. Censoring writings that offend the powerful is offensive to our deepest values.”

The warring factions clashed again on the BBC’s ‘Face the Facts’ program on Radio 4 yesterday and Miss Johnson repeatedly side stepped the interviewers questioning on whether all the UK banks and card issuers have taken steps to close the security loophole.

Miss Johnson continued to labour the point that Chip and PIN technology has been the main factor behind a 66% drop in fraud at UK retail point of sale since 2004.

The general public smelt a cover up and the program was bombarded with angry card holders demanding to know if their credit cards were actually secure.

The program highlighted that some banks and card issuers are starting to shift the blame for fraud to cardholders when they believe the consumer has allowed their PIN to become misused. If for instance a suspected fraudulent transaction exists on a card holder’s account and the transaction was authorised and completed using the chip and PIN process, some card issuers are now saying that that transaction is the responsibility of the card holder.

Professor Anderson had gone on the record as early as December 2004 in another BBC interview, warning the credit card industry of the weaknesses in the chip and PIN technology. Scientists at Cambridge began to look for defects in the system after credit card users said their cards had been stolen and their PINs used – something the banks denied was happening.

He also pointed out that the technical details in the controversial thesis, and the potential security implications thereof, had been passed to the banking industry in early December 2009, giving it plenty of time to improve its security systems before the research was published online.

Barclays Bank is the only UK card issuer that Professor Anderson confirmed had taken action to rectify the problem.

Enjoyed this Post?

Subscribe to our daily post, Follow us on Twitter, Join us on Facebook

Follow us on TwitterJoin us on Facebook
Recommend this post

Simply give this post a vote on Google+, Facebook or Twitter to tell your friends

Follow us on FacebookFollow us on TwitterSubcribe to Compare credit cards feed
Subcribe to Cardchoices email alert