0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
---------- Forwarded message ----------
Date: Thu, 20 Feb 2003 14:04:01 -0800
From: Robert Moskowitz <rgm-sec (at) htt-consult (dot) com [email concealed]>
To: saag (at) mit (dot) edu [email concealed]
Subject: [saag] Of potential interest -- Citibank tries to gag crypto bug disclosure
>To: ukcrypto (at) chiark.greenend.org (dot) uk [email concealed]
>Subject: Citibank tries to gag crypto bug disclosure
>Date: Thu, 20 Feb 2003 09:57:34 +0000
>From: Ross Anderson <Ross.Anderson (at) cl.cam.ac (dot) uk [email concealed]>
>
>
>Citibank is trying to get an order in the High Court today gagging
>public disclosure of crypto vulnerabilities:
>
> http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
>
>I have written to the judge opposing the order:
>
> http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
>
>The background is that my student Mike Bond has discovered some really
>horrendous vulnerabilities in the cryptographic equipment commonly
>used to protect the PINs used to identify customers to cash machines:
>
> http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
>
>These vulnerabilities mean that bank insiders can almost trivially
>find out the PINs of any or all customers. The discoveries happened
>while Mike and I were working as expert witnesses on a `phantom
>withdrawal' case.
>
>The vulnerabilities are also scientifically interesting:
>
> http://cryptome.org/pacc.htm
>
>For the last couple of years or so there has been a rising tide of
>phantoms. I get emails with increasing frequency from people all over
>the world whose banks have debited them for ATM withdrawals that they
>deny making. Banks in many countries simply claim that their systems
>are secure and so the customers must be responsible. It now looks like
>some of these vulnerabilities have also been discovered by the bad
>guys. Our courts and regulators should make the banks fix their
>systems, rather than just lying about security and dumping the costs
>on the customers.
>
>Curiously enough, Citi was also the bank in the case that set US law
>on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
>that's an omen, if not a precedent ...
>
>Ross Anderson
Robert Moskowitz
TruSecure Corporation
Security Interest EMail: rgm-sec (at) htt-consult (dot) com [email concealed]
_______________________________________________
saag mailing list
saag (at) mit (dot) edu [email concealed]
https://jis.mit.edu/mailman/listinfo/saag
David Mirza Ahmad
Symantec