This is the story of Lupe, and her quest for the girl in the mirror.

25th December 2010


A Merry Christmas to all Bankers →

Some of you may have heard, over the last year and a bit, about the various flaws in and outcry against the UK’s chip and pin system for protecting credit and debit cards against unauthorised use. I’ll skip over for a second the banks conflating authentication and authorisation, and also the human flaws and vulnerabilities, and only briefly touch on the lack of accessibility features for a wide range of disabled users.

One of the biggest problems is that the system contains a number of fundamental security issues, which have attracted the attention of a good number of security and computer science researchers. One researcher in particular, by the name of Omar Choudary, made some aspects of it the subject of their MPhil thesis (PDF) at Cambridge University. This attracted the attention of the UK Card Association, who weren’t terribly happy. So unhappy, in fact, that they wanted the thesis censored (PDF).

Needless to say, this went down poorly with the people responsible for Security Research at Cambridge, one of whom then wrote back (PDF).

My favourite quote is thus:

Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.

For those not familiar with the subject, it can be translated thus: “Oh, hey, no. Also, fuck off, by the way fuck you, also the horse you rode in on. Love and hugs.”

There is a lot more detail on the Light Blue Touchpaper blog, which is from the Security Research Group in the Computer Laboratory at Cambridge University, about banking security. Some of which may make you either laugh or cry. Others may make you gawp incredulously.

On the other hand, it probably shouldn’t come as a surprise to anyone that large corporations don’t have our best interests at heart. What a load of bankers.

Tagged: chip and pin, chip'n'pin, banking, banking security, cambridge university, fuck you