[saag] Of potential interest -- Citibank tries to gag crypto bug disclosure (fwd)

From: Dave Ahmad (daat_private)
Date: Thu Feb 20 2003 - 15:13:57 PST


    David Mirza Ahmad
    Symantec
    
    0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
    
    ---------- Forwarded message ----------
    Date: Thu, 20 Feb 2003 14:04:01 -0800
    From: Robert Moskowitz <rgm-sec@htt-consult.com>
    To: saagat_private
    Subject: [saag] Of potential interest -- Citibank tries to gag crypto bug disclosure
    
     >To: ukcryptoat_private
     >Subject: Citibank tries to gag crypto bug disclosure
     >Date: Thu, 20 Feb 2003 09:57:34 +0000
     >From: Ross Anderson <Ross.Andersonat_private>
     >
     >
     >Citibank is trying to get an order in the High Court today gagging
     >public disclosure of crypto vulnerabilities:
     >
     >    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
     >
     >I have written to the judge opposing the order:
     >
     >    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
     >
     >The background is that my student Mike Bond has discovered some really
     >horrendous vulnerabilities in the cryptographic equipment commonly
     >used to protect the PINs used to identify customers to cash machines:
     >
     >    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
     >
     >These vulnerabilities mean that bank insiders can almost trivially
     >find out the PINs of any or all customers. The discoveries happened
     >while Mike and I were working as expert witnesses on a `phantom
     >withdrawal' case.
     >
     >The vulnerabilities are also scientifically interesting:
     >
     >    http://cryptome.org/pacc.htm
     >
     >For the last couple of years or so there has been a rising tide of
     >phantoms. I get emails with increasing frequency from people all over
     >the world whose banks have debited them for ATM withdrawals that they
     >deny making. Banks in many countries simply claim that their systems
     >are secure and so the customers must be responsible. It now looks like
     >some of these vulnerabilities have also been discovered by the bad
     >guys. Our courts and regulators should make the banks fix their
     >systems, rather than just lying about security and dumping the costs
     >on the customers.
     >
     >Curiously enough, Citi was also the bank in the case that set US law
     >on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
     >that's an omen, if not a precedent ...
     >
     >Ross Anderson
    Robert Moskowitz
    TruSecure Corporation
    Security Interest EMail: rgm-sec@htt-consult.com
    
    _______________________________________________
    saag mailing list
    saagat_private
    https://jis.mit.edu/mailman/listinfo/saag
    
    This archive was generated by hypermail 2b30 : Thu Feb 20 2003 - 15:32:30 PST