A financial industry trade group demanded that it be removed from public view—it being a Master's Thesis by University of Cambridge student Omar S. Choudary that explains how to build a gadget that protects consumers from being hacked while using their bank card.

"The publication of this level of detail" goes beyond "the boundary of responsible disclosure," the UK Cards Association told Cambridge in December. "Essentially, it places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN."

'Chip and PIN' is shorthand for Europay, MasterCard and VISA (EMV)—the United Kingdom's protocol for handling transactions between a point-of-sale terminal and a smart card.

Therefore, "we would ask that this research be removed from public access immediately," the UK Card letter concluded, "and would hope that you are able to give us comfort about your policy towards future disclosures."

To which Cambridge Professor of Computer Security Ross Anderson offered this uncompromising reply:

You seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material!

No PIN confidence

What does this supposedly threatening paper reveal? Actually, it's a pretty interesting read, and its author did a public service by exploring a fix to what has been acknowledged across the United Kingdom as a widespread problem.

"Chip and Pin is Broken" famously declared a Cambridge University research paper in 2008. "In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN [Personal Identification Number]," the three authors of the document explained, "and to remain undetected even when the merchant has an online connection to the banking network."

The news that miscreants can rig cards to work even if the PIN code '0000' is entered sent shock waves across the United Kingdom and France, where the protocol is used. But it gets worse. Choudary's paper says that hackers can tinker with Chip and PIN-enabled bank and credit card terminals and wirelessly intercept data about live consumer transactions to get into the system themselves.

"In this scenario it is possible for someone to tamper with the terminal such that the amount shown on the display is higher than the amount requested to the card," Choudary warns. "The user will confidently enter the PIN and authorize the transaction."

So the thesis describes the creation of the "Smart Card Detective" (SCD), a man-in-the-middle device that intercepts the exchange between card and terminal to make sure it is legitimate. Basically, the inexpensive, cellphone-sized prototype Choudary built lets the user slip their card into a small physical interface that is then connected to a bank or credit card terminal. The gadget verifies that the transaction is safe, and asks the user to decide whether to proceed.

Cambridge even tested the gizmo with a rigged terminal in which the LCD display showed a cost of £5.00 but requested a payment of £123.45. "Using the SCD between a real card and the fake terminal we were able to see the correct amount (£123.45) on the display and cancel the transaction," the paper concludes.
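One way to model the check the SCD performs in that test, as an added example that is not code from the thesis or from the article: the terminal's GENERATE AC command carries the transaction data in the layout the card's CDOL1 requests, and the amount the card is actually asked to authorise is the standard EMV "Amount, Authorised" field (tag 9F02, six BCD bytes in minor units). A device sitting between card and terminal can decode that field and refuse to forward the command when it disagrees with the amount the user saw on the display. The CDOL1 layout and APDU bytes below are constructed sample values.

```python
# Added example: minimal model of a man-in-the-middle amount check between
# an EMV card and a terminal. Sample CDOL1 and APDU bytes are constructed.

GENERATE_AC = (0x80, 0xAE)        # CLA, INS of the EMV GENERATE AC command
TAG_AMOUNT_AUTHORISED = 0x9F02    # "Amount, Authorised (Numeric)", n12 BCD

def parse_dol(dol: bytes) -> list[tuple[int, int]]:
    """Parse a Data Object List into (tag, length) pairs. A first tag byte
    whose low five bits are all set continues into a second tag byte."""
    entries, i = [], 0
    while i < len(dol):
        tag = dol[i]
        i += 1
        if tag & 0x1F == 0x1F:
            tag = (tag << 8) | dol[i]
            i += 1
        entries.append((tag, dol[i]))
        i += 1
    return entries

def amount_from_generate_ac(cdol1: bytes, apdu: bytes) -> int:
    """Return the amount (minor units) the terminal asks the card to authorise.
    GENERATE AC data is a plain concatenation in CDOL1 order, not TLV."""
    if len(apdu) < 5 or (apdu[0], apdu[1]) != GENERATE_AC:
        raise ValueError("not a GENERATE AC command")
    lc = apdu[4]
    data = apdu[5:5 + lc]
    if len(data) != lc:
        raise ValueError("truncated command data")
    offset = 0
    for tag, length in parse_dol(cdol1):
        if tag == TAG_AMOUNT_AUTHORISED:
            return int(data[offset:offset + length].hex())  # BCD digits -> int
        offset += length
    raise ValueError("CDOL1 does not request Amount, Authorised")

def scd_allows(cdol1: bytes, apdu: bytes, displayed_pence: int) -> bool:
    """Forward the command only if the requested amount matches the display."""
    return amount_from_generate_ac(cdol1, apdu) == displayed_pence

# Constructed CDOL1: 9F02(6) 9F03(6) 9F1A(2) 95(5) 5F2A(2) 9A(3) 9C(1) 9F37(4)
CDOL1 = bytes.fromhex("9F02069F03069F1A0295055F2A029A039C019F3704")
# Constructed command: terminal requests 12345 pence (GBP 123.45)
APDU = bytes.fromhex("80AE80001D" "000000012345" "000000000000" "0826"
                     "0000000000" "0826" "101224" "00" "DEADBEEF" "00")

if __name__ == "__main__":
    print(amount_from_generate_ac(CDOL1, APDU))   # 12345
    print(scd_allows(CDOL1, APDU, 500))            # False: display showed 5.00
```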

Not in the cards

What were the specific objections of the UK Cards Association to the document? "Publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them, and/or give organised crime access to material that they might be able to develop further," the missive insists.

Cambridge's Anderson responded that the purpose of the project was to develop technology that consumers can use to protect themselves against criminals.

"You complain that our work may undermine public confidence in the payments system," the university's letter concludes. "What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."

Upon publishing the reply, Cambridge classified Choudary's thesis as a "Computer Laboratory Technical Report," which will "make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."

Then Anderson announced the move on his blog. "Merry Christmas to All Bankers," he titled the post:

"The bankers also fret that 'future research, which may potentially be more damaging, may also be published in this level of detail.' Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that's been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!"