Chip and PIN flaw that banks tried to censor: Cambridge scientist exposed security failures



Banks were yesterday accused of a cover-up after they tried to silence a Cambridge University scientist who exposed a fatal flaw in chip and PIN card security.

The UK Cards Association, which represents the country’s biggest banks, objected to research that showed how a simple £20 device could be used by fraudsters to buy goods without entering a valid personal identification number at the till.

Ex-Labour MP Melanie Johnson, a former Treasury minister who now works in the private sector as chairman of the UKCA, tried to stop the embarrassing research being published.

But in a blistering defence of academic freedom, Cambridge professor Ross Anderson warned the attempt to gag the scientists was ‘a nasty piece of spin-doctoring’ and ‘deeply offensive’.

The professor said that Cambridge would continue to publish controversial research just as it had done with scientists such as Sir Isaac Newton and Charles Darwin.

The chip and PIN system, introduced in 2006, was intended to reduce card fraud as thieves would not be able to use stolen cards without knowing the PIN.

Scientists at Cambridge began to look for flaws in the system after card users said their cards had been stolen and their PINs used – something the banks still deny is happening.


Research student Omar Choudary described in an MPhil research project how to build a gadget that tricks chip and PIN machines into accepting cards without a valid PIN.

The cigarette packet-sized device can be concealed up a sleeve while attached to a card.



When the card is inserted into a chip and PIN machine at a till, the device uses electronics to ensure the card is accepted.

Mr Choudary was able to buy books and CDs worth £50 in Cambridge HMV using a borrowed card and the device.

Miss Johnson wrote to the university press office demanding that it remove all details of Mr Choudary’s device from its website.

She said publication on the web ‘oversteps the boundaries of what constitutes reasonable disclosure’ and gave too much detail on how the chip and PIN system could be overcome.

But Professor Anderson, from Cambridge University’s Computer Laboratory, said: ‘This is a nasty piece of spin-doctoring.



‘It’s not the PR department who decides what gets published at a university.’

He told Miss Johnson: ‘You seem to think that we might censor a student’s thesis – which is lawful and already in the public domain – simply because a powerful interest group finds it inconvenient.

‘Censoring writings that offend the powerful is offensive to our deepest values.’

The UKCA said it was not seeking to challenge the work of the university but asking whether publishing details was in the public interest.