UKCA Tries To Block Chip & PIN Hack Research Paper

A Cambridge University professor has accused the UK banks of trying to prevent the publication of research that reveals a serious flaw in the Chip & PIN, the Europay, MasterCard and VISA (EMV) payment card security system.

Professor Ross Anderson revealed that a student had created a £20 device that could fool a payment machine into accepting a card without a valid PIN. The UK Card Association (UKCA) wrote to the university’s press office demanding the removal of the research document from its website.

Overstepping The Mark

Anderson said the attempt to gag the scientist concerned was “a nasty piece of spin-doctoring” and “deeply offensive”.

Melanie Johnson, chairwoman of the UKCA and ex-Treasury minister for the Labour party, said publication of the research paper on the web “oversteps the boundaries of what constitutes reasonable disclosure”. She said that too much detail was given on how the chip and PIN system could be overcome.

The Mail Online quoted Anderson as saying: “You seem to think that we might censor a student’s thesis – which is lawful and already in the public domain – simply because a powerful interest group finds it inconvenient. Censoring writings that offend the powerful is offensive to our deepest values.”

Student Omar Choudary used a Master of Philosophy project to look for flaws in the system . Card users have often complained that money disappears from their accounts unexpectedly.

The banks rarely accept these claims, believing the Chip & PIN system is flawless. Choudary decided to see if these beliefs were well-founded.

For his project he built a device, approximately the same size as a cigarette packet which he could conceal up his sleeve. The gadget is wired to the card and, when the card is inserted in a merchant’s PIN machine the electronic system ensures the card is accepted without the correct PIN number.

Choudary claims he was able to  purchase books and CDs worth £50 in the Cambridge branch of media store HMV using a borrowed card.

The UKCA said it was not seeking to censor Choudary’s work but did question whether openly publishing the details was in the public interest, the Mail reported.