Researcher at Cambridge University is educating hackers

A researcher at Cambridge University is teaching hackers how to break banking security technology during the Chaos Computer Club annual conference “26C3” (CCC). The researcher Steven J. Murdoch, belonging to the Cambridge University Security Group, which is headed by Dr. Ross Anderson, are now pushing their public appearance by leveraging on the published paper they submitted last year “Optimised to fail: Card readers for online banking”. During this conference, they are showing the hacker community how to reverse engineer the UK variant of card readers and smart cards and provides a public description of the protocol (link here).

To make security weaknesses public is a good thing, but is a hacker conference the correct place? It’s certainly one way of radically pushing the public view? Well, that might change for Mr Murdoch, as he recently submitted a pre-conference paper, and therefore intend to participate in the “Workshop on Ethics in Computer Security Research“, which might bring suggestions on ethical and responsible conduct in computer security research.

Security is always a trade-off, the real challenge is to find a solution that really works in practice, other than simply identifying isolated security issues.

MasterCard’s Chip Authentication Program, which is also known as VISA dynamic passcode authentication has been deployed by many banks worldwide. Banks that have introduced the technology, indicates that the fraud rate have dropped significantly, making a win-win situation for both the bank and the cardholder. The cardholder gains increased trust, and the number of disputes, charge backs are being dramatically reduced. There will be evolution in this field as well, but no matter what, convenience with a blend of security is what will drive this business forward.


~ by petergullberg on January 2, 2010.

2 Responses to “Researcher at Cambridge University is educating hackers”

  1. Hi Peter,

    I think you are misunderstanding the purpose of the CCC. Yes, it is a self-described “hacker conference”, but its organizers are using the word “hacker” in its original, positive, sense, as can be found in common circulation, e.g.

    “A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.” —Bruce Schneier

    All the organizers of the CCC and I strongly disapprove of computer crime, and the goal of my talk was to improve banking security. The CCC is one of the primary conferences for the European computer security industry. Its typical audience consists of people who design, build and maintain security systems for the public good — not those who exploit the systems’ flaws for criminal gain. In fact, the people at the CCC who talked to me about my presentation were mainly bank security personnel, and they found my presentation very helpful.

    As an ethical security researcher and academic, I publicize my work to those in the position to improve security. My original presentation at the Financial Cryptography conference, on which my CCC presentation was based, was targeted at an academic audience. My CCC presentation was targeted at developers. Indeed, I know that there were at least six bank employees at my CCC presentation. One of these told me afterwards that he thought he had spotted quite a few more.

    Following responsible security disclosure practices, I have given a copy of my paper to those companies whose system vulnerabilities were discussed three months before the paper’s public release. Since then, the paper has been circulated widely in the security industry and beyond, and has even featured in a Todos press-release. Given that the information is already out in the open, it is better to discuss the security vulnerabilities covered by the paper freely. After all, we both want to improve the security of online authentication, and your comments about blending convenience and security are well made.

  2. Steven,
    I fully agree that the way you handled the paper is fully ethical, I don’t have any issues about that. I know you made copies available to several highly relevant industry partners before publishing it, where financial institutions, payment associations and banks were involved in early peer review, among them APACS, MasterCard and CommerzBank.

    It’s great that you publish your research, it’s brilliant work that you and your colleagues are doing at Cambridge, and I understand that you need to demonstrate that the research you’re doing has public interest and is industrially applicable.

    I also know we (Todos) press-released this, mainly because being the innovator of the technology that you describes in your paper, HHD 1.3, which is a solution that mitigates most of these attacks, quoting from the paper, “…incorporates defences against a number of the attacks we discuss in the paper.

    What concerns me is that making too much public appearance, and especially on conferences that have a lot of stigma, will eventually cause negative press on the technology. I think it’s not fair to CAP (Chip Authentication Program), as CAP and variants of it, such as Dynamic Signatures or HHD are good alternatives for banks to use, to protect online banking and ecommerce transactions, as it leverages on the chip card and the PIN that the cardholder remember, and this brings convenience to him.

    Take care

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: