Kudos to Cambridge for refusing to cover up security holes in “Chip and PIN”

Link: http://blogs.msdn.com/b/nickmalik/archive/2010/12/26/kudos-to-cambridge-for-refusing-to-cover-up-security-holes-in-chip-and-pin.aspx

One challenge with long-running news stories is that it is often difficult to keep track of the “current” bits.  Even important news can seem like “old” news because the problem is taking so long to be resolved, or even addressed.  What worries me is that many folks, especially here in the USA, are completely unaware of this story. 

I’m talking about the flaws in the Chip-and-PIN system for credit card validation and in the “Verified by Visa” ecommerce validation systems.  It turns out that both systems, heavily invested attempts by the credit card industry to reduce fraud, have not had the intended effect.  Fraud has increased, despite both changes.  Security researchers at Cambridge University have pointed out these flaws for years, in paper after paper, in the open.

Here’s the kicker.  On December 1, 2010, the UK credit card industry sent a letter to Cambridge to ask them to take a research paper off their website.  Effectively, they asked the University of Sir Isaac Newton and Charles Darwin to censor the valid (yet embarrassing) research of one of their own scholars because he pointed out serious flaws in the Chip-and-PIN system.  I am not surprised by their request, nor by the response of the University… they refused.

On the other hand, at the first sign of censorship, I encourage all of us to Read Dangerous Works, Think Dangerous Thoughts, and Embrace Dangerous Ideas.  Only through the consumption of dangerous ideas can they survive.  And survive they must, because all truly innovative ideas were, at one time or another, dangerous. 

What makes an idea dangerous?  When a powerful person seeks to censor it, it is dangerous.  This goes for burned books, blasphemous websites, and, yes, for dry technical white papers that point out that the banks are pushing for a massive shift in liability, hoping to move liability for fraud from the banks to the banking customers, to the tune of hundreds of millions of dollars, by “selling” us on a security system that is not secure.

The researchers at Cambridge have been getting the media to notice.  I encourage folks to watch this YouTube video, part of a BBC news broadcast:


Now, my regular readers may be surprised to see me take a stand against censorship.  After all, just a few weeks ago, I expressed strong concern over the publication, by Wikileaks, of a list of potentially valuable targets for terrorists.  Was I not asking for censorship then?  What changed?

I walk a fine line here.  After all, what is the principle that I am following that says “Cambridge is right to publish instructions for thieves while Wikileaks is bad for publishing instructions for terrorists.”  The principle is simple: value for human life.  If information, widely shared, has the opportunity to lead directly to the loss of human life, it should not be widely shared.  If, on the other hand, information widely shared can drive good behavior on the part of powerful people without endangering human life, it should be shared. 

Falsely yelling “Fire” in a crowded theater is not “protected free speech” because people can be injured or killed.  On the other hand, publishing a list of theaters that have inadequate fire safety protections is protected free speech, because the theater owners now have a reason to improve their safety records or face the loss of business to competing (safer) theaters.  (If this example seems a bit antiquated, especially to those folks from outside the USA, I’m referring to a case in the US Supreme Court in 1919.)

The publication of imperfections in the security scheme of credit cards is similar to my example of publishing a list of theaters with poor fire-safety protections.  Customers who frequent merchants using the Chip-and-PIN system, and the Verified by Visa system, are not safer as a result and may, in fact, be LESS secure.  As consumers, and free citizens, we have the right not only to vote with our wallets, but also to demand regulations that will drive good behavior on the part of credit card companies.  Now that the USA has a branch of the government specifically chartered with Consumer Protection, perhaps this is an issue that they can take up.