Must Reads

U Bank Card Association Demands Takedown of Student Research Paper

The UK Cards Assocation, a leading association representing the bank card industry, has written to Cambridge University to demand that it take down the web version of a research paper by a graduate student.  The paper identifies security holes in one bank card products.  The association argues the disclosure “oversteps the boundaries of what constitutes responsible disclosure.”  A blog post on the paper can be found here.


  1. really?
    Security by obscurity is not security… like MS and Apple learned… now banks must also learn that obscurity does not means security.

  2. Depends on the definition of ‘Responsible disclosure’
    Too often companies use ‘Reponsible disclosure’ to get people to disclose the security holes, but, fail to act on it. It appears to be a way to shut down people so that they cannot report on a problem that we should be knowing about. Black-hats probably have this already and have tools to take advantage of this. If the consumer gets taken and loses money the banks say you must have disclosed your PIN therefore we won’t re-imburse your losses. This article shatters the notion that PINs are 100% secure and the banks should be looking at the next generation to protect our accounts when using a card rather than trying to hide the problem by shutting down legit research.

  3. From the letter: “It provides links to the paper by Mr Choudary and to a ‘project’s page’, where he gives an overview of the work done and a pointer to both the source code and hardware schematics for the device’s application and functions.

    It is the publication of this level of detail which we believe breaches the boundary of responsible disclosure. Essentially, it places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN.”

    Question: How many here would find the publication of bomb-making information as “responsible disclosure”? Admittedly this is a bit of an extension, since a bomb kills and injures people and damages property, while a device such describes simply allows someone to skim private information, but both are illegal. The research itself isn’t the problem from what I read (certainly they’d have far less to complain about if the only results had been published), rather it is publishing the instructions on how to make the device (that was used to generate the results) that is the problem. This has the potential to increase the amount of skimming going on.

    TomT: I agree this is legitimate research. However, is publishing (on the web) the schematics and source for a device that allows one to make a device to do the skimming absolutely necessary to publishing the research. He could have not included the links in the web published version of the document, and sent the schematics and source separately to those that needed to review the research? At the end of the day, this accomplishes the goal of publishing the results.

  4. Cambridge’s reply
    I saw this on a another blog,, which includes an amazing reply from Cambridge University. The reply can be downloaded as pdf here:

  5. tony
    wholesale electronics