The Security Research Computer Lab at Cambridge University posted an article about industry response to a fundamental flaw in the “chip and pin” system in February. The paper, by Omar Choudary (a PhD student), highlights a flaw in the standard that permits the use of any PIN number. The University passed it to industry two months before publishing.
Now, some eight months later, the only bank known to have addressed this is Barclays. Instead of addressing the issue, the bankers’ trade association feels the best course of action is to tell the University it’s being irresponsible [pdf] in publishing the information! Given the Streisand Effect, is that not trying to close the stable door after the horse has bolted? The University’s response, at the moment, is an emphatic no.
It is interesting that the UK Cards Association feels an offence was committed in proving the vulnerability. I would have thought they’d welcome the information, given their front page statement:
We inform and engage with stakeholders to advance the industry for the ultimate benefit of our members’ consumer and retail customers. Our work includes preventing card fraud, contributing to legislative changes, collating industry statistics and developing industry standards and best practices.