Worker who criticised Chip and Pin research violated UK Card Association policy

A UK Card Association member of staff has been traced as the source of an anonymous comment criticising research that identified weaknesses in the Chip and Pin system.

University of Cambridge academics published a paper entitled "Chip and Pin is broken" earlier this month, which revealed how a middleperson attack on EMV lets criminals use stolen Chip and Pin cards without knowing the Pin.

Researchers said the flaws are so serious that banks, credit card companies and retailers should consider the Chip and Pin system broken, until it is redesigned.

A blog post about the research received a comment which claimed the research had major flaws. According to a report on The Register, the comment was posted by someone working at the UK Card Association, formerly APACS.

Among other things, it said: "If I were an academic and a student were to present me a copy of a paper with so many unproven assertions and innuendo I would be forced to return it to them and ask them to show again!"

In reference to questions recently being raised over the validity of climate change research carried out by East Anglia University, the blog commenter, using the name Scrutineer, said: "At a time when other academics are under pressure because of doubts over the validity of their research and findings on climate research, it is very worrying that others seem hell bent on following the same path; research must be sold and assertions backed up by facts. To me it reads as opinion and rant thinly disguised as fact."

The commenter's IP address was traced to a UK Card Payment Association computer. A spokeswoman at the organisation said the individual responsible had violated its policy on blog commenting and it was "a disciplinary issue".

In response to the BBC Newsnight feature about the research, the UK Card Payments Association said: "The industry strongly refutes the allegation made on Newsnight and in the University of Cambridge's paper. We do not accept the serious claim that the protocol behind one of the most successful anti-fraud initiatives is either broken or fatally flawed.

"We believe that this complicated method [as described in the research] will never present a real threat to our customers' cards. It requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal. This fraud is also detectable by the industry's systems."
