Updated 4 April 2003
3 April 2003
Introductory note published 26 February 2003 at http://cryptome.org/pacc.htm
The court's order of 21 February 2003, gagging public disclosure of Citibank's crypto vulnerabilities:
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/citibank_order.pdf
18 February 2003
To: [email protected]
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <[email protected]> Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities: http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf I have written to the judge opposing the order: http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines: http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case. The vulnerabilities are also scientifically interesting: http://cryptome.org/pacc.htm For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers. Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...
These are the documents banned by the High Court.