12 February 2016

Steven Murdoch

Steven Murdoch - University College London

Information Security

The risks from Cyber crime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

UK Cards Association attempt to suppress Cambridge research

25 December 2010

The UK Cards Association (previously known as APACS) has written to the University of Cambridge asking them to remove a paper, claiming that it contains information that might be of use to criminals. The thesis, from a master's project by Omar Choudary, showed how to build a device that protects cardholders from tampered Chip & PIN terminals.

Professor Ross Anderson responded to the request, and refused to censor Omar's research:

...
“Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.”
...
There are further details in the post on Light Blue Touchpaper.
Tags: Cards, Security

Comments: (6)

John Dring - Intel Network Services - Swindon | 07 January, 2011, 04:45

Brilliant and just the right response.

Ben Smyth - University of Birmingham - UK | 12 January, 2011, 12:07

Dear Steven,

Could you clarify the hardware cost of this attack? Some figures were quoted in the press, but I'd be interested to hear first-hand.

Steven Murdoch - University College London - London | 12 January, 2011, 12:21

Ben,

The hardware costs would be small. It's hard to put a number on it because it dramatically depends on how many of the devices are manufactured. My estimate is that if you wanted to manufacture 10, it would cost about $100, including labour. If you wanted to manufacture 100,000 it would cost about $10.

Steven.

Ben Smyth - University of Birmingham - UK | 12 January, 2011, 12:40

Steven,

To clarify, 10 units cost $100 ($10/unit) or 10 units cost $100/unit?

Ben Smyth - University of Birmingham - UK | 12 January, 2011, 12:44

I assume you meant $100/unit when manufacturing 10 units. In my opinion, this makes the attack practical.

Steven Murdoch - University College London - London | 12 January, 2011, 12:45

$100 per unit (very approximately; for low quantities component cost can easily vary by a factor of 5 depending on supplier and how soon the components are needed).


Dr Steven J. Murdoch is a Royal Society University Research Fellow in the Information Security Research Group of University College London, working on developing metrics for security and privacy.
