20 April 2014

Steven Murdoch - University of Cambridge


UK Cards Association attempt to suppress Cambridge research

25 December 2010

The UK Cards Association (previously known as APACS) has written to the University of Cambridge asking them to remove a paper, claiming that it contains information that might be of use to criminals. The thesis, from a master's project by Omar Choudary, showed how to build a device that protects cardholders from tampered Chip & PIN terminals.

Professor Ross Anderson responded to the request, and refused to censor Omar's research:

...
“Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.”
...
There are further details in the post on Light Blue Touchpaper.

Comments: (6)

John Dring - Intel Network Services - Swindon | 07 January, 2011, 04:45

Brilliant and just the right response.

Ben Smyth - University of Birmingham - UK | 12 January, 2011, 12:07

Dear Steven,

Could you clarify the hardware cost of this attack? Some figures were quoted in the press, but I'd be interested to hear first-hand.

Steven Murdoch - University of Cambridge - Cambridge | 12 January, 2011, 12:21

Ben,

The hardware costs would be small. It's hard to put a number on it because it dramatically depends on how many of the devices are manufactured. My estimate is that if you wanted to manufacture 10, it would cost about $100, including labour. If you wanted to manufacture 100,000 it would cost about $10.

Steven.

Ben Smyth - University of Birmingham - UK | 12 January, 2011, 12:40

Steven,

To clarify, 10 units cost $100 ($10/unit) or 10 units cost $100/unit?

Ben Smyth - University of Birmingham - UK | 12 January, 2011, 12:44

I assume you meant $100/unit when manufacturing 10 units. In my opinion, this makes the attack practical.

Steven Murdoch - University of Cambridge - Cambridge | 12 January, 2011, 12:45

$100 per unit (very approximately; for low quantities component cost can easily vary by a factor of 5 depending on supplier and how soon the components are needed).
