Citibank and Diners Club have won a High Court order in London gagging public disclosure of crypto vulnerabilities in ATMs by Cambridge University scientists who have agreed to act as expert witnesses in a phantom withdrawal case.
The Cambridge scientists claim to have discovered serious vulnerabilities in the cryptographic equipment commonly used to protect the PINs that identify customers to cash machines. They are due to testify on behalf of a South African couple who claim to have lost £50,000 in a series of alleged phantom withdrawals from British ATMs in March 2000. The case is to be heard in the South African High Court next month.
Lawyers acting on behalf of Citibank and Diners Club have been granted an injunction preventing the public disclosure of confidential information relating to the operation of their ATM networks by witnesses in the case, including their own staff and defence witnesses.
The UK scientists, Professor Ross Anderson of Cambridge University and PhD students Mike Bond and Richard Clayton, have published a series of papers which they claim prove that bank insiders can almost trivially find out the PINs of any or all customers.
They believe the Citibank injunction will suppress scientific research and teaching and undermine the rights of other victims of phantom withdrawals.
In a posting to an Internet security mailing list last week, Anderson wrote: "Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers."