Flaw in Chip and PIN published by Cambridge University

According to the latest reports, an institution of higher learning has prevailed over the powers of higher finance. Cambridge University refused a demand from the UK Cards Association to remove a student’s thesis from the internet on the grounds that such censorship goes against the very foundations of what a university is all about.

Omar Choudary is the student who published his master’s thesis, titled “The smart card detective: a handheld EMV interceptor”, on the net. His thesis described a flaw in the Chip and PIN security system in use by most major banks in the U.K., and gave specific details about how it could be exploited by the criminally minded.

Melanie Johnson, chair of the UKCA, sent a letter to Cambridge authorities telling them to remove the offending thesis from the public domain, saying that it went beyond the acceptable bounds of public disclosure by explaining the glitch that made Chip and PIN security vulnerable to unauthorized users.

However, Omar’s professor of security engineering, Ross Anderson, sent his own letter in return, saying in effect that the information was already in the public domain, and that the University would uphold the student’s right to publish it. He said it would be authorized for publication as a Computer Laboratory technical report so it would remain online.

Anderson and his colleagues discovered the flaw upon which Choudary based his thesis in 2009, and they notified the banks about it shortly thereafter. The glitch was brought to public attention on BBC’s Newsnight in February last year.