Two Cambridge scientists face a court gag after discovering what they claim is a serious flaw in the software used to protect credit card Pin numbers.
Ross Anderson and PhD student Mike Bond, who are based at Cambridge University’s world-renowned Computer Laboratory, say they discovered a flaw in the cryptographic equipment commonly used to generate Pins while working as expert witnesses on a “phantom withdrawal” case.
Citibank, one of the world’s biggest banks and owner of Diners Club, has won an order in the High Court to prevent details of the research falling into the public domain on the grounds that it could compromise the company’s security.
Credit card fraud in Britain amounts to about £700m a year. Overall fraud is not growing rapidly, although Bond says card companies and criminals are constantly trying to outwit each other.
Anderson and Bond are witnesses in a case that involves a businessman in Durban, South Africa. He received a Pin for his Diners Club card, which can be used to withdraw money from cashpoints, in February 2000 but found it would not work. However, over the following two days a copy of the card was used 6,000 miles away in London to withdraw £55,000 in cash from machines in 190 separate transactions.
Curiously the thieves also appear to have bypassed any limit on withdrawals for the businessman’s card, a detail that has so far not been explained by Citibank.
Such phantom withdrawals are often put down to “shoulder surfing” — a technique in which fraudsters obtain a victim’s Pin number by discreetly watching them type it into a cashpoint. But in the Citibank case the victim’s lawyers argued he had been the subject of a new and more sophisticated fraud involving company insiders “cracking” the machines that generate Pins.
“All the big card issuers use similar machines that are based on 1980s technology,” says Anderson. “Computers have gone through something like eight generations since then, but these machines have not kept up.”
The matter went to court in South Africa, where the judge agreed to take evidence from expert witnesses including Anderson and Bond.
While preparing his submissions for the case, Bond says he discovered the machines that generate Pins can be compromised using a simple mathematical technique. “It is then possible to guess each Pin using an average of 15 guesses instead of nearly 10,000,” says Bond. In a lunch break an attacker on the inside could discover about 7,000 Pins and with a £200 limit on each card the potential bounty is about £1.4m.
Bond, with a colleague, has already written a paper on the new technique for cracking the encryption machines that was discussed in a seminar organised by Microsoft in Cambridge last week. The High Court has now agreed that the hearings in front of the South African judge, due to begin next month, should be held in camera to prevent sensitive details of banking security getting into the public domain.
Last night Citibank denied its cards were insecure or that it was trying to limit academic freedom. “The High Court has ordered that information that is not already in the public domain must be protected in the proceedings and Citigroup will assist on that basis,” it said.
Copyright 2009 Times Newspapers Ltd.