That's basically a big FU from a Cambridge professor to the banking industry, which thinks it has the power to censor a student's thesis. What's the thesis on? It documents a well-known flaw in the chip-and-PIN system used in banking:
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.
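The negotiation just quoted, as an added toy model (not code from Anderson's post or the thesis): the terminal's view and the card's view of the cardholder verification method (CVM) can diverge because nothing authenticates the negotiation, and the issuer can only catch the mismatch if the card reports its own view under a key the middle party does not hold. CVMs are plain strings and the key is a constructed shared HMAC key, not EMV's real encoding.

```python
import hmac
import hashlib

# Constructed demo key; a real card shares a per-card key with its issuer.
CARD_ISSUER_KEY = b"constructed-demo-key"


def card_verify(cvm_seen_by_card, pin_entered, real_pin):
    """Card's view: it only checks a PIN if the CVM it receives is 'PIN'.
    Under 'signature' it never sees a PIN, so any PIN typed at the terminal
    is irrelevant to it. The card authenticates its own record of what it did."""
    if cvm_seen_by_card == "PIN":
        ok = pin_entered == real_pin
    else:
        ok = True  # signature: nothing for the card to check
    record = f"cvm={cvm_seen_by_card};pin_ok={int(ok)}".encode()
    mac = hmac.new(CARD_ISSUER_KEY, record, hashlib.sha256).hexdigest()
    return {"cvm": cvm_seen_by_card, "pin_ok": ok, "mac": mac}


def terminal_transaction(cvm_requested, pin_entered, real_pin, in_path=None):
    """Terminal's view. `in_path` models the unauthenticated negotiation
    being altered between terminal and card; the receipt reflects only
    what the terminal believes happened."""
    cvm_to_card = in_path(cvm_requested) if in_path else cvm_requested
    card = card_verify(cvm_to_card, pin_entered, real_pin)
    receipt = "Verified by PIN" if cvm_requested == "PIN" else "Signature"
    return {"receipt": receipt, "terminal_cvm": cvm_requested, "card": card}


def issuer_check(tx):
    """Issuer-side detection: verify the card's MAC, then require the card's
    authenticated CVM to agree with the terminal's claim and the PIN to have
    actually passed on the card."""
    card = tx["card"]
    record = f"cvm={card['cvm']};pin_ok={int(card['pin_ok'])}".encode()
    expected = hmac.new(CARD_ISSUER_KEY, record, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, card["mac"]):
        return False
    return card["cvm"] == tx["terminal_cvm"] and card["pin_ok"]
```

With the negotiation flipped to "signature" on the way to the card, the terminal still prints "Verified by PIN", and only the issuer's comparison of the two views rejects the transaction.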
In this era of Wikileaks and censoring information, it's hard to side with the big multinational conglomerates who have only one function: make money. All they are trying to do is protect their own interests. With all the talk of 'corporate responsibility', you'd think the banking industry would want to actually notify the public of the problem. But what do they really try to do? Censor it.
Why shouldn't a vulnerability related to banking PINs be exposed and then ultimately patched? Shouldn't the public be aware of such an exploit?
Personally, I am for censoring classified documents the government wants to keep secure, but censoring something as serious as a banking exploit is just absurd.
Here's Ross Anderson's reply to the banking industry.