
Citibank wins injunction against ATM vulnerabilities disclosure

OUT-LAW News, 24/02/2004

Following a request by Citibank and Diners' Club, the High Court in London has issued an order preventing a group of Cambridge University researchers from publicly disclosing cryptographic vulnerabilities in the technology used to protect withdrawals from ATM machines, according to The Register.

The injunction was issued in a legal dispute between Diners' Club, Citibank, and South African couple Anil and Vanita Singh, over allegedly fraudulent withdrawals from the couple's Diners' Club account through UK ATMs.

The dispute arose in March 2000, when a total of approximately £50,000 was withdrawn from the Singhs' Diners' Club card account, through 190 separate transactions at ATMs in Britain. The couple denied having withdrawn the money, claiming that they were in South Africa at the time of the transactions.

Diners Club International, on the other hand, maintained that as all the computer systems involved are secure, the Singhs must be responsible for the withdrawals.

Diners' Club International is seeking to recover the money from the Singhs. To support their arguments in court, the Singhs have drafted in three cryptography researchers from Cambridge University as defence witnesses in the case: Ross Anderson, an expert at the Cambridge Computer Laboratory, and his PhD students Richard Clayton and Mike Bond.

According to reports, Bond this month co-authored a paper partly examining security flaws in ATM systems. The paper, published last week, reportedly reveals serious cryptographic deficiencies that could enable fraudsters to discover thousands of card owners' personal identification numbers.

Citibank and Diners' applied for an order requiring the parties to keep confidential all information revealed during the examination of the case, and not to use this information for any other purpose.

The applicants also wanted the order to prevent Citibank and Diners' staff from being called to testify about the security of the computer systems involved.

Mr Anderson apparently asked the court not to grant the order, claiming that it would inhibit legitimate research into cryptography and banking security systems.

He further pointed out that most of the evidence has already been published in Mr Bond's paper, and that the order would contravene academic freedoms by prohibiting his student from including the information in his doctoral thesis.

Mr Anderson claimed in a letter posted to an encryption mailing list that "the order as originally sought by Citibank would have gagged anything revealed in the hearing."

Although the High Court in London has apparently granted the order, its exact form has not been disclosed yet. The case itself is scheduled to be heard in the first week of March.

 

 
