Dec 27, 2010 16:43 GMT
University of Cambridge refuses to take thesis about Chip-and-PIN attack offline

The University of Cambridge has rejected the UK Cards Association's request to remove an MPhil thesis from its website, viewing it as an offensive censorship attempt.

The UK Cards Association is Britain's trade organization of credit and debit card issuers and actively works to prevent card-based fraud.

The organization recently wrote to the University of Cambridge to request that Omar S. Choudary's dissertation for the degree of Master of Philosophy in Advanced Computer Science be taken offline because the information within poses a risk to consumers.

The thesis in question includes the hardware schematics for a device dubbed a Smart Card Detective (SCD), which can audit and modify any part of an EMV (Chip-and-PIN) transaction.

The SCD is a practical implementation of the so-called No-PIN attack, developed and publicly disclosed in 2009 by Steven Murdoch, Saar Drimer, Ross J. Anderson and Mike Bond.

"[...] You seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work," Ross J. Anderson, professor of Security Engineering at the University of Cambridge Computer Laboratory, wrote in a response letter to the UK Cards Association.

"Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material!" the reputed professor and researcher added.

Anderson went even further and authorized the thesis to be issued as a technical report from the computer science department, which will give it an even more prominent place on the university's website.

It's worth noting that when the No-PIN attack was publicized last year, the industry associations called it impractical. Omar Choudary's device, which can be attached to one's arm, proves the contrary, especially since it only costs around £100 to build.

"You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies," Professor Anderson told the UK Cards Association.

"Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it," he concluded.