Citibank wins injunction against ATM vulnerabilities disclosure

Out-Law News | 24 Feb 2004 | 12:00 am

Following a request by Citibank and Diners' Club, the High Court in London has issued an order preventing a group of Cambridge University researchers from publicly disclosing cryptographic vulnerabilities in the technology used to protect withdrawals from ATMs, according to The Register.

The injunction was issued in a legal dispute between Diners' Club, Citibank, and South African couple Anil and Vanita Singh, over allegedly fraudulent withdrawals from the couple's Diners' Club account through UK ATMs.

The dispute arose in March 2000, when a total of approximately £50,000 was withdrawn from the Singhs' Diners' Club card account, through 190 separate transactions at ATMs in Britain. The couple denied having withdrawn the money, claiming that they were in South Africa at the time of the transactions.

Diners' Club International, on the other hand, maintained that because all the computer systems involved are secure, the Singhs must be responsible for the withdrawals.

Diners' Club International is seeking to recover the money from the Singhs. To support their arguments in court, the Singhs have drafted in three cryptography researchers from Cambridge University as defence witnesses in the case: Ross Anderson of the Cambridge Computer Laboratory, and his PhD students Richard Clayton and Mike Bond.

According to reports, Bond this month co-authored a paper partly examining security flaws in ATM systems. The paper, published last week, reportedly reveals serious cryptographic deficiencies that could enable fraudsters to discover thousands of card owners' personal identification numbers.

Citibank and Diners' applied for an order requiring the parties to keep confidential all information revealed during the examination of the case, and not to use this information for any other purpose.

The applicants also wanted the order to prevent Citibank and Diners' staff from being called to testify about the security of the computer systems involved.

Mr Anderson apparently asked the court not to grant the order, claiming that it would inhibit legitimate research into cryptography and banking security systems.

He further pointed out that most of the evidence has already been published in Mr Bond's paper, and that the order would contravene academic freedoms by prohibiting his student from including the information in his doctoral thesis.

Mr Anderson claimed in a letter posted to an encryption mailing list that "the order as originally sought by Citibank would have gagged anything revealed in the hearing."

Although the High Court in London has apparently granted the order, its exact form has not been disclosed yet. The case itself is scheduled to be heard in the first week of March.