
Cash machine security: Could someone steal your PIN number?

If CitiBank gets its way, we'll never know...

Tags: cash machine, anderson, citibank, atm

By Declan McCullagh

Published: 24 February 2003 11:01 GMT

A lawsuit over possibly fraudulent withdrawals from cash machines in London could gag academic research into the vulnerabilities of banks' cryptographic systems.

South Africa's branch of Citibank, which is investigating about $80,000 in disputed withdrawals, has asked London's High Court of Justice to take testimony starting on 3 March from a team of scientists from the University of Cambridge. The researchers fear that Citibank's proposed secrecy order would restrict future explorations into bank security systems.

Professor Ross Anderson, a cryptography expert working within Cambridge University's computer labs, said in a post to an encryption mailing list this week: "The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers."

The High Court held a hearing Thursday on how the case should proceed and promised a decision before 3 March. Anderson said: "The order as originally sought by Citibank would have gagged anything revealed in the hearing. The language that was being used meant that anything that was revealed in the hearing would have been silenced forever."

Bond co-authored a paper this month titled "Decimalisation table attacks for PIN cracking," which described how a rogue bank employee could discover 7,000 customer personal identification numbers in half an hour. The research reports a flaw in the security of the 1980-vintage IBM 3624 ATM and many of its successors, which store PINs in a tamper-resistant hardware security module.

The Cambridge researchers became involved in the case after they agreed to be defence witnesses for Anil Singh and Vanitha Singh, who were sued by Citibank in South Africa for allegedly permitting their ATM card to be taken to London and misused. In March 2000, their ATM card was used in about 190 successful transactions in London to withdraw about $80,000, and the Singhs are hoping to demonstrate that a Citibank insider was responsible for the heist.

Thomas Teichgraeber, general counsel to Citigroup's Diners Club International, wrote a letter to the court on Monday asking to intervene in the case to ensure that no confidential information was disclosed. Teichgraeber did not return phone calls on Friday to his office in Chicago.

In his own letter to the court sent on Wednesday, Anderson said that much of the information about the bank vulnerabilities was in the public domain and had been presented at a conference in Paris and a seminar at Cambridge and should remain public. "I respectfully submit that it would not be reasonable or legitimately justified to make any secrecy order at all concerning defense expert testimony," Anderson wrote.
