Media Coverage

PIN Mailer Security - August 2005

The work I did with Steven Murdoch and Jolyon Clulow on PIN mailer security seems after three weeks or so to have been spotted and got some publicity. Today, 24th August, InfoSecurity web magazine put up an article: UK banks sent out vulnerable PIN mailers. It's a fairly short affair, but I was quite pleased that the observation about shared risk and weak samples betraying generally more secure stock got in.

More coverage appeared the next day on BBC news online -- Poor print exposing pin numbers, and also in The Register -- The GIMP threatens PIN number security.

And the next day... BBC Radio 5 Live asked for a brief interview too on the Simon Mayo show. Since then, my colleague Steven started collecting links for his scrap book, so I'm off the hook... see his list here Steven's LiveJournal Entry.

Chip and Spin (Take 3) - July 2005

On 20th July LBC Radio's Breakfast Show with Nick Ferrari briefly interviewed me on Chip and PIN. Recent news stories that have been negative about the progress of Chip and PIN in fighting fraud, for instance the Observer's Shadow hanging over card users, seem to have attracted further attention. During the comments I briefly made, I focussed not on the success or failure of Chip and PIN fighting fraud wholesale, but on the effect it is having on dispute resolution.

A few weeks later I spoke on the lunchtime programme on Newstalk 106 in Dublin, Ireland. I spoke about some of the liability shift concerns, fallback issues, and very briefly about the new PIN mailer vulnerability research released at the beginning of August. I forget the name of the spokesperson who represented the Irish banks, but her responses to the criticisms raised seemed intelligent and honest -- not always the case in media spin wars.

Chip and Spin (Take 2) - April 2005

Friday 8th April saw a second programme on the telly about Chip and PIN, this time ITV's "Tonight with Trevor McDonald". I've yet to see the programme myself, so I can't comment on its angle.

Sumitomo Mitsui Hackers Foiled - Mar 2005

On 17th March 05 the BBC got very excited about what was potentially the UK's largest ever sum stolen in a bank raid, GBP 220 million from Sumitomo Mitsui Banking Corporation's UK office. However, the plot was foiled by the National Hi-tech Crime Unit, and the bank in question. I was asked to comment by BBC Radio 5 Live, BBC Radio Scotland, and BBC World Service. I was able to explain roughly what keyloggers were, and how they fitted into the attack, and also explain that internal bank systems security should not be confused with online retail banking security, where keylogging software is of course a danger too.

Chip and Spin! - Mar 2005

The ITV London Programme broadcast on the 15th March "The Truth About Chip and PIN". I was interviewed for this programme, and discussed at length issues to do with dispute resolution, and shortcomings in the Static Data Authentication Mode (SDA) of the Chip and PIN cards. In the end the programme focussed on "exposing" that fallback to magnetic stripe technology continues to be a viable attack method, and on explaining why it may be some time indeed before magnetic stripe can be discontinued. To clarify our original concerns, Ross Anderson and I wrote Chip and Spin and put up a summary site.

Continued Interest in Chip and PIN - Nov 2004

On 30th Nov, Morning Ireland on RTE Radio 1, an Irish news and current affairs show, engaged me to provide brief comment on the down side to Chip and PIN (from the point of view of the customer). It seems the Guardian article "Safety In Numbers : Not Likely" has become a little controversial. Several other stations and printed-news journalists have approached me, but the stories have since been pulled. I'm not entirely sure why: probably the banks didn't field any specific responses to the suggestions put forward in the Guardian article, and where there's no battle of words, there's no story.

On 2nd December, BBC Radio 4's "You and Yours" consumer affairs program did an item on "Chip and PIN". Sandra Quinn from APACS and myself presented some of the issues to do with the new payment scheme. Unfortunately from my point of view, the discussion focussed more on issues around the design and security of the Chip and PIN terminals themselves, rather than what I felt to be the key issues for consumers: PIN vs. Signature and Liability. However, raising customer awareness is no bad thing, regardless of the focus. You can relisten to the piece here with Real Audio. Not sure for how long this link will remain active.

Phantom Withdrawals Nearly Double - Nov 2004

It seems APACS reported that cash machine fraud has gone up by 85% in the last year (see BBC News Online article), and this prompted much speculation as to the reasons why. Some commentators reckon this is the final death throe of the scammers before Chip and PIN arrives, others think this could be the start of something really nasty. BBC Radio Cambridgeshire asked me to comment briefly, and they wanted to direct their listeners to my phantom withdrawals website which contains advice for people involved in disputes with banks, and documents similar cases.

Chip and PIN - Oct 2004

On 27th Oct, the Guardian ran a story on the introduction of Chip and PIN, and the various benefits and risks. It was the front page article of their G2 supplement, but is also online: "Safety In Numbers : Not Likely". I pointed out some of the risks involved in using PINs for authorisation much more frequently.

ATM Fee Charging and ATM Security - Sep 2004

BBC Radio Wales invited me to discuss the increasing number of ATMs operated for profit in so-called "convenience" locations, and a recently released report on charging best practices by Nationwide. My emphasis was on the security implications of running ATMs for profit, and in different sorts of locations.

Phantom Withdrawals In Cambridgeshire UK - Jul 2004

BBC Radio Cambridgeshire's "Consumer Show" received a number of calls from listeners about phantom withdrawals during early July. They invited me to talk about my phantom withdrawal website when I returned from a conference a week later, on 16th July. Unfortunately much of the interview was spent sorting out a misunderstanding over the exact URL of the site.

Double Dispensing Cash Machines, Northumberland UK - Apr 2004

Night-owls in the UK may have heard me give a brief interview on the Matthew Bannister Show on BBC Radio 5 Live, in the early hours of 29th April (my fifteen minute reserve of fame is now running rather low). The interview was a follow-up to a BBC news article describing an ATM mistakenly dispensing twenty pound notes instead of tens. Have a look at my phantom website for more curious and amusing stories of bizarre ATM failures.

Phantom Withdrawals in Ireland, and the Wallace Case - Dec 2003

In December of 2003, a phantom withdrawal caused some attention in County Wicklow, Ireland. The Sunday Business Post ran two articles about ATM fraud on 7th December, and I gave a radio interview on 9th December on the Declan Mehan show, East Coast FM.

Decimalisation Table Attacks, Citibank & the Singh Case - Feb 2003

Online Media:

Broadcast media:

Printed media:

Online Banking Security - May 2002

Friends might want to read some of my comments on online banking security in the CNET News Article published last year. I don't say anything particularly controversial.

Attacks on the IBM 4758 CCA - Nov 2001


USA National

USA Local

UK National

UK Local


Bug Reports