The work I did with Steven Murdoch and Jolyon Clulow on PIN mailer security seems after three weeks or so to have been spotted and got some publicity. Today, 24th August, InfoSecurity web magazine put up an article: UK banks sent out vulnerable PIN mailers. It's a fairly short affair, but I was quite pleased that the observation about shared risk and weak samples betraying generally more secure stock got in.
More coverage appeared the next day on BBC news online -- Poor print exposing pin numbers, and also in The Register -- The GIMP threatens PIN number security.
And the next day... BBC Radio 5 Live asked for a brief interview too on the Simon Mayo show. Since then, my colleague Steven started collecting links for his scrap book, so I'm off the hook... see his list here Steven's LiveJournal Entry.
On 20th July LBC Radio's Breakfast Show with Nick Ferrari briefly interviewed me on Chip and PIN. Recent news stories that have been negative about the progress of Chip and PIN in fighting fraud, for instance the Observer's Shadow hanging over card users, seem to have attracted further attention. During the comments I briefly made, I focussed not on the success or failure of Chip and PIN fighting fraud wholesale, but on the effect it is having on dispute resolution.
A few weeks later I spoke on the lunchtime programme on Newstalk 106 in Dublin, Ireland. I spoke about some of the liability shift concerns, fallback issues, and very briefly about the new PIN mailer vulnerability research released at the beginning of August. I forget the name of the spokesperson who represented the Irish banks, but her responses to the criticisms raised seemed intelligent and honest -- not always the case in media spin wars.
Friday 8th April saw a second programme on the telly about Chip and PIN, this time ITV's "Tonight with Trevor McDonald". I've yet to see the programme myself, so I can't comment on its angle.
On 17th March 05 the BBC got very excited about what was potentially the UK's largest ever sum stolen in a bank raid, GBP 220 million from Sumitomo Mitsui Banking Corporation's UK office. However, the plot was foiled by the National Hi-tech Crime Unit, and the bank in question. I was asked to comment by BBC Radio 5 Live, BBC Radio Scotland, and BBC World Service. I was able to explain roughly what keyloggers were, and how they fitted into the attack, and also explain that internal bank systems security should not be confused with online retail banking security, where keylogging software is of course a danger too.
The ITV London Programme broadcast on the 15th March "The Truth About Chip and PIN". I was interviewed for this programme, and discussed at length issues to do with dispute resolution, and shortcomings in the Static Data Authentication Mode (SDA) of the Chip and PIN cards. In the end the programme focussed on "exposing" that fallback to magnetic stripe technology continues to be a viable attack method, and on explaining why it may be some time indeed before magnetic stripe can be discontinued. To clarify our original concerns, Ross Anderson and I wrote Chip and Spin and put up a summary site http://www.chipandspin.co.uk.
On 30th Nov, Morning Ireland on RTE Radio 1, an Irish news and current affairs show, engaged me to provide brief comment on the down side to Chip and PIN (from the point of view of the customer). It seems the Guardian article "Safety In Numbers : Not Likely" has become a little controversial. Several other stations and printed-news journalists have approached me, but the stories have since been pulled. I'm not entirely sure why: probably the banks didn't field any specific responses to the suggestions put forward in the Guardian article, and where there's no battle of words, there's no story.
On 2nd December, BBC Radio 4's "You and Yours" consumer affairs program did an item on "Chip and PIN". Sandra Quinn from APACS and myself presented some of the issues to do with the new payment scheme. Unfortunately from my point of view, the discussion focussed more on issues around the design and security of the Chip and PIN terminals themselves, rather than what I felt to be the key issues for consumers: PIN vs. Signature and Liability. However, raising customer awareness is no bad thing, regardless of the focus. You can relisten to the piece here with Real Audio. Not sure for how long this link will remain active.
Night-owls in the UK may have heard me give a brief interview on the Matthew Bannister Show on BBC Radio 5 Live, in the early hours of 29th April (my fifteen minute reserve of fame is now running rather low). The interview was a follow up to a BBC news article describing an ATM mistakenly dispensing twenty pound notes instead of tens. Have a look at my phantom website for more curious and amusing stories of bizarre ATM failures.
In December of 2003, a phantom withdrawal caused some attention in County Wicklow, Ireland. The Sunday Business Post ran two articles about ATM fraud on 7th December, and I gave a radio interview on 9th December on the Declan Mehan show, East Coast FM.
Friends might want to read some of my comments on online banking security in the CNET News Article published last year. I don't say anything particularly controversial.