As reported previously by Infosecurity, in-depth research led by Professor Ross Anderson of Cambridge University's security engineering department had revealed potentially serious flaws in the way the Chip and PIN system operates.
Now Professor Anderson has accused the UK bank card industry of making a "very nasty attempt at censorship" over a flaw in chip and PIN technology.
The UK Cards Association (UKCA) apparently wrote to the university to try to remove the online publication of research that shows how a simple hand-held device can be used to buy goods without entering the correct PIN.
In a security blog, Professor Anderson said that this step was "absolutely unacceptable. It was a very, very nasty attempt at censorship."
The Press Association quotes Melanie Johnson – a former Labour Treasury Minister who is now chair of the UKCA – as saying the publication of the paper on Chip & PIN insecurity "oversteps the boundaries of what constitutes responsible disclosure".
Infosecurity notes that Omar Choudary's research paper details the designs of a low-cost device that can exploit a loophole in the security of the Chip and PIN system.
This is despite proponents of the card security system having previously described the Chip and PIN system as infallible.
In his blog – titled 'A Merry Christmas to all Bankers' – Anderson says that the banker's trade association has complained that Choudary's paper "contains too much detail of our No-PIN attack on Chip-and-PIN and thus 'breaches the boundary of responsible disclosure' ".
"There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays' cards at a Barclays merchant. So at least they've started to fix the bug – even if it's taken them a year. We'll check and report on other banks later", he said.
According to Anderson, the bankers are also fretting that 'future research, which may potentially be more damaging, may also be published in this level of detail'.
And, the professor adds, this is indeed the case, as Choudary "is one of my co-authors on a new Chip-and-PIN paper that's been accepted for the Financial Cryptography 2011 security conference.
"So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say", he said.
The Press Association, meanwhile, quotes the UKCA as confirming it has written the university "not to challenge the work of the university's security academics but only to challenge whether publishing explicit details of how to attempt a fraud – specifically one which there is no evidence of a fraudster yet undertaking – is necessary and serving the public's best interest."
"We remain hopeful that the academics concerned will work with us rather than against us to help defeat the fraudsters – as unfortunately it is only the fraudsters who stand to gain from any lack of co-operation between us", the UKCA added.