Two Cambridge University researchers have discovered serious flaws in the security that many banks use in Auomatic Teller Machines around the world. The researchers, Mike Bond and Piotr Zielinski, released their findings in a paper, but various powers-that-be in the banking industry are not happy.Not only are the banks upset that their encryption is flawed (as they should be) but they seem to be pretty peeved that additional information about the flaws could be widely circulated, particularly that testimony by the researchers and other security experts may be made public through their testimony in an upcoming court case.
It’s not particularly surprising that the banking and credit card industry is trying to prohibit these researchers from releasing their findings. This is an ongoing debate in the computer security sphere. Should researchers loudly proclaim the flaws in commonly-used security in order to prod vendors and users to plug the holes quickly, thus risking allowing more would-be criminals the opportunity to crack not-yet-patched systems, or should they try to keep their discoveries under wraps in order to give the vendors more time to issue fixes?
The fact is that users are generally delinquent in patching their systems in a timely manner (as is evidenced in Microsoft’s own SQL Server machines recently being affected by the Slammer Virus even though there had been a patch for that flaw for months). I believe that it takes a genuine security panic to ensure that the majority of insecure systems will be patched in a timely manner, and it’s likely that by the time “white hat” security experts uncover a particular security hole it’s likely that criminals have been exploiting the hole for some time already. In this case, it appears that criminals may have known about the flaws before the Cambridge researchers discovered it.
I think that giving the vendors of a particular product or device a reasonable time period to produce a patch is fair, but after that, security researchers should shout their findings from the rooftops. What do you think?