French credit card hacker convicted

Crime doesn’t pay, and neither does integrity...

Serge Humpich, the 36-year-old engineer who discovered flaws in the chip-based security of French credit cards, was sentenced yesterday in Paris. Under the ruling issued by the 13th correctional chamber, he received a suspended prison sentence of 10 months, a fine of 12,000 francs (approx. £1,200), and was ordered to pay one symbolic franc in damages to the Groupement des Cartes Bancaires (GCB). His computer equipment has been seized, as has the document detailing his findings that he had filed with the INPI (France's patents and trademarks office).

Humpich began studying credit card security four years ago. When he discovered significant flaws in the authentication system, he contacted the Groupement des Cartes Bancaires, through lawyers, to negotiate a "technology transfer" of his discovery for an undisclosed amount (estimates of up to £20M were never confirmed by either party). During court hearings held on January 21 it was revealed that Humpich had committed only one fraud (buying metro tickets with cards he made), performed at the instigation of the GCB and using blank cards that it had supplied. Little did he know that the GCB had already contacted the authorities and that his phone was tapped. Humpich was later arrested, his equipment seized, and his house (as well as his lawyer's offices) raided by police.

Inventing the 57 franc note

"My intention was always to negotiate the results of my invention," Humpich told The Register. "My mistake was dealing with such a formidable opponent. Had I not been duped about their true intentions, no one would have ever heard a word about the whole thing." Convicted for "counterfeiting credit cards", Humpich doesn't consider his work forgery. "It's just as if I'd designed a perfect 57 francs bill," Humpich smiles.
Although his conviction validates his findings in a way, he is quick to point out that the cards he manufactured were not copies of existing cards, but spoof cards that could fool point-of-sale terminals (which are not hardwired into the banks' computers) into deeming them valid. Understandably reluctant to go into too much detail, Humpich does acknowledge that the cards he made could carry arbitrary numbers and be used with any four-digit PIN code.

At the heart of the case lies the cryptographic authentication algorithm used by the cards, which relies on a 96-digit key computed from a 321-bit public key. Part of Humpich's breakthrough was the factoring of that public key. Evidence has come up that the system in use in most cards today was deemed unsafe by experts as far back as 1988. Documents backing the claim have been posted on a website (www.humpich.com) hosted by supporters of Humpich. According to the documents, the 96-digit key standard dates back to the original 1983 design and was never upgraded to keep up with computing power. Apparently, French banks need a serious refresher course on Moore's law.

Another fine mess

Chip cards have been used in French credit cards since 1992. In a classic case of security through obscurity, GCB won't discuss the specifics of credit card security, staunchly defending the official line that "chip cards are the safest around, with tremendous benefits on fraud statistics." However, in a recent interview, the GCB stated that a long, hard low-tech look at the hologram imprinted on the cards was the best way for a retailer to check a card's validity. Retrofitting POS terminals to patch up security could cost banks as much as £3 billion, according to some estimates. ATM cash terminals, which only use the data stored on the cards' magnetic stripe for reasons of backwards compatibility with foreign (i.e. chip-less) cards, are not prone to the flaws discovered by Humpich.
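A toy model of the offline point-of-sale check described above, added here as an illustration and not code from the article or from GCB: the issuer signs a card's static data with an RSA private key, the terminal verifies against the matching public key without contacting the bank, so once the modulus is factored the issuer's private exponent, and with it valid signatures for arbitrary card numbers, can be reproduced. The primes, card numbers and SHA-256 digest are constructed assumptions; the roughly 37-bit toy modulus stands in for the article's 321-bit key only so that trial division finishes instantly.

```python
import hashlib
from math import isqrt

# Constructed toy key material: the 10000th and 100000th primes. The resulting
# modulus is ~37 bits, so trial division factors it at once. Real card keys are
# far larger; this models only the verification logic, not the actual scheme.
TOY_P, TOY_Q = 104729, 1299709
PUBLIC_EXPONENT = 65537


def keygen(p, q, e=PUBLIC_EXPONENT):
    """Return (public, private) RSA keys as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def card_digest(pan, expiry, n):
    """Hash the card's static data and reduce it into the modulus range."""
    h = hashlib.sha256(f"{pan}|{expiry}".encode()).digest()
    return int.from_bytes(h, "big") % n


def issue_card(pan, expiry, private_key):
    """Issuer signs the static card data once, at personalisation time."""
    n, d = private_key
    return {"pan": pan, "expiry": expiry, "sig": pow(card_digest(pan, expiry, n), d, n)}


def terminal_accepts(card, public_key):
    """Offline POS check: nothing is asked of the bank, so a signature that
    verifies under the issuer's public key is all the terminal can rely on."""
    n, e = public_key
    return pow(card["sig"], e, n) == card_digest(card["pan"], card["expiry"], n)


def factor_toy_modulus(n):
    """Trial division, feasible only because the toy modulus is tiny."""
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("no factor found")


def private_key_from_factors(public_key):
    """With n factored, the issuer's private exponent follows directly."""
    n, e = public_key
    p, q = factor_toy_modulus(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = keygen(TOY_P, TOY_Q)
    genuine = issue_card("4000123456789010", "12/02", priv)
    print("genuine card accepted:", terminal_accepts(genuine, pub))
    tampered = dict(genuine, pan="4000999999999999")  # data changed, signature not
    print("tampered card accepted:", terminal_accepts(tampered, pub))
    print("recovered key matches issuer key:", private_key_from_factors(pub) == priv)
```

The defence the article points toward is keeping the modulus well beyond what factoring can reach, and, where that cannot be assured, moving the decision online so the terminal is not the sole judge.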
"Right now, a credit card is about as safe as a Post-It note," Humpich says. "I have proved that their protection can be circumvented, and they have yet to fix the flaws. But that would mean admitting that they were negligent in the first place." When asked if he thinks that others will pick up his work where he left it, Humpich answers that it will be "much easier for them now that all this is into the open. Some are really close to the solution now". Already, anonymous messages on Usenet are providing details on the keys used for credit card authentication.

The French credit card safety saga rumbles on, despite Humpich's conviction. In an open statement, eight French consumer associations demanded that banks provide full disclosure on credit card safety. The affair could undermine France's attempts at exporting this chip technology, as well as the prospects of installing cheap card readers on PCs as a means of authenticating e-commerce transactions. "You know, I didn't put them in the mess they're in today," Humpich says. His lawyers plan to appeal the conviction. ®
