Feeds

French credit card hacker convicted

Crime doesn’t pay, and neither does integrity...

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Serge Humpich, the 36 year-old engineer who discovered flaws in the chip-based security of French credit cards, was sentenced yesterday in Paris. Under the ruling issued by the 13th correctional chamber, he was sentenced to a suspended prison sentence of 10 months, 12,000 francs (approx. £1,200) in fines, and one symbolic franc in damages to the Groupement des Cartes Bancaires. His computer equipment has been seized, as well as the document that he had filed with the INPI (France’s patents and trademarks office), detailing his findings. Humpich began studying credit card security four years ago. When he discovered significant flaws in the authentication system, he contacted the Groupement des Cartes Bancaires, through lawyers, to negotiate a "technology transfer" of his discovery, for an undisclosed amount (estimates of up to £20M were never confirmed by either party). During Court hearings held on January 21 it was revealed that Humpich had committed only one fraud (when he bought metro tickets using cards he made), performed at the instigation of the GCB, and using the blank cards that it had supplied. Little did he know that the GCB had already contacted the authorities, and that his phone was tapped. Humpich was later arrested, his equipment seized, and his house (as well as his lawyer’s offices) raided by police. Inventing the 57 franc note "My intention was always to negotiate the results of my invention", Humpich told The Register. "My mistake was dealing with such a formidable opponent. Had I not been duped about their true intentions, no one would have ever heard a word about the whole thing." Convicted for "counterfeiting credit cards", Humpich doesn’t consider his work forgery. "It's just as if I'd designed a perfect 57 francs bill," Humpich smiles. Although his conviction validates his findings in a way, he is quick to correct that the cards he manufactured were not copies of existing cards, but rather spoof cards that could fool point-of-sale terminals (i.e. not hardwired into the banks computers), which would deem the doctored cards valid. Understandably reluctant to go into too much detail, Humpich does acknowledge that the cards he made could have arbitrary numbers, and be used with any four-digit PIN code. At the heart of the case lies the crypto authentication algorithm used by the cards, that relies on a 96 digit key computed from a 321 bit public key. Part of Humpich’s breakthrough was the factoring of that public key. Evidence has come up that the system in use in most cards today was deemed unsafe by experts as far back as 1988. Documents backing the claim have been posted on a website (www.humpich.com) hosted by supporters of Humpich. According to the documents, the 96 digit key standard dates back to the original 1983 design, and was never upgraded to keep up with computing power. Apparently, French banks need a serious refresher course on Moore’s law. Another fine mess Chip cards have been implemented in French credit cards since 1992. In a classic case of security through obscurity, GCB won’t discuss the specifics of credit card security, staunchly defending the official line that "chip cards are the safest around, with tremendous benefits on fraud statistics." However, in a recent interview, the GCB stated that a long, hard low-tech look at the hologram imprinted in the cards, was the best way for a retailer to check a card’s validity. Retrofitting POS terminals to patch up security could cost banks as much as £3 billion, according to some estimates. ATM cash terminals, which only use the data stored on the cards’ magnetic stripe for reasons of backwards compatibility with foreign (i.e. chip-less) cards, are not prone to the flaws discovered by Humpich. "Right now, a credit card is about as safe as a Post-It note," Humpich says. "I have proved that their protection can be circumvented, and they have yet to fix the flaws. But that would mean admitting that they were negligent in the first place." When asked if he thinks that others will pick up his work where he left it, Humpich answers that it will be "much easier for them now that all this is into the open. Some are really close to the solution now". Already, anonymous messages on Usenet are providing details on the keys used for credit card authentication. The French credit card safety saga rumbles on, despite the Humpich's conviction. In an open statement, eight French consumer associations demanded that banks provide a full disclosure on credit card safety. The affair could undermine France’s attempts at exporting this chip technology, as well as the prospects of installing cheap card readers on PCs as a mean of authenticating e-commerce transactions. "You know, I didn’t put them in the mess they're in today," Humpich says. His lawyers plan to appeal the conviction. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Yes, yes, Steve Jobs. Look what I'VE done for you lately – Tim Cook
New iPhone biz baron points to Apple's (his) greatest successes
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.