French credit card hacker convicted

Crime doesn’t pay, and neither does integrity...

Serge Humpich, the 36-year-old engineer who discovered flaws in the chip-based security of French credit cards, was sentenced yesterday in Paris. Under the ruling issued by the 13th correctional chamber, he received a suspended prison sentence of 10 months, 12,000 francs (approx. £1,200) in fines, and one symbolic franc in damages to the Groupement des Cartes Bancaires. His computer equipment has been seized, as has the document he had filed with the INPI (France’s patents and trademarks office) detailing his findings.

Humpich began studying credit card security four years ago. When he discovered significant flaws in the authentication system, he contacted the Groupement des Cartes Bancaires, through lawyers, to negotiate a "technology transfer" of his discovery for an undisclosed amount (estimates of up to £20M were never confirmed by either party). During court hearings held on January 21 it was revealed that Humpich had committed only one fraud (when he bought metro tickets using cards he had made), performed at the instigation of the GCB and using blank cards that it had supplied. Little did he know that the GCB had already contacted the authorities and that his phone was tapped. Humpich was later arrested, his equipment seized, and his house (as well as his lawyer’s offices) raided by police.

Inventing the 57 franc note

"My intention was always to negotiate the results of my invention", Humpich told The Register. "My mistake was dealing with such a formidable opponent. Had I not been duped about their true intentions, no one would have ever heard a word about the whole thing." Convicted of "counterfeiting credit cards", Humpich doesn’t consider his work forgery. "It's just as if I'd designed a perfect 57 francs bill," Humpich smiles.

Although his conviction validates his findings in a way, he is quick to point out that the cards he manufactured were not copies of existing cards, but rather spoof cards that could fool point-of-sale terminals (i.e. terminals not hardwired into the banks' computers), which would deem the doctored cards valid. Understandably reluctant to go into too much detail, Humpich does acknowledge that the cards he made could carry arbitrary numbers and be used with any four-digit PIN code.

At the heart of the case lies the cryptographic authentication algorithm used by the cards, which relies on a 96-digit key computed from a 321-bit public key. Part of Humpich’s breakthrough was the factoring of that public key. Evidence has come up that the system in use in most cards today was deemed unsafe by experts as far back as 1988. Documents backing the claim have been posted on a website (www.humpich.com) hosted by supporters of Humpich. According to the documents, the 96-digit key standard dates back to the original 1983 design and was never upgraded to keep up with computing power. Apparently, French banks need a serious refresher course on Moore’s law.

Another fine mess

Chip cards have been implemented in French credit cards since 1992. In a classic case of security through obscurity, GCB won’t discuss the specifics of credit card security, staunchly defending the official line that "chip cards are the safest around, with tremendous benefits on fraud statistics." However, in a recent interview, the GCB stated that a long, hard, low-tech look at the hologram imprinted on the cards was the best way for a retailer to check a card’s validity. Retrofitting POS terminals to patch up security could cost banks as much as £3 billion, according to some estimates. ATM cash terminals, which only use the data stored on the cards’ magnetic stripe for reasons of backwards compatibility with foreign (i.e. chip-less) cards, are not prone to the flaws discovered by Humpich.

"Right now, a credit card is about as safe as a Post-It note," Humpich says. "I have proved that their protection can be circumvented, and they have yet to fix the flaws. But that would mean admitting that they were negligent in the first place." When asked if he thinks that others will pick up his work where he left it, Humpich answers that it will be "much easier for them now that all this is in the open. Some are really close to the solution now". Already, anonymous messages on Usenet are providing details of the keys used for credit card authentication.

The French credit card safety saga rumbles on, despite Humpich's conviction. In an open statement, eight French consumer associations demanded that banks provide full disclosure on credit card safety. The affair could undermine France’s attempts at exporting this chip technology, as well as the prospects of installing cheap card readers on PCs as a means of authenticating e-commerce transactions. "You know, I didn’t put them in the mess they're in today," Humpich says. His lawyers plan to appeal the conviction. ®
