
France braces for smart card fraud onslaught

It's out, how much will it cost, how fast can we upgrade?


Fear of consumers having their bank accounts debited via fraudulent smart card transactions has gripped France, but the potential victims of the cracking of the security code would be the French banks, and not individuals. Nevertheless, Gallic pride in the "puce" - or flea, as the French call the chips in their smart cards - has been damaged by Serge Humpich's proof that the system was not "inviolate and inviolable", as was being claimed.

Last night Roland Moreno, the French smart card inventor, offered a million francs to anyone who could get the code from three cards and a smart card reader. Moreno formulated the conditions of his challenge carefully, in an attempt to keep public confidence in the system, but he has had to admit that it is possible to crack the 320-bit (96-digit) RSA key and to make a fraudulent card that could be accepted by smart-card readers. Humpich says he did not post the key he cracked three years ago, which appeared anonymously earlier this month in fr.misc.cryptologie and is now of course on many other sites.

Fraudsters will only need to buy a smart-card reader (less than $400) and acquire a little knowledge, and they are potentially in business producing cards acceptable to any smart-card vending machine not permanently online to a bank computer. Authentication for smaller transactions is carried out by the smart-card reader, with the user keying in a four-digit PIN. Fraudulent cards could only be used for smaller purchases where there is no online or telephone authorisation. It has been suggested that not all ATM machines are directly connected to bank computers, so they could also be vulnerable. Other targets are likely to be petrol and railway ticket purchases, where data is transmitted to a central computer from the vending machine only once a day. It seems only a matter of time before French phone cards (télécartes) are compromised as well: bank cards can be used in telephone boxes in France.

Jean-Louis Desvignes, head of the computer security branch of the Défence Nationale, confirmed that "the banks must launch a wide-ranging action to improve the security of smart cards, which could imply replacing millions of smart card readers". Desvignes claims that bank card fraud in France is at the 0.02 per cent level, compared with 3-4 per cent in the US for magnetic stripe cards.

The next generation of smart cards will be able to use a 2048-bit code, according to a French manufacturer, but its claim that this would give protection for "hundreds of years" is disputed by Paul Zimmermann, a mathematician at the Institut de Recherche en Information et en Automatique, who suggests that by 2023 such keys could be cracked. Robert Harley of INRIA noted that it now only takes a few days of computer time to factor the 320-bit code.

The Groupement des Cartes Bancaires is in denial that its security is compromised, but the security claim now leans on the difficulty of faking the hologram, which only has some value in face-to-face transactions. The cards are of course widely used in Europe, with some 200 banks relying on the security integrity. All security experts are scornful of the arrogance of GCB in maintaining that security methods appropriate in 1980 could still be appropriate today. There is a move under way to use longer codes, but it may be too late to prevent fraud on a massive scale.

The security problem does not affect the British and US magnetic stripe cards. There can sometimes be difficulties using such cards in France, and wise travellers are geared up to tell the merchant to telephone the authorisation centre to get the card accepted if it could not be read by the smart-card reader.

It isn't yet meltdown time for the banks, but it could be later this year. They will presumably wait to see whether the anticipated wave of fraudulent card use becomes serious enough to make it essential to replace the POS machines earlier than planned.

It could cost up to $5 billion, it has been estimated, to introduce a new generation of 2048-bit smart cards, but it would take time to manufacture and install the readers and to distribute the 34 million cards in use in France.

As long ago as 1983, it was suggested that the 96-digit code used in smart cards was not long enough, and that larger composite integers should be used. Cracking the RSA code (named after MIT researchers Rivest, Shamir & Adleman) is not exactly easy. We reported in The Register last August how an international effort co-ordinated by Herman te Riele at the Centrum voor Wiskunde en Informatica (National Research Institute for Mathematics and Computer Science) in Amsterdam broke the 512-bit RSA using distributed computing power.

Humpich apparently used algorithms derived from a polynomial quadratic sieve for his 320-bit crack, and made the mistake of telling GCB. In a flash, his phone was tapped and he was fired from his job. He now acts as a consultant to Sony, designing digital video security devices, pending an appeal against his suspended prison sentence. ®

Related stories:
French credit card hacker convicted
RSA-155 code cracked
