Feeds

France braces for smart card fraud onslaught

It's out, how much will it cost, how fast can we upgrade?

  • alert
  • submit to reddit

Build a business case: developing custom apps

Fear of consumer having their bank accounts debited via fraudulent smart card transactions has gripped France, but the potential victims of the cracking of the security code would be the French banks, and not individuals. Nevertheless, Gallic pride in the "puce" - or flea, as the French call the chips in their smart card  - has been damaged by Serge Humpich's proof that the system was not  "inviolate and inviolable", as was being claimed. Last night Roland Moreno, the French smart card inventor, offered a million francs to anyone who could get the code from three cards and a smart card reader. Moreno formulated the conditions of his challenge carefully, in an attempt to keep public confidence in the system, but he has had to admit that it is possible to crack the 320-bit (96-digit) RSI key and to make a fraudulent card that could be accepted by smart-card readers. Humpich says he did not post the key he cracked three years ago, and which appeared anonymously earlier this month in fr.misc.cryptologie - and which is now of course in many other sites. Fraudsters will only need to buy a smart-card reader (less than $400) and acquire a little knowledge, and they are potentially in business producing cards acceptable to any smart-card vending machine not permanently online to a bank computer. Authentication for smaller transactions is carried out by the smart-card reader, with the user keying-in a four digit PIN. Fraudulent cards could only be used for smaller purchases where there is no online or telephone authorisation. It has been suggested that not all ATM machines are directly connected to bank computers, so they could also be vulnerable. Other targets are likely to be petrol and railway ticket purchases, where data is transmitted to a central computer from the vending machine only once a day. It seems only a matter of time before French phone cards (télécartes) are compromised as well: bank cards can be used in telephone boxes in France. Jean-Louis Desvignes, head of the computer security branch of the Défence Nationale confirmed that "the banks must launch a wide-ranging action to improve the security of smart cards, which could imply replacing millions of smart card readers". Desvignes claims that bank card fraud in France is at the 0.02 per cent level, compared with 3-4 per cent in the US for magnetic stripe cards. The next generation of smart cards will be able to use a 2048-bit code, according to a French manufacturer, but its claim that this would give protection for "hundreds of years" is disputed by Paul Zimmermann, a mathematician at the Institut de Recherche en Information et en Automatique, who suggests that by 2023 such keys could be cracked. Robert Harley of INRIA noted that it now only takes a few days of computer time to factor the 320-bit code. The Groupement des Cartes Bancaires is in denial that its security is compromised, but the security claim now leans on the difficulty of faking the hologram, which only has some value in face-to-face transactions. The cards are of course widely used in Europe, with some 200 banks relying on the security integrity. All security experts are scornful at the arrogance of GCB in maintaining that security methods appropriate in 1980 could still be appropriate today. There is a move under way to use longer codes, but it may be too late to prevent fraud on a massive scale. The security problem does not affect the British and US magnetic stripe cards. There can sometimes be difficulties using such cards in France, and wise travellers are geared up to tell the merchant to telephone the authorisation centre to get the card accepted if it could not be read by the smart-card reader. It isn't yet meltdown time for the banks, but it could be later this year. They will presumably wait to see whether the anticipated wave of fraudulent card use becomes serious enough to make it essential to replace the POS machines earlier than planned. It could cost up to $5 billion, it has been estimated, to introduce a new generation of 2048-bit smart cards, but it would take time to manufacture and install the readers and to distribute the 34 million cards in use in France.  As long ago as 1983, it was suggested that the 96-digit code used in smart cards was not long enough, and that larger composite integers should be used. Cracking the RSA code (named after MIT researchers Rivest, Shamir & Adleman) is not exactly easy. We reported in The Register last August how an international effort co-ordinated by Herman te Riele at the Centrum voor Wiskunde en Informatica (National Research Institute for Mathematics and Computer Science) in Amsterdam broke the 512-bit RSA using distributed computing power. Humpich apparently used algorithms derived from a polynomial quadratic sieve for his 320-bit crack, and made the mistake of telling GCB. In a flash, his phone was tapped and he was fired from his job. He now acts as a consultant to Sony, designing digital video security devices, pending an appeal against his suspended prison sentence. ® Related stories: French credit card hacker convicted RSA-155 code cracked

Boost IT visibility and business value

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Fast And Furious 6 cammer thrown in slammer for nearly three years
Man jailed for dodgy cinema recording of Hollywood movie
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Barnes & Noble: Swallow a Samsung Nook tablet, please ... pretty please
Novelslab finally on sale with ($199 - $20) price tag
Ballmer leaves Microsoft board to spend more time with his b-balls
From Clippy to Clippers: Hi, I see you're running an NBA team now ...
Video of US journalist 'beheading' pulled from social media
Yanked footage featured British-accented attacker and US journo James Foley
Assange™: Hey world, I'M STILL HERE, ignore that Snowden guy
Press conference: ME ME ME ME ME ME ME (cont'd pg 94)
Call of Duty daddy considers launching own movie studio
Activision Blizzard might like quality control of a CoD film
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?