26th February 2000 Archive

The Register breaking news

French credit card hacker convicted

Serge Humpich, the 36-year-old engineer who discovered flaws in the chip-based security of French credit cards, was sentenced yesterday in Paris. Under the ruling issued by the 13th correctional chamber, he received a suspended prison sentence of 10 months, 12,000 francs (approx. £1,200) in fines, and one symbolic franc in damages to the Groupement des Cartes Bancaires. His computer equipment has been seized, as well as the document that he had filed with the INPI (France’s patents and trademarks office), detailing his findings.

Humpich began studying credit card security four years ago. When he discovered significant flaws in the authentication system, he contacted the Groupement des Cartes Bancaires, through lawyers, to negotiate a "technology transfer" of his discovery, for an undisclosed amount (estimates of up to £20M were never confirmed by either party).

During court hearings held on January 21 it was revealed that Humpich had committed only one fraud (when he bought metro tickets using cards he made), performed at the instigation of the GCB, and using the blank cards that it had supplied. Little did he know that the GCB had already contacted the authorities, and that his phone was tapped. Humpich was later arrested, his equipment seized, and his house (as well as his lawyer’s offices) raided by police.

Inventing the 57 franc note

"My intention was always to negotiate the results of my invention", Humpich told The Register. "My mistake was dealing with such a formidable opponent. Had I not been duped about their true intentions, no one would have ever heard a word about the whole thing."

Convicted for "counterfeiting credit cards", Humpich doesn’t consider his work forgery. "It's just as if I'd designed a perfect 57 francs bill," Humpich smiles.

Although his conviction validates his findings in a way, he is quick to point out that the cards he manufactured were not copies of existing cards, but rather spoof cards that could fool point-of-sale terminals (i.e. those not hardwired into the banks' computers), which would deem the doctored cards valid. Understandably reluctant to go into too much detail, Humpich does acknowledge that the cards he made could have arbitrary numbers, and be used with any four-digit PIN code.

At the heart of the case lies the crypto authentication algorithm used by the cards, which relies on a 96-digit key computed from a 321-bit public key. Part of Humpich’s breakthrough was the factoring of that public key.

Evidence has emerged that the system in use in most cards today was deemed unsafe by experts as far back as 1988. Documents backing the claim have been posted on a website (www.humpich.com) hosted by supporters of Humpich. According to the documents, the 96-digit key standard dates back to the original 1983 design, and was never upgraded to keep up with computing power. Apparently, French banks need a serious refresher course on Moore’s law.

Another fine mess

Chip cards have been implemented in French credit cards since 1992. In a classic case of security through obscurity, GCB won’t discuss the specifics of credit card security, staunchly defending the official line that "chip cards are the safest around, with tremendous benefits on fraud statistics." However, in a recent interview, the GCB stated that a long, hard, low-tech look at the hologram imprinted in the cards was the best way for a retailer to check a card’s validity.

Retrofitting POS terminals to patch up security could cost banks as much as £3 billion, according to some estimates. ATM cash terminals, which only use the data stored on the cards’ magnetic stripe for reasons of backwards compatibility with foreign (i.e. chip-less) cards, are not prone to the flaws discovered by Humpich.

"Right now, a credit card is about as safe as a Post-It note," Humpich says. "I have proved that their protection can be circumvented, and they have yet to fix the flaws. But that would mean admitting that they were negligent in the first place."

When asked if he thinks that others will pick up his work where he left it, Humpich answers that it will be "much easier for them now that all this is into the open. Some are really close to the solution now". Already, anonymous messages on Usenet are providing details on the keys used for credit card authentication.

The French credit card safety saga rumbles on, despite Humpich's conviction. In an open statement, eight French consumer associations demanded that banks provide a full disclosure on credit card safety. The affair could undermine France’s attempts at exporting this chip technology, as well as the prospects of installing cheap card readers on PCs as a means of authenticating e-commerce transactions.

"You know, I didn’t put them in the mess they're in today," Humpich says. His lawyers plan to appeal the conviction. ®
Cedric Ingrand, 26 Feb 2000

Microsoft drowns out Corel

It was a little childish to hear the volume from the Microsoft booth crank up when Michael Cowpland was giving his CeBIT 2000 press conference at the nearby Corel booth. Even after a complaint to the CeBIT management, the volume was turned back down again for a short time only. But perhaps we are being unkind: maybe there is a high incidence of deafness amongst Microsoft users. If so, or in any event, they deserve our sympathy. ®
Graham Lea, 26 Feb 2000

CeBIT – for Germany, or the World?

More than 700,000 visitors are expected at the 30th CeBIT this year, held a month earlier than usual, to see the 7,800 exhibits in 26 foot-weary halls, making it the biggest trade show of any kind in the world. It could have been even bigger -- mercifully, CeBIT Home separated out the consumer side a few years ago, and it is being held in Leipzig this year as Hannover is to host EXPO 2000, Germany's first world exhibition. This has prompted the Messe and the City of Hannover to carry out some long-overdue infrastructure improvements.

There has always been a debate in the 30 years of the show as to whether it's a German trade fair or an international one -- and the answer is that it is both, but the German side appears to be winning. In Germany, Internet commerce has been slower than in many European countries because of data protection and security issues, CeBIT press releases suggest. And that's not all -- mainframes are making a comeback as well, we are told. It's part of the German psyche to want to touch equipment and eyeball the senior management of a company before purchases are made, which accounts for the CeBIT phenomenon.

Although the number of German exhibitors is up substantially, there are declines in French, Italian, Spanish, Dutch, Belgian and Irish exhibitors. These numbers must be treated cautiously, however, as CeBIT counts exhibitor nationality according to which country sends the money, so that an American company paying through its German office is counted as being German. The UK exhibitor number is marginally up this year, with 317 exhibitors, behind Taiwan (508) and the USA (481).

The telecoms sector has actually declined this year (and BT isn't here), no doubt as a result of last year's blockbuster Geneva Show. Banking and office technology are also down. ®
Graham Lea, 26 Feb 2000

Schröder calls for Blue Collar Net junkies

By happy coincidence, Chancellor Schröder is a former prime minister of Lower Saxony as well as native of Hannover, where he lives in a pleasant house near the zoo, so it was no problem for this local boy to drop by CeBIT to open it. His special theme was jobs, and he hopes that the sector will produce 350,000 in the multimedia sector by 2002. This could prove to be over-ambitious since only 100,000 were created in the last three years.

Schröder pointed with some satisfaction to German IT sales of DM220 billion expected this year, an increase of only eight per cent, and said that Germany aims to break the DM300 billion barrier within five years -- a relatively modest ambition.

So far as German Internet access plans are concerned, he hopes that the present 13 per cent of the population that can access the Internet will increase to 40 per cent by 2005, but he wants the new users to be wearing the right colour shirt -- there must be blue collar workers, men and women, as well as university graduates. Whether this includes female blue collar workers at universities was difficult for your reporter to determine, such are the complexities of the German language. Anyway, he wasn't going to have a society in which there are two camps -- those with and those without Internet access. Of course this is not social engineering, but we can't at the moment think of what we should call it.

Schröder's speech writer also put in a bit about the allocation of UMTS (Universal Mobile Telecommunications System) frequencies later this year, but no clue was given about the intended German policy. He was on safer ground extolling the need for better security against "acts of sabotage", and said that the government took "a very serious view of these events". Schröder also said he was pleased that AOL was following Deutsche Telekom's example and offering free access in schools.

But of most interest to the Germans was his re-iteration of his previous announcement about the Tax Relief Law that was to reduce the tax on business earnings to 43 per cent, and corporation tax to 25 per cent on retained earnings which -- he gleefully pointed out -- is 20 per cent lower than when his government entered office. The top rate of German income tax will also fall to 45 per cent. Considerable doubt exists in Germany as to whether these measures will be sufficient to attract significant inward investment, and to stop German IT specialists moving abroad. ®
Graham Lea, 26 Feb 2000

Sommer attacks EU competition regime

Ron Sommer, chairman of Deutsche Telekom, attacked "parochial" European competition law at CeBIT 2000. Outlining his special agenda for TIMES (Telecommunications, Information Technology, Multimedia, Entertainment and Security Services), Sommer said he wants DT to become a player unconstrained by the present competition law in Europe, and that "parochial attitudes stifle progress."

"Even after two years of liberalisation throughout Europe, the degree of access to telecommunication markets for newcomers as well as the level of free-market competition still vary from country to country... We need a larger market in Europe," he said. "Enterprises with substantial financial clout are needed in order to invest billions in innovative technologies... A few years ago this principle was not accepted... there is still a tendency among Europeans to view this new and necessary order of magnitude as a threatening factor or an attempt to secure market domination."

Big is good

He continued: "The situation can arise, of course, as we have seen recently with Microsoft, and it is clear from this case that the Americans are also aware of the risks." He warmed to his new theme of big is good: the AOL Time-Warner merger "is likely to be a further leap forward in innovation. Yet such a merger... would almost certainly not be approved at the present time by any government in Europe... as it would put too much power in the hands of one market player." His conclusion was that "in Europe we tend to focus too much on the risks, and less on the opportunities. Consequently, we are in danger of missing out on important opportunities."

Sommer had his solution to his problem with European competition policy: "we're labouring under a handicap compared with the USA... we [need] market conditions in our continent that allow companies to develop their full potential for innovation. We therefore need rules governing competition which are global in their scope, which are observed by all the players, and whose observance can be globally verified." He confessed that Germany had "a reputation for being somewhat cautious, not to say downright hostile towards new technologies".

Evidently, Sommer thinks competition law needs to be changed at a European level, as well as in Germany, to favour his globalisation desires; he wants to work with the European Commission and the German government to achieve this. The irony is that European competition law was closely based on the German law. Even if that were achievable - and it seems doubtful - it could only apply within the EU. Sommer's solution should be to tackle the WTO, especially in view of the recent victory to stop favourable and discriminatory foreign sales corporations tax treatment for US business. But getting WTO agreement to any globalisation plan could be even more difficult. ®
Graham Lea, 26 Feb 2000

German IT lobby chief calls for relaxed immigration controls

Hannover has a modest track record in IT, since it was here that Leibniz developed the binary system in 1673, and built the first useable calculator -- well, that's what Hannover mayor Herbert Schmalstieg said at the opening ceremony. Of course, the Hannover area has also produced Mixter, the hackmeister, who became in a few days better known than Leibniz. He also noted that German access to the Internet is expected to increase four-fold by 2005, to 33 million users, creating 400,000 jobs. The snag is that there aren't enough people to do the work.

Volker Jung, president of BITKOM, the new German Association for Information Technology, Telecommunications and New Media, noted that in 1970, German ICT sales were DM 20 billion, one tenth of the world total, but this year the German proportion has declined to less than 7 per cent. Although eastern Germany has more Internet connections than it had telephones just ten years ago, there are only 11 million German Internet users in the 48 million total for Europe.

So far as Europe is concerned, Jung pointed to the latest tome from the so-called European Information Technology Observatory of the EU (which gets IDC to supply most of its data). This indicates that Internet usage in Europe will grow three times faster than in the USA, until 2002, when it surpasses the US in the number of users. In the mobile communication market, Europe and the US are neck-and-neck, with Europe expected to take the lead shortly, thanks to the US fragmentation and local standards.

The US-dominated "immobile" Internet of the 1990s will give way to a mobile Internet "with a European hallmark", Jung predicted. That's where BITKOM is supposed to come in -- as the promoter of this development within Germany -- since it now represents some 1,200 member companies with 700,000 employees and sales of DM 200 billion.

No new taxes

Jung took the opportunity of Schröder's presence to set out what the German IT industry wants. For a start, he pitched for "ground-breaking, forward-looking policies -- not policies that lag behind market developments". Oh yes, "the harmonisation of data protection, instead of hiding behind our national traditions" as well, and interestingly, "the reform of German competition legislation". It seemed that Jung was playing the role of Deutsche Telekom chairman Ron Sommer's hardman.

Also on Jung's wish list was a desire for German consumers to have "the same rights as their European neighbours to participate in the price-cutting benefits of the Internet". He added the mantra that BITKOM wanted no "additional taxes and levies".

It was refreshing to hear a German commentator pleading for an end to discussions about cryptology at an international level, which had been going on for "three long years", and for negotiations about international data protection, "about to enter their fourth year", to be concluded speedily. A German concern is apparently that a licence fee might be imposed, in the same way as it is on TVs, on business PCs and WAP phones in 2003, when the moratorium expires.

On the job scene, Jung noted that Germany had 75,000 unfilled vacancies (there are 350,000 in Europe), and that sending highly-qualified Germans on visits to the US was risky because "they don't come back" because they are fed up with having "to invest 60 per cent of their working hours for the benefit of the income tax authorities and the social security system". Jung wants there to be 30,000 permits for IT specialists to come to work in Germany. He argues that each foreigner would create up to five new jobs, as had been shown to be the case in the US.

In the long term, his solution was better education in Germany. But whether Germany will transform itself into an entrepreneurial information society is still a matter of some doubt. ®
Graham Lea, 26 Feb 2000

CeBIT letter sets out opposition to online media

CeBIT 2000 Hannover (24 February to 1 March)

Dear Sir/Madam,

We are in receipt of your request for press ID. Sadly we are unable to grant this request. Due to the ever-growing number of online media, it has become increasingly difficult to verify journalistic credentials.

To meet the journalistic criteria an applicant must be employed in a publishing or broadcasting capacity in which it can be verified that journalistic/ethical codes are adhered to. This is normally the case for print media which is on sale for a price, or for electronic media allocated fixed frequencies. This is the main criterium we use for pre-selection.

With the increasing number of online media we are regrettably no longer able to verify journalistic credentials since online media can be freely accessed by anyone. For this reason we can only issue you with press ID for the fair on presentation of a valid journalist’s ID. We ask for your understanding for this ruling which has had to be introduced to safeguard the confidentiality of our exhibitors.

Best regards,

Deutsche Messe AG
Press and Public Relations Department ®
Team Register, 26 Feb 2000