French Italiano Español Russian Polish Português Norsk Japanese Dansk
Humpich full case site (in French)
HomePage of Laurent Pelé (in French)

logo author: laurent@pele.org, do not reproduceFrench banking smartcard cracked : the story!

19/07/2001 Intelligence online #410 : French authorities worried by threatening actual attacks on French bank smart cards following public launch on the Internet of a software that automatizes creation of fake cards

14/04/2000 Lafferty.com : Assessing security in the French cards market

23/03/2000 Lafferty.com : French hit by chip scheme scare

17/03/2000 TLA.ch : Hackers Reveal How to Forge a Bank Card

15/03/2000 ABCNews : Exposed vulnerability in Country's smart card Prompts Action

15/03/2000 Card technology : 4 pages article about Serge Humpich and French smartcards in that american smartcard specialized magazine

15/03/2000 Wall Street Journal : The "Code-Cracker Gets Another Shot. Programmer Broke Smart-Card Algorithm, But Got No Reward."

14/03/2000 : The Register France braces for smart card fraud onslaught

13/03/2000 : Reuters World News French Bank card inventor dares Would-Be Pirates

11/03/2000 Newsbytes : French Banks Hacked

10/03/2000 Wired : Forecast for French Fraud

10/03/2000 3 major newspapers talk about the scandal in lack of security of credit cards in France :
Reuters 10/03/2000 : Card Alert for French Banks

25/02/2000 :
Serge Humpich has been said guilty of bank smartcard counterfeiting and hacking systems.
He has been condamned of a 10 months suspended jail sentence.
His hardware has been confiscated.
He will have to pay one symbolic franc (0.2 US $) indemnity to "GIE cartes bancaires" and 12000 French francs (1 810.73 $US) for GIE lawyer expenses.
His lawyers appealed the conviction.
But the French bank system is still unsecured, and it is a problem for democracy to say that it is forbidden to test the system : in the following months, merchants will have to replace their systems, who will pay for that ?
How can people be sure the French system of payments by smartcards is secured if experts can not check it (they could be put in jail for that according to that justice decision) and if the authentification scheme is not published and controlled by everyone ?
The Register has good article on that decision :
26/02/2000 The Register : Crime doesn't pay and neither does integrity
25/02/2000 Reuters : Frenchman Sentenced in Card Fraud Case
25/02/2000 BBC News : Credit card whistleblower sentenced, See also here

22/02/2000 :
It is so easy to make fake French bank smartcards that many of them should appear on the market in the next months

12/02/2000 :
Someone else than Serge Humpich has dicovered the secret of French banking smartcard and published it on the Internet, all the millions of smartcards and point of sale terminals should be replaced right now!

31/01/2000 :
Experts said in 1988 (in French) and 1990 (in English see the frame) that the French banking smartcard designed in 1983 was not secure any more, French banks launched it without any modifications in... 1993 ! It is still in operation now in year 2000 ! 25/01/2000 :
Serge Humpich lawsuit occured in Paris on January 21, 2000. We will know the results on February 25 2000.
The prosecutor recommended a two-year jail suspended sentence and $8000 US fine, it is quite big for somebody that haven't done any fraud.
Many French newspapers, radio and TV reports the case. In English, I recommend the following link :
Irish Times report of Serge Humpich lawsuit (dated January 22 2000)

25/01/2000 MS NBC report on Serge Humpich lawsuit

22/01/2000 The Gardian

27/01/2000 ZDNet Smart card 'inventor' lands in jail

23/01/2000 The Register

Note also that I (Laurent Pelé) am currently sued by La Poste for the logo shown on this page ("Trade mark violation").

Paris, September, 18 1999
Abstract :

According to the French newspaper "PiratesMag" Number 5, published on september, 15 1999, in an interview of Mr Serge Humpich by Mr Olivier Aichelbaum and Mr Damien Bancal, a French engineer that cracked the French banking credit card system based on smart card last year, he made fake smartcard by observing electronic point of sale system.

Develop (according to the source below) :
In June 1999, the French press announced that Serge Humpich, a 35 year-old french engineer specialized in computer science has cracked the French credit card banking system based on smart card with chip, that is said to be very secured.
Serge Humpich was interviewed at the French TV because he was sued by "GIE cartes bancaires", the french organization composed of all the french banks that issued the cards (all the credit cards are smart cards in France for many years).

The problem is that Serge Humpich made false smart cards that are recognised by electronic point of sale terminals in every shops in France and can successfully make real transactions.
He has tried the system succesfully by building 10 different false smart cards, and tried each by buying subway tickets in two tickets dispensers in Paris in 1998. (each of the 10 transactions was about 40 French francs). The total transaction is equivalent to US $ 63.40. The ticket dispenser gave him the subway tickets and 10 invoices.

Nobody at "GIE cartes bancaires" has detected that there was a false transaction.

Next, Serge Humpich, wrote to "GIE cartes bancaires", to tell them that he has done successfully false transactions and gave them copy of the 10 invoices given by the subway ticket dispenser.
His aim was to tell them what he has discovered and to be paid for that because it took him quite a long time to do it (it took him 4 years to crack that), he could explain what was the lack of the system and how to replace it (it will cost 5 billions of US dollars to replace all electronic point of sale terminals), not to become rich by buying goods with false money.

This negociation started one year ago and takes a long time because at the beginning, they didn't believe him, so he has to do this example in the French Metro.
But "GIE cartes bancaires" finally decided to sue without telling him : they wanted to have this information for free, to confiscate his hardware and hard drive at his home, avoid him to say anything about this story. So 40 policemen came to his home and took everything, they went to the office of his lawyer too and spied his telephone.
They intended to sue him privately, to avoid anybody else to know about it, but law suits are usually public in France.

He has always been free but his hardware has not been given back to him.
Then in June 1999 Mr Serge Humpich spoke about it on French TV with his lawyer.
But a french TV company Canal+ that wanted to say more about it has been censored by the french banking systeme represented by "GIE cartes bancaires" , that is the first time, because it was supposed to be an independant and parody program.

He has been fired from his company (may be because banks made pressure on the company that hired him).

Now we know a little more about what he has discovered, he doesn't want to say to much because he was first supposed to sell this information and because he his sued.

He his sued only for hacking (introduction in an electronic network), but it happened only when he bought the subway tickets for the demonstration ! So I think, it is not a crime according to French law. It is absolutely not forbidden to spread the secret of the discover publicly (for example on the Internet).

How he discovered that :
It took him 4 years to crack the system.
Some information about the smart card system is public because it is a standard.
He thought that tere could be a lack in the system but not in the smart card, so he attacked the electronic point of sale terminal and bought two of them. He also bought various hardware (smart card reader, signal analyzer, logic analyzer...)
By spying the electronic point of sale terminals he bought, he got more information about the system. He does not want to tell everything about it.
Finally he has to decypher a RSA key of 321 bits.

About RSA 321 public key :
This is the bank public key that proof that the smart card is issued by the bank.
It is used to check the digital signature of the smart card.
He used in 1997 the latest methods and research in factoring huge numbers in prime factors (more precesely, the RSA key length was 321 bits and cracked with a japanese software using algorithms derived from "polynomial quadratic sieve").
He discovered that the public key (the product N =PxQ, where P and Q are 2 large prime numbers) has some special properties that he intended to use.
And he did it successfully by setting up specifically special softwares and introduced probabilities.
It didn't take him much time to found that numbers, it took him more time to get the hardware (even sold publicly) and spying the electronic point of sale terminal.

The size of the RSA key is only 321 bits, the size hasn't changed changed since 1983. That is a fault of the banking system because smart cards were launched since 1993 and in 1988 and 1990 experts published in specialized newspapers the system was no more secured. About the lack of the system :
Not only the size of the key (321 bits) is low It is strange that a pirate can decypher that system by analyzing it.
The French banking system should be based on a zero-knowledge protocol, designed so that analyzing exchanges between the smart card and the electronic point of sale terminal won't give any information about the system used to check the card.

About the attitude of the French system :
it is not acceptable that such an Engineer is sued just because Mr Serge Humpich found that secret with legal means and want the information for free.
Moreover, the French banking system continue to lie to clients, banks and partner, saying that the system is secured but it is not secured any more.
Apologize for my English in such a technical subject. I tried to summarize what I know about the subject.
This article is available on http://www.parodie.com/english/smartcard.htm and may not be reproduced without my authorization and the one of ACBM, Pirates Mag Editor

--- Some links (not much for instance, sorry, some people doesn't want to talk about this story and some parts are secret) ---
Bruce Schneier from Counterpane System, CryptoGram news release 15 December 1999
Web server of Pirates Mag http://www.acbm.com (in French and the index of Pirates Mag Number 5 is not yet published)
Web server of friends of Serge Humpich http://parodie.com/monetique/ (in French), also on http://technopole.fr.fortunecity.com/binaire/101/
Web server of "GIE cartes bancaires" in English (nothing about this case, they don't want anybody to talk about it)
http://www.cartes-bancaires.com/gb/html/acc/index.html
Article in French Newspaper about Serge Humpich (Les dernières nouvelles d'Alsace)

Complete Original Text on PirateMag web server

--
Laurent PELE 13 rue Lantiez 75017 PARIS
Tél/Fax +33 1 40 25 08 50 mob + 33 6 08 21 96 69
laurent@pele.org http://www.pele.org
Online multi-currency converter on fxtop.com

Copyright © 1999 Laurent Pelé (except part from Pirate Mag Number 5)IDDN_Certification