IP: smart card cracked in France

[Dave Farber <farber () cis upenn edu>]

> From: golds () mail com
> X-Sender: golds () pop softhome net
> X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
> Date: Sun, 12 Mar 2000 10:57:45 -0600
> To: farber () cis upenn edu
> Subject: smart card cracked in France
>
> Card Alert for French Banks
>  March 10, 2000 4:05 pm EST
>
>  By Catherine Bremer
>
>  PARIS (Reuters) - France braced for a wave of petty fraud after officials
>  admitted on Friday that a formula posted on the Internet showed how to
>  forge smart payment cards.
>
>  But Cartes Bancaires, the French interbank group whose card system is
>  affected, said there was no danger that bank accounts would be emptied.
>
>  Cards made with the formula might be used to buy train tickets or pay
>  parking meters or toll booths although there was no evidence this had
>  actually happened, Cartes Bancaires spokesman Herve de Lacotte told
>  Reuters.
>
>  "For the first time in 10 years, a lock has been sprung," he said. "But
>  springing a lock will not necessarily open the door and let you in. 
> There is a
>  theoretical risk of fraud but the problem concerns banks, not consumers or
>  shops."
>
>  Despite claims to the contrary, Lacotte said, false cards made with the code
>  could not be used in cash dispensers, to make shop purchases or for
>  expensive goods.
>
>  Newspapers leaped on the story, quoting experts as saying the complex
>  96-digit code could be used to forge three in four of France's 34 
> million bank
>  cards.
>
>  Headlines like "Chip card secret out" left anyone with a bank card wondering
>  whether their money was safe.
>
>  "Consumers have been paying for bank cards that aren't even secure.
>  They've been cheated and lied to," said Eric April, Secretary-General of the
>  AFOC consumer group.
>
>  Lacotte said the scare stories were over the top and the Bank of France
>  accused the press of "exaggerating the risk."
>
>  "Even if certain clues relating to this algorithm have been made public...
>  other security measures exist enabling strong limits on the use that can be
>  made of this information," the French central bank said in a statement.
>
>  Cards issued since last autumn had added security which meant the pirate
>  formula would not work for them, he added.
>
>  SCSSI, the government body in charge of information security systems, urged
>  banks to replace older cards with updated ones.
>
>  The card formula was posted anonymously on Internet chat site last
>  weekend. It was actually discovered three years ago by computer whizz kid
>  Serge Humpich, who denies using it or circulating but has been given a
>  10-month suspended prison sentence for cracking the banks' secret.
>
>  Now that it is public, Humpich says, pirates could buy a chip card kit for
>  around $370 and be turning out false cards within weeks.
>
>  "A few weeks from now dozens of false cards are going to appear," he told
>  Liberation.