Telecom and Logistics Associates    Public Alert service: www.tla.ch/alert

Publication: Christian ALT, Security News Service: TLAnews

TLAalert Security Service: Save Time and Money

18.3.2000 Security: Update: there is still work to be done before a card can be forged

17.3.2000 Security: Hackers Reveal How to Forge a Bank Card

A controlled panic spread through the French banking system yesterday after computer hackers sent emails to banks detailing a formula for creating and using plastic cards which can fool electronic safeguards.

The Bank of France ordered the rapid introduction of new security measures after bank card operators admitted that their system, which uses microchip integrated plastic, was "vulnerable".

A month ago the Groupement des Cartes Bancaires, which administers Mastercard, Visa and other widely used charge cards, said it was not possible to crack the existing system of electronic protection. However, it has since emerged that that system has not been reviewed since 1985.

The reassurances were given before the trial of Serge Humpich, a programmer who received a 10-month suspended jail term when he was found guilty of using a homemade card which he claimed could deceive all electronic safeguards.

Humpich was charged with fraud after demanding £20m to disclose the secret formula and offering help in setting up a fail-safe system.

Humpich said his invention was smart enough to unravel a 96-number code and to persuade electronic bank guards to allow him access to the vaults. He proved his case by buying Métro tickets from a distributor, but was arrested while negotiating with bank officials.

Humpich's sentence appears to have angered hackers, including two who go by the names of Anie Nomat and Mail. They sent the formula for homemade bank cards from cyber cafes at the Odéon and the Boulevard Saint-Michel, in the student quarter in central Paris.

Bank detectives have drawn a blank in establishing their true identities.

After a complaint to the police, the formula vanished from the internet but not before banks and many private subscribers had been emailed information on how to make cards using equipment worth about £250 that can be bought on the internet.

The information included deciphered codes to validate forgeries when microchip-carrying cards were fed into cash dispensers or mobile phone-style terminals used by most shops and banks.

These are linked to central accounting, which carries out immediate debits as soon as the terminal reads the card number and the user enters his or her PIN number, without a signature being required.

Cryptographers who helped to dismantle the bank code said it had been a simple task because France was not yet protected by the same international security safeguards that protect Eurocard, Visa and Mastercard.

"It's possible to make cards carrying any PIN number you like," Humpich said. "They can be totally invented or real. Any hacker can pick up the first numbers from discarded cash dispenser receipts and then debit existing accounts."

During Humpich's trial, banks claimed his method posed no threat. But they have since admitted that his cards could be used to buy petrol or rail tickets, and to withdraw money from supermarket cash dispensers and rural banks. These terminals are not directly connected to central accounting.

Hervé de Lacotte, a spokesman for the Groupement des Cartes Bancaires, admitted that some of the banks' equipment was "vulnerable", but said there was no risk of loss to customers, only to the banks. But a security overhaul was not expected to be completed before 2004.

Jacques Stern, a cryptography professor, said specialists had warned banks of potential loopholes in security when France introduced microchip integrated plastic in 1985.

"But nothing was done about it," Prof Stern added. "Microchip cards are a remarkable invention but security updating has been forgotten for 15 years."


The threat of fraud using fake smart cards still remains very hypothetical. For now, the key published on the Internet concerns only the static cryptography system that authenticates the card and the cardholder to the reading terminal. This 740-bit RSA key comprises two 320-bit key pairs, one of which is built into the payment terminals. Nonetheless, a fake card would have to simulate the exchanges between the card and the terminal. Reconstructing that dialogue is a far more complex task, because it depends on the specifications of the B0' mask, which are reserved to approved sources. It is true, however, that this dynamic encryption relies on minimal functions. A second, symmetric key, coded on 56 bits, controls these exchanges. It is this second lock that the GIE Cartes Bancaires is going to reinforce as a matter of urgency.
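To make the distinction in the paragraph above concrete, here is an added illustration (not code from the page, the GIE Cartes Bancaires or any real card scheme) of the two layers it describes from the terminal's point of view: a static layer, where the issuer signs the card's fixed data once and any terminal can verify it with the public key, and a dynamic layer, where the terminal sends a fresh challenge that only a card holding a per-card symmetric secret can answer. The RSA parameters are toy-sized so the arithmetic stays readable, the dynamic exchange is modelled with HMAC-SHA256 rather than the 56-bit mechanism the paragraph mentions, and the terminal is assumed to hold the per-card secret directly, which in a deployed system would be the job of a secure module or the issuer host. The point it demonstrates is the one the paragraph makes: a copy of the static data and its signature passes the static check, but without the secret it fails the dynamic check, which is why the second lock is the one that matters.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Toy issuer RSA key pair. The primes are tiny so the arithmetic is readable;
# the real scheme used far larger keys (the page quotes 320-bit key pairs).
P, Q = 61, 53
N = P * Q                            # public modulus
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def _digest_mod_n(data: bytes) -> int:
    """Hash the static card data down to an integer the toy modulus can sign."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def issuer_sign_static(card_data: bytes) -> int:
    """Personalisation step: the issuer signs the card's static data once."""
    return pow(_digest_mod_n(card_data), D, N)


def terminal_verify_static(card_data: bytes, signature: int) -> bool:
    """Static authentication: the terminal only needs the public key (E, N).
    Anything that reproduces the same bytes and signature passes this check."""
    return pow(signature, E, N) == _digest_mod_n(card_data)


class Card:
    """Minimal card model: static data and its signature, plus an optional
    per-card symmetric secret used only in the dynamic exchange."""

    def __init__(self, card_data: bytes, static_sig: int, dynamic_secret: Optional[bytes]):
        self.card_data = card_data
        self.static_sig = static_sig
        self._dynamic_secret = dynamic_secret

    def respond(self, challenge: bytes) -> bytes:
        # A card that lacks the secret cannot compute a valid response.
        if self._dynamic_secret is None:
            return b""
        return hmac.new(self._dynamic_secret, challenge, hashlib.sha256).digest()


def terminal_verify_dynamic(card: Card, card_secret: bytes,
                            challenge: Optional[bytes] = None) -> bool:
    """Dynamic authentication: a fresh challenge, answered with the card secret.
    Simplification (assumption of this example): the terminal holds the per-card
    secret itself instead of delegating verification to a secure module or host."""
    challenge = challenge if challenge is not None else os.urandom(16)
    expected = hmac.new(card_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)


def authenticate(card: Card, card_secret: bytes) -> Tuple[bool, bool]:
    """Run both layers and report (static_ok, dynamic_ok)."""
    static_ok = terminal_verify_static(card.card_data, card.static_sig)
    dynamic_ok = terminal_verify_dynamic(card, card_secret)
    return static_ok, dynamic_ok


# Constructed sample data: one genuine card and one copy of its static layer only.
CARD_DATA = b"PAN=0000000000000000;EXP=0402;NAME=SAMPLE"   # constructed placeholder, not a real account
CARD_SECRET = b"per-card-secret-known-to-issuer"          # constructed
GENUINE = Card(CARD_DATA, issuer_sign_static(CARD_DATA), CARD_SECRET)
STATIC_COPY = Card(GENUINE.card_data, GENUINE.static_sig, None)


if __name__ == "__main__":
    print("genuine card :", authenticate(GENUINE, CARD_SECRET))      # (True, True)
    print("static copy  :", authenticate(STATIC_COPY, CARD_SECRET))  # (True, False)
```

Running it shows the genuine card passing both layers and the static copy passing only the first; a card carrying a different secret fares the same as the copy. The design lesson for a terminal operator is that a static signature proves the data was issued, not that the card presenting it is the original, so offline acceptance should depend on the dynamic layer, and the strength of that layer (the page's 56-bit symmetric key) bounds the whole system.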