France braces for smart card fraud onslaught

It's out, how much will it cost, how fast can we upgrade?


Fear of consumers having their bank accounts debited via fraudulent smart card transactions has gripped France, but the potential victims of the cracking of the security code would be the French banks, not individuals. Nevertheless, Gallic pride in the "puce" - or flea, as the French call the chips in their smart cards - has been damaged by Serge Humpich's proof that the system was not "inviolate and inviolable", as was being claimed. Last night Roland Moreno, the French smart card inventor, offered a million francs to anyone who could get the code from three cards and a smart card reader. Moreno formulated the conditions of his challenge carefully, in an attempt to keep public confidence in the system, but he has had to admit that it is possible to crack the 320-bit (96-digit) RSA key and to make a fraudulent card that would be accepted by smart-card readers. Humpich says he did not post the key he cracked three years ago, which appeared anonymously earlier this month in fr.misc.cryptologie - and which is now of course on many other sites. Fraudsters need only buy a smart-card reader (less than $400) and acquire a little knowledge, and they are potentially in business producing cards acceptable to any smart-card vending machine not permanently online to a bank computer. Authentication for smaller transactions is carried out by the smart-card reader itself, with the user keying in a four-digit PIN. Fraudulent cards could therefore only be used for smaller purchases where there is no online or telephone authorisation. It has been suggested that not all ATMs are directly connected to bank computers, so they could also be vulnerable. Other likely targets are petrol and railway ticket purchases, where data is transmitted from the vending machine to a central computer only once a day. It seems only a matter of time before French phone cards (télécartes) are compromised as well: bank cards can be used in telephone boxes in France.
Jean-Louis Desvignes, head of the computer security branch of the Défense Nationale, confirmed that "the banks must launch a wide-ranging action to improve the security of smart cards, which could imply replacing millions of smart card readers". Desvignes claims that bank card fraud in France is at the 0.02 per cent level, compared with 3-4 per cent in the US for magnetic stripe cards. The next generation of smart cards will be able to use a 2048-bit code, according to a French manufacturer, but its claim that this would give protection for "hundreds of years" is disputed by Paul Zimmermann, a mathematician at the Institut de Recherche en Informatique et en Automatique, who suggests that by 2023 such keys could be cracked. Robert Harley of INRIA noted that it now takes only a few days of computer time to factor the 320-bit code. The Groupement des Cartes Bancaires is in denial that its security is compromised, but its security claim now leans on the difficulty of faking the hologram, which only has some value in face-to-face transactions. The cards are of course widely used in Europe, with some 200 banks relying on their security integrity. All security experts are scornful of the arrogance of GCB in maintaining that security methods appropriate in 1980 could still be appropriate today. There is a move under way to use longer codes, but it may be too late to prevent fraud on a massive scale. The security problem does not affect British and US magnetic stripe cards. There can sometimes be difficulties using such cards in France, and wise travellers are geared up to tell the merchant to telephone the authorisation centre to get the card accepted if it cannot be read by the smart-card reader. It isn't yet meltdown time for the banks, but it could be later this year. They will presumably wait to see whether the anticipated wave of fraudulent card use becomes serious enough to make it essential to replace the POS machines earlier than planned.
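The article's central point, that an offline terminal can check nothing but the issuer's signature on the static card data, so the whole scheme stands or falls on whether the RSA modulus can be factored, can be made concrete. The Python model below is an added example, not code from the article or from any bank or card system it describes: it uses a deliberately tiny toy modulus (two primes just either side of one million, an assumption chosen so the factoring finishes instantly), a simplified hash-and-sign without padding, and a constructed sample card record, so every name and constant in it is illustrative rather than a reproduction of the real card protocol.

```python
import hashlib
from dataclasses import dataclass
from math import gcd

# Toy issuer key (assumption for the demo): a ~40-bit modulus stands in for the
# real 320-bit one so the key-length argument is visible in milliseconds.
P_DEMO, Q_DEMO = 999_983, 1_000_003
E_PUBLIC = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_issuer_keys(p: int, q: int, e: int = E_PUBLIC) -> tuple[PublicKey, PrivateKey]:
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))


def card_digest(card_data: bytes, n: int) -> int:
    # Hash of the static card data reduced into the modulus.  No padding:
    # a simplification for the demo, not how a real scheme formats messages.
    return int.from_bytes(hashlib.sha256(card_data).digest(), "big") % n


def sign_card(priv: PrivateKey, card_data: bytes) -> int:
    """Issuer signs the static card data once, at personalisation time."""
    return pow(card_digest(card_data, priv.n), priv.d, priv.n)


def verify_card(pub: PublicKey, card_data: bytes, signature: int) -> bool:
    """All an offline terminal can do: check the issuer signature with the public key."""
    return pow(signature, pub.e, pub.n) == card_digest(card_data, pub.n)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1  # degenerate cycle: retry with another polynomial


def recover_private_key(pub: PublicKey) -> PrivateKey:
    """Once n is factored, d follows directly: the issuer's signing key is no longer secret."""
    p = pollard_rho(pub.n)
    q = pub.n // p
    return PrivateKey(pub.n, pow(pub.e, -1, (p - 1) * (q - 1)))


def key_size_assessment(modulus_bits: int) -> str:
    """Defender-side policy check on an RSA modulus size (2048 bits is today's floor)."""
    if modulus_bits < 1024:
        return "broken"
    if modulus_bits < 2048:
        return "deprecated"
    return "acceptable"


ISSUER_PUB, ISSUER_PRIV = make_issuer_keys(P_DEMO, Q_DEMO)
# Constructed sample card record for the demo; not real card data.
SAMPLE_CARD = b"CARD=DEMO-0001;EXPIRES=2001-01;ISSUER=DEMO-BANK"
SAMPLE_SIGNATURE = sign_card(ISSUER_PRIV, SAMPLE_CARD)

if __name__ == "__main__":
    bits = ISSUER_PUB.n.bit_length()
    print("offline terminal accepts genuine card:", verify_card(ISSUER_PUB, SAMPLE_CARD, SAMPLE_SIGNATURE))
    print("toy modulus bits:", bits, "->", key_size_assessment(bits))
    print("issuer private key recoverable from the public key alone:",
          recover_private_key(ISSUER_PUB) == ISSUER_PRIV)
```

The point the model makes is the one the article makes: the terminal's check is sound, but it can only ever tell the card data was signed with the issuer's private exponent, and that exponent is fully determined by the factors of the public modulus. For the toy key the factoring takes a fraction of a second; for the real 320-bit modulus the article reports a few days of computer time, and key_size_assessment encodes why 2048 bits is now regarded as the minimum rather than an upgrade.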
It could cost up to $5 billion, it has been estimated, to introduce a new generation of 2048-bit smart cards, and it would take time to manufacture and install the readers and to distribute the 34 million cards in use in France. As long ago as 1983, it was suggested that the 96-digit code used in smart cards was not long enough, and that larger composite integers should be used. Cracking the RSA code (named after MIT researchers Rivest, Shamir & Adleman) is not exactly easy. We reported in The Register last August how an international effort co-ordinated by Herman te Riele at the Centrum voor Wiskunde en Informatica (National Research Institute for Mathematics and Computer Science) in Amsterdam broke the 512-bit RSA using distributed computing power. Humpich apparently used algorithms derived from a polynomial quadratic sieve for his 320-bit crack, and made the mistake of telling GCB. In a flash, his phone was tapped and he was fired from his job. He now acts as a consultant to Sony, designing digital video security devices, pending an appeal against his suspended prison sentence. ®

Related stories:
French credit card hacker convicted
RSA-155 code cracked

