French banks panic at vulnerability of `smart cards' to electronic fraud


Ever since a Frenchman named Roland Moreno invented the carte a puces or "smart-card" in the late 1970s, France has been the global leader at inserting micro-chips into phone cards, credit cards and even a much vaunted but still unused "electronic coin purse". While most of the world continues to rely on magnetic strip credit cards and the user's signature for security, since the late 1980s, all of France's 34 million bank cards were converted to the micro-chip system.

Cardholders receive a four-digit code which they enter into a payment terminal instead of signing a receipt. If the micro-chip tells the terminal the code is correct, the purchase is authorised.

Nearly 200 French banks are members of the Groupement d'interet economique - Cartes Bancaires (GIB CB), which holds the monopoly on the supply of bank cards in France - an industry with £400 million (#508 million) in annual turnover. Until now, the French could boast that fraud on their "smart-cards" was only 0.02 per cent - compared to 0.1 to 0.4 per cent for the magnetic variety used in the US. And more than half of that 0.02 per cent involved fraudulent use of stolen card numbers on the Internet.

Suddenly French banks, businesses and consumers have learned that their bank cards - long claimed to be the best in the world - are no longer secure. Last month a 36-year-old unemployed computer programmer named Serge Humpich received a 10-month suspended prison sentence for counterfeiting. His crime: inventing a "yes-card" that French payment terminals accept no matter what four-digit code the user enters.

After Mr Humpich cracked GIB CB's 96-digit encryption, he contacted the company, offering to help it improve its security. But rather than hire the young man, the company called "a perverse do-it-yourselfer", GIB CB asked him to buy metro tickets to prove his invention, then pressed charges against him. In September 1998, 30 French policemen raided Mr Humpich's farmhouse. When he was convicted on February 25th, Mr Humpich told reporters that it was only a matter of time until someone repeated his discovery.

It didn't take long. On March 4th, an anonymous "cracker" posted the 96-digit code on the Internet, from a cyber cafe in the boulevard Saint-Michel. For about £300, French newspapers reported, computer whizzes could now order over the Internet everything they needed to make their own "yes-cards". So far, the GIB CB claims it has no evidence this has happened.

Even if it does, the company's spokesman Mr Herve de Lacotte keeps insisting, it will be the banks - not account holders - who will lose money. But experts point out that a "cracker" could use bank card numbers found on cast-off receipts to make real-fake credit cards whose purchases would be debited from real bank accounts.

The encryption of bank card codes is so crucial to the French economy that it falls under the purview of the defence ministry.

For the past 15 years, cryptologists had warned the GIE CB that its 320 bit, 96-digit code would be broken, that it needed to be longer. Last July the Banque de France expressed its concern that the group was using "obsolescent technology whose weakness is growing at the speed of progress in information technology". But the group did not want to alarm French businesses, which were already grumbling about having to take precautions against the "millennium bug" and convert to the euro.

Finally, in November, the GIE CB began replacing its 320 bit cards with more secure 792 bit cards - a process that will not be completed until 2004.

In the meantime, French consumer groups are demanding that GIE CB replace all old cards and payment terminals immediately - at a cost of more than £1.2 billion - and that the group be placed under government supervision. Comparing bank card security to France's AIDS-tainted blood scandal, an editorial in Liberation noted that "banking authorities were duly warned that the security of micro-chip cards was no longer what it had been, but silence ruled - so as not to frighten the user, upset businesses or discredit a national invention".