Smart card 'inventor' lands in jail

Serge Humpich says he wasn't really stealing subway tokens -- just testing his new invention. It could cost him seven years.
Written by Mike Brunker, Contributor
In another case destined to fuel e-commerce anxieties, a Parisian computer programmer is facing counterfeiting and fraud charges after developing a homemade "smart card" that he says gave him the ability to fraudulently purchase goods and services throughout France.

Serge Humpich, 36, told MSNBC on Wednesday that he only purchased 10 tickets for Paris' Metro subway system with his homemade smart cards -- plastic cards the size of a credit card that contain an embedded computer chip.

And Humpich said he did so only after representatives of the Cartes Bancaires bank consortium, which issued the smart cards he had mimicked, asked his attorney for proof that he had in fact cracked the network's elaborate security scheme.

"When you discover something very important, you cannot keep it for you," Humpich said of his attempt to sell his discovery to the bank group for 10 million francs (about $1.5 million). "You have two ways to go: You can steal everything or you can do something commercial. I think I did the right thing."

Instead of a reward, however, Humpich was arrested and charged with counterfeiting and fraudulent entry into an automated system. He faces a maximum sentence of seven years in jail and a fine of 5 million francs ($750,000) if he is convicted, though prosecutors recommended a suspended sentence of two years' probation and a fine of approximately $10,000 in his initial court appearance on Friday.

Card issuer denies major breach
Carinne Abou, a spokeswoman for Cartes Bancaires, an amalgamation of 176 banks or financial institutions, similar to Visa, denied Wednesday that Humpich had compromised the entire smart-card network, saying he had only been able to defeat two types of relatively low-security terminals used to dispense subway tickets.

Humpich's lawyer, Francois de Saint-Cyr, said his client deserved compensation for the four years of toil it took him to defeat the 640-bit encryption key that verifies the "digital signature" on the smart cards -- unique identifying information used to authenticate electronic documents or transactions. The cards are primarily used in point-of-sale terminals in retail establishments and rarely can be used for cash withdrawals.

"It is an invention," Saint-Cyr said, noting that Humpich had patented his discovery before contacting the bank group.

Humpich, who has an engineering degree, said he accomplished his "hack" after determining that the retail terminals were the weak link in the security chain. He purchased several of the point-of-sale terminals -- similar to the credit-card and debit-card readers used by U.S. retailers -- and took them apart to see how they work. He eventually devised a way for his card to "fool" the terminal by responding affirmatively when queried as to whether the PIN (personal identification number) that had been entered was correct.

"I thought the smart card was correctly done and I had to say the wrong things to the terminal to make it lie to it," he said.

Tricked into transaction?
He said that he had no intention of stealing using the cards and instead dispatched his lawyer to negotiate with Cartes Bancaires. But he said company officials tricked him into making the fraudulent purchase of subway tickets, valued at a total of $63.40, when, after lengthy discussions and preparation of a proposed contract, they asked for proof that he could beat the system.

"We had a lot of discussions, and at one point they sent me a few cards, asking me if I could reproduce them," Humpich said. "(Then) they had a big panic."

Abou, the Cartes Bancaires spokeswoman, denied Humpich's contention that officials of the company negotiated with him and then double-crossed him by filing criminal charges.

"Once we knew who he was, we sued him as we would have done with any other hackers who break or pretend to break our security," she said.

Humpich said he lost his job as a computer programmer after his case was publicized, quoting his boss as telling him that he could not jeopardize future jobs in the banking sector by keeping him on staff.

"It's a question of power that you have when you are a big firm," he said. "I am just alone."

The coming wave
Smart cards are widely regarded to be more secure than credit cards because encryption and PINs can be built-in to protect them from misuse. While they are widely used in Europe and Asia, the United States has been slow to adopt them, in large part because credit cards and terminals had already been deployed when smart cards appeared on the scene in the early 1980s.

But that is expected to change within the next few years, as banks follow the lead of U.S. government agencies, including the military, and begin issuing smart cards to replace magnetic-stripe credit cards. American Express already has launched its first smart card in the U.S. market, known as "Blue," with a massive publicity campaign.

While acknowledging that Humpich's apparent compromise of the French smart cards was a "PR black eye," smart-card advocates say it won't dampen enthusiasm for the new technology.

"Anything that man can build, man can take apart, and we've always stressed that smart cards are tamper-resistant, not tamper-proof," said Charles Cagliostro, executive director of the Smart Card Industry Association.

And Arlen Richard Lessin, chairman of Smart Card International and a consultant to the French government on smart cards, said the experience in other countries shows the cards are far less susceptible to fraud than credit cards.

"There is no technology that has gone through more testing of its integrity," Lessin said. "Certainly in the 1980s it was in an embryonic phase and had to undergo refinements, but we're now well into a decade of very consistent and relatively fault-free usage."

Lessin compared Humpich's compromise of the French system with "being able to crack a network one time" and said it will be relatively easy for the system's administrators to close the security hole.

"The reality is I don't think the threat is worth the concern," he said. "This isn't even small potatoes; it's no more than sprouts."



