Say "hacking the national banking system" out loud. What comes to mind is an international hacker group that carefully plans and carries out attacks of the highest technical complexity. It hardly occurs to anyone that a single person can be behind such a hack, and one who had never considered a hacking career before. Yet this is exactly what happened in 1997, when Serge Humpich, a software engineer in his mid-thirties, threw the largest credit institutions in France into panic by coming up with an original way to pay for purchases with cards that were not linked to any bank account.
Serge was born in 1963 in the French commune of Mulhouse in Alsace: his mother taught sewing at a local college, and his father worked in potash mining. After finishing school, Humpich entered the INSA engineering school in Lyon, where he earned his degree, and then devoted 12 years of his life to software development, writing order-management programs for stock traders. That is when he immersed himself in the architecture of financial software, which required studying large amounts of technical documentation. Another of Humpich's hobbies was examining the security of electronic devices.
Blue Card
In the mid-1990s, credit and debit cards were becoming increasingly important in France. The Carte Bleue system, in use since the late 1960s, was considered extremely reliable and efficient. It was launched in 1967 by a consortium of French banks that included Banque Nationale de Paris (BNP), Société Générale, Crédit Lyonnais, and several others. The idea behind Carte Bleue was to create a single payment method for stores, public places, and transportation that would simplify cashless transactions and reduce citizens' reliance on cash and checks.
In the 1960s, France, like many other European countries, experienced a consumption boom, and with it came the need for more efficient payment systems. Cash and checks were the primary means of payment, but they carried significant security risks for both consumers and merchants. Banks, wanting to track customer transactions and cut overhead costs, wanted a safer and more convenient payment method. This is how the Carte Bleue interbank plastic card with a magnetic stripe was born.
Carte Bleue, which means "Blue Card", quickly gained popularity. Initially these cards worked primarily as credit cards, allowing holders to make purchases that they could repay over time, and banks profited from the interest on the deferred payments. Debit functions were added to Carte Bleue a little later: cards were linked directly to bank accounts, so customers could pay in real time with the funds debited immediately. Two remarks are in order here. Firstly, Carte Bleue was a national payment system, so the cards did not work outside France (over time, French banks began to issue an international version called Carte Bleue Internationale, but it was just a co-branded Visa). Secondly, unlike the cards of international payment systems such as Visa and MasterCard, Carte Bleue allowed transactions to be completed without authorization from the issuing bank.
In 1992, following the trend of technological progress, the French added an embedded chip to their Carte Bleue cards in addition to the magnetic stripe. Purchases could still be made without any confirmation from the bank: in a French store the Carte Bleue holder entered a PIN code, the chip on the card itself verified it, and the terminal accepted the chip's certified data as proof that the card was genuine. Micropayments, such as fares or parking, were made without a PIN at all. The system was introduced to combat fraud, which was becoming an increasing problem with magnetic stripe cards. The chip, unlike the magnetic stripe, was much harder to read and clone. Combined with the PIN requirement for authorizing transactions, the new system was supposed to provide a much higher level of security for both cardholders and merchants. At least, so it seemed to the French bankers.
White hat
In 1997, Serge Humpich bought a Carte Bleue payment terminal from a merchant he knew, took it apart, dumped its firmware and disassembled it. He traced every step of the smart card payment procedure and found that the terminal authenticated cards offline against a single RSA public key of about 96 decimal digits (roughly 320 bits). Humpich factored that modulus and recovered the corresponding private key, which let him sign card data of his own making. The result was a fake card linked to no bank account that Carte Bleue payment terminals nevertheless accepted for purchases. Humpich was convinced that any other computer scientist could do the same thing and then issue as many of these cards as he wanted, for example to sell them to criminals.
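The two paragraphs above describe the shape of the weakness without showing it, so here is a small model of it in Python. This is an added example written for this article, not Humpich's code and not the real Carte Bleue data format: the record layout, the exponent, the toy 31-bit primes and the Pollard-rho factoring are all my constructions, and the modulus is deliberately tiny so that the attack finishes in seconds. What the model keeps from the text is the structure of the failure: the terminal only holds the issuer's public key and checks a signature over the card's static data offline, and then asks the chip itself whether the PIN is right. Anyone who can factor the modulus can sign arbitrary card data, and a forged chip can simply say yes to every PIN.

```python
"""Toy model of offline static card authentication (constructed example).
The terminal holds only the issuer's RSA public key, verifies the signature on a
card's static record, then trusts the chip's own PIN verdict. Key size, record
format and exponent are assumptions for illustration, not historical values."""
import hashlib
import math

E = 65537  # public exponent; an assumption, not the historical value


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_usable_prime(start: int) -> int:
    """Smallest prime >= start with p-1 coprime to E, so a private exponent exists."""
    p = start | 1
    while not (is_probable_prime(p) and (p - 1) % E != 0):
        p += 2
    return p


def issuer_keypair(bits: int = 31):
    """Issuer key from two `bits`-bit primes (toy size chosen so factoring is fast)."""
    p = next_usable_prime(1 << (bits - 1))
    q = next_usable_prime((1 << (bits - 1)) + (1 << (bits - 2)))
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))


def representative(record: bytes, n: int) -> int:
    """Map the card's static data to an integer below n (toy encoding, not PKCS#1)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n


def sign_record(record: bytes, n: int, d: int) -> int:
    return pow(representative(record, n), d, n)


def terminal_accepts_card(record: bytes, sig: int, pub) -> bool:
    """All the terminal can do offline: check the signature with its embedded public key."""
    n, e = pub
    return pow(sig, e, n) == representative(record, n)


class Card:
    """The chip as the terminal sees it: a static record, its signature, a PIN verdict."""
    def __init__(self, record: bytes, sig: int, pin: str = None):
        self.record, self.sig, self._pin = record, sig, pin

    def verify_pin(self, pin: str) -> bool:
        # A genuine chip compares; a forged chip stores no PIN and approves anything.
        return self._pin is None or pin == self._pin


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho with Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 64):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def forge_card(record: bytes, pub) -> Card:
    """Attacker's side: factor the public modulus, derive d, sign any record at all."""
    n, e = pub
    p = pollard_rho(n)
    d = pow(e, -1, (p - 1) * (n // p - 1))
    return Card(record, sign_record(record, n, d))  # no PIN stored: says yes to every PIN


def offline_purchase(card: Card, pin: str, pub) -> bool:
    """Terminal decision with no link to the bank: static auth, then the chip's PIN verdict."""
    return terminal_accepts_card(card.record, card.sig, pub) and card.verify_pin(pin)


def demo() -> dict:
    pub, d = issuer_keypair()
    record = b"CARD=TOY-0001;EXP=9912;ACCT=toy-account"  # constructed sample data
    genuine = Card(record, sign_record(record, pub[0], d), pin="1234")
    forged = forge_card(b"CARD=TOY-9999;EXP=9912;ACCT=none", pub)
    return {
        "genuine_right_pin": offline_purchase(genuine, "1234", pub),
        "genuine_wrong_pin": offline_purchase(genuine, "0000", pub),
        "forged_any_pin": offline_purchase(forged, "0000", pub),
        "tampered_record": terminal_accepts_card(record + b";ACCT=other", genuine.sig, pub),
    }
```

Running `demo()` shows the two halves of the problem side by side: a genuine card with the wrong PIN and a tampered record are both rejected, exactly as the designers intended, while the forged card passes with any PIN because the only thing the terminal can check offline is a signature whose private key the attacker now holds. The fix the model points at is the same one the industry eventually adopted: a modulus long enough that factoring is infeasible, and online authorization so the terminal's verdict is not the last word.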
Many hackers, having made such a discovery, would probably have rushed to buy goods with fake cards in order to resell them. But Serge Humpich decided to avoid the risk of becoming the lead story in the evening crime news, and chose what he considered a more legal route. In hindsight, his approach was one of the earliest examples of what later became known as "white hat" or "ethical" hacking, in which information security specialists find and report vulnerabilities so that companies can fix them.
In the summer of 1998, Humpich hired an intellectual property lawyer and two industrial property experts to draft a submission to the consortium of banks that operated the Carte Bleue payment system. In the document he described in detail what he had done, presented the results of his research, and attached a card he had made that could pay for anything in France without any bank account behind it. What is more, Humpich said he knew how to fix the defect in the Carte Bleue key scheme so that attackers could no longer exploit the vulnerability. For his work he asked the bankers for a modest fee, which he later described as a form of professional recognition. In effect, he had broken the basic logic of the Carte Bleue system, proving that even the most modern digital security mechanisms can be turned to an attacker's advantage.
The banks did not respond to Humpich's submission, so he staged a public demonstration of his discovery, presenting what would today be called a proof of concept. Using ten fake Carte Bleue cards, he bought ten metro tickets from ticket machines at the Balard and Charles Michels stations of the Paris metro. The result was his arrest, a search of his house, and the seizure of all the electronic equipment found there.
Crime and punishment
On February 25, 2000, Serge Humpich stood trial on charges of forging bank cards and fraudulently accessing an automated data processing system. The banks to which Humpich had sent his report also accused him of extortion, but the court ultimately rejected that charge, ruling that the "white hat hacker" had not demanded money from the bankers but had merely offered them the option of paying voluntarily for the information he provided.
In the courtroom, Humpich's argument boiled down to the claim that he had done the banks a valuable service by exposing the shortcomings of the technologies they used. The French court, however, viewed his actions through a stricter lens, focusing on the potential consequences of his hacking, which could have undermined public confidence in the country's banking system.
The argument that, had Humpich published his discovery on the Internet instead of telling the consortium, the French banking system would have suffered hundreds of millions in damage, did not work: the bankers persistently called Humpich a blackmailer, and described the ten metro tickets he had bought as irreparable damage to the French economy. In the end, the court sided with them: Humpich was found guilty, given a 10-month suspended prison sentence and fined 12,000 francs (about 1,830 euros at the fixed franc-to-euro conversion rate). In addition, he was ordered to pay 1 franc to the banking consortium as compensation for the moral suffering of the bankers. With a criminal record, he also lost his job. Although the punishment was relatively lenient compared to the possible maximum, the case raised serious ethical questions about the fine line between "white hat" hacking and real cybercrime.
"My intention has always been to discuss the results of this study," Humpich told The Register, "my mistake was that I was dealing with such a formidable opponent. If I had known their true intentions, no one would have ever heard a word about all this."
After the sentence, Serge Humpich disappeared from public view for some time. In 2001 his book "Le cerveau bleu" (The Blue Brain) was published, in which Humpich told the story of the Carte Bleue hack and his trial. He later went to the United States and founded a technology startup there, but it did not succeed and he returned to France, where he was hired by Bearstech.
The case of Serge Humpich is often cited in discussions of how governments and corporations should treat hackers who disclose vulnerabilities without resorting to malicious actions. His decision to probe the nation's banking system in order to expose its weaknesses is remembered as a turning point in the history of cybersecurity, partly because the field of information security has since matured. Many companies and institutions now run "bug bounty" programs, inviting hackers to report vulnerabilities in exchange for a financial reward. In some ways Humpich was ahead of his time: his actions anticipated these modern initiatives, even though they landed him in the dock. He may not have received the recognition he had hoped for, but he changed attitudes towards independent researchers like him.