
Try saying out loud: "hacking the national banking system". The image of an international hacker group, carefully planning and carrying out attacks of the highest technical complexity, immediately comes to mind. And somehow it does not occur to you that one person, who, in general, has never thought about a career as a hacker, could be behind such a hack. This is exactly what happened in 1997, when an already elderly software engineer, Serge Humpich, turned the largest credit organizations in France upside down by inventing an original way to pay for purchases with cards, even without a bank account.
Serge was born in 1963 in the French commune of Mulhouse in Alsace: his mother taught sewing at a local college, and his father was a potash collector. After finishing school, Humpich entered the engineering college INSA in Lyon, where he received a bachelor's degree, and devoted the next 12 years of his life to software development. Namely, he wrote programs to manage the orders of stock traders. It was then that he plunged headlong into the architecture of financial software, the creation of which required studying large volumes of technical documentation. Another passion of Serge Humpich was the study of the security of various electronic devices.

Blue Card
In the mid-1990s, credit and debit cards were becoming increasingly important in France. The Carte Bleue system, which had been in use since the late 1960s, was considered extremely reliable and efficient. It was launched in 1967 by a consortium of French banks that included Banque Nationale de Paris (BNP), Societe Generale, Credit Lyonnais, and several others. The idea behind Carte Bleue was to create a single payment method in stores, public places, and on transport that would simplify cashless transactions and reduce citizens’ reliance on cash and cheques.
In the 1960s, France, like many other European countries, was experiencing a consumer boom, and with it came a need for more efficient payment systems. Cash and cheques were considered the primary means of payment, but they carried significant security risks for both consumers and merchants. And banks, in an effort to track customer transactions and reduce overhead costs, dreamed of a safer and more convenient way to pay. And so the interbank plastic card with a magnetic strip, Carte Bleue, was born.

Carte Bleue, which means “Blue Card,” quickly gained popularity. Initially, these cards worked mainly as credit cards, allowing holders to make purchases that they could pay off over time. Banks used such short-term loans to make a profit from interest on deferred payments. Debit card functions were connected to Carte Bleue a little later: they began to be linked directly to bank accounts, allowing customers to make payments in real time, with funds debited from the card immediately. Here, a small remark is necessary, or rather, two. Firstly, Carte Bleue was a national payment system, meaning that such cards did not work outside France (over time, French banks began to issue an international version called Carte Bleue Internationale, but it was just a branded Visa). Secondly, unlike similar cards of international payment systems such as Visa and MasterCard, Carte Bleue allowed transactions to be made without the need for authorization on the part of the issuing bank.
In 1992, the French decided to follow the trends of technological progress and added a built-in chip to their Carte Bleue cards in addition to the magnetic strip. At the same time, it was still possible to make purchases with such cards without confirmation from the bank: in any French store, the Carte Bleue holder had to use a PIN code, and the microchip on the card confirmed and authenticated the transaction. Micropayments such as paying for travel or parking were made without PIN code confirmation at all. The introduction of this system was explained by the need to combat fraud, which was increasingly becoming a problem with cards with a magnetic strip. The chip, unlike the magnetic strip, was much more difficult to read and clone. Combined with the requirement to enter an identification code to authorize transactions, the new system provided a much higher level of security for both cardholders and merchants. At least, that's how it seemed to French bankers.

White hat hacker
In 1997, Serge Humpich bought a Carte Bleue payment terminal from a fellow merchant, took it apart, and then dumped and disassembled the firmware. He carefully analyzed every step of the smart card payment process and recreated the algorithm for generating the 96-digit private key used to authenticate transactions. This allowed Humpich to create a counterfeit card that was not linked to a bank account, but which was nonetheless accepted by Carte Bleue payment terminals and allowed purchases to be made. Moreover, Humpich was convinced that any other computer specialist could do the same thing and then issue as many of these cards as he wanted, for example, to sell them to criminals.

Many hackers, having made such a discovery, would probably rush to buy goods using counterfeit cards with the aim of subsequently reselling them. But Serge Humpich decided to avoid the risk of becoming the main character of a crime chronicle on the evening news, and began to act in a more legal way, as he believed. By and large, Humpich was the founder and discoverer of the phenomenon that was later called "White Hat Hacking", that is, "ethical hacking", which is carried out by information security specialists in order to help companies eliminate the vulnerabilities identified.
In the summer of 1998, Humpich hired a lawyer specializing in industrial law and two experts in corporate property, with whose help he drew up an appeal to the consortium of banks that managed the Carte Bleue payment system. In the document, he described in detail the actions he had carried out, demonstrated the results of his research and attached a card he had made that allowed you to pay for anything in France without even having a bank account. Moreover, Humpich reported that he knew how to fix the flaw in the private key generation algorithm used by the Carte Bleue system, so that attackers could no longer exploit this vulnerability. For his work, he asked the bankers for a small reward, which he later described as a form of professional recognition for his work. In the process of hacking Carte Bleue, Humpich used his deep knowledge of cryptography and banking protocols. In essence, he hacked the core logic of the Carte Bleue system, proving that even the most modern digital security mechanisms can be used by attackers for their own interests.
The banks did not respond to Humpich's appeal, so he then held a public demonstration of his discovery, presenting, as they would say today, a proof-of-concept. Using ten counterfeit Carte Bleue cards, he bought ten metro tickets from the ticket machines at the Balard and Charles Michels stations of the Paris metro. This action resulted in an arrest, search, and seizure of all electronic equipment found in his home.

Crime and Punishment
On February 25, 2000, Serge Humpich was charged with counterfeiting bank cards and fraudulently entering an automated processing system. The banks to which Humpich had sent his report also brought charges of extortion against him, but the court ultimately dismissed them, ruling that the “white hat” hacker had not demanded money from the bankers, but had merely proposed that they pay him voluntarily for the information he provided.
In court, Humpich argued that he was providing a valuable service to the banks by exposing the flaws in their technology. However, the French court viewed his actions through a more rigorous lens, focusing on the potential impact of his hack on public confidence in the country’s banking system.

The argument that, had Humpich published his discovery freely on the Internet instead of telling the consortium about it, the French banking system would have suffered hundreds of millions of dollars in damage did not work: the bankers stubbornly called Humpich a blackmailer and described the ten metro tickets he bought as irreparable damage to the French economy. In the end, the court agreed with them: Humpich was found guilty, sentenced to 10 months of suspended imprisonment and a fine of 12,000 francs, which at the current exchange rate is approximately 1,900 euros. In addition, he was obliged to pay 1 franc to the banking consortium as compensation for moral damages for the mental suffering experienced by the bankers. Having become a criminal offender, he was also fired from his job. Although the sentence was relatively lenient compared to the maximum possible prison terms, the case raised serious ethical questions about the fine line between white hat hacking and true cybercrime.
“My intention was always to discuss the results of this research,” Humpich told The Register. “My mistake was to deal with such a formidable adversary. If I had known their true intentions, no one would have heard a word about all this.” After serving his sentence, Serge Humpich disappeared from public view for a while. In 2001, his book Le cerveau bleu (The Blue Brain) was published, in which Humpich told the story of the Carte Bleue hack and his trial. He later moved to the United States, founded a tech startup there, but was unsuccessful and returned to France, where he joined Bearstech.
The case of Serge Humpich is often mentioned in discussions about how governments and corporations should treat hackers who disclose vulnerabilities without malicious intent. His decision to hack into the nation’s banking system to expose weaknesses remains a turning point in the history of cybersecurity – partly because of it, the field has matured. Many companies and institutions now offer “bug bounty” programs, inviting hackers to report vulnerabilities in exchange for a financial reward. In some ways, Humpich was ahead of his time – his actions pre-dated these modern initiatives, even though they landed him in the dock. He may not have received the recognition he was hoping for, but he changed the way independent researchers like him are treated.