 |
| CNN WEB SITES: |
|
| TIME INC. SITES: |
| MORE SERVICES: |
| video on demand |
| video archive |
| audio on demand |
| news email services |
| free email accounts |
| desktop headlines |
| pointcast |
| pagenet |
| DISCUSSION: |
| message boards |
| chat |
| feedback |
| SITE GUIDES: |
| help |
| contents |
| search |
| FASTER ACCESS: |
| europe |
| japan |
| WEB SERVICES: |
From...
German court ruling another blow to U.S. encryption standard
September 23, 1998
Web posted at 2:10 PM EDT
by Mary Lisbeth D'Amico
(IDG)
-- MUNICH – A German district court has ordered a bank in Frankfurt to
repay a customer 4,543 marks (US $2,699) for money withdrawn from her
bank account after her bank card was stolen.
The decision, made public Monday, again points to the holes in the 56-bit encryption technology used in Eurocheque cards, called EC Cards, according to the Chaos Computer Club, a German hackers group.
Calling the encryption technology for the EC bank cards "out-of-date and not safe enough," a Frankfurt District Court held the bank responsible for the amount stolen from the 72-year old plaintiff in February 1997. Neither the bank's name or that of the plaintiff were revealed.
An EC card is like a bank card which can be used at bank automats and point-of-sale terminals throughout Europe. The cards feature the U.S. government's data encryption standard, which uses 56-bit encrypted code to scramble the security information.
|
|
||
|---|---|---|
 |
IDG.net home page | |
| Industry Standard home page | ||
| Industry Standard email newsletters | ||
| Industry Standard daily Media Grok | ||
| Industry Standard financial news | ||
| Industry Standard e-commerce stories | ||
| Computerworld "Emmerce" | ||
|
Fusion
financial report Free registration required to access this site |
||
| InfoWorld Internet commerce section | ||
| Reviews & in-depth info at IDG.net | ||
| IDG.net's personal news page | ||
| Questions about computers? Let IDG.net's editors help you | ||
|
Search IDG.net in 12 languages |
||
| Subscribe to IDG.net's free daily newsletter for computer industry cognoscenti | ||
| News Radio | ||
 |
Fusion audio primers | |
|
|
Computerworld Minute | |
Andy Muller-Maguhn, a Chaos Computer Club member, told the German press agency (dpa) today that the decision shows that customers are not sufficiently protected from criminal misuse of the EC card. Muller-Maguhn offered expert testimony in the case.
The plaintiff's EC card was stolen out of her purse in February 1997, and withdrawals were made from a number of banks throughout Germany until she noticed the theft and froze the card.
The banks tried to argue that the plaintiff should bear the burden of at least part of the amount stolen, saying the 72-year-old retired dentist had been careless with her PIN, according to the text of the Court's decision. They argued that it is impossible for the thieves to have withdrawn the money from a series of different banks without access to the PIN.
But the woman argued that she had treated the PIN properly, locking it in a file at home, and had, in fact, never used it in connection with the card, meaning that no one could have read it from her as she was using it at a bank automat.
The Frankfurt District Court decided that the bank was responsible, after hearing expert testimony that it is possible for the PIN number to be cracked with only the EC card. It said that it must assume either that the PIN code was cracked or guessed by the thieves.
The bank argued that the PIN can only be cracked with the use of the bank's own DES key, not with the information on the card – and assumed it would be impossible as there would be 70 billion different possibilities using the 56-bit algorithms.
In July, a U.S. hackers organization also demonstrated how a 56-bit DES key could be unscrambled within 56 hours.
The Chaos Computer Club already warned last year of the lack of sufficient security for EC cards. Banks should take responsibility for the security holes in the EC Card system, rather than blaming customers for negligence with the PIN or even inferring that they had criminal intentions, according to a statement from the Chaos Computer Club.
Mary Lisbeth D'Amico writes for the IDG News Service in Munich.