
The story of Serge Humpich, a software engineer who in 1997 discovered a critical vulnerability in the system of Carte Bleue, France’s national banking network. The article describes the path from his research to the court, as well as the key points that made him one of the first figures in the field of ethical hacking. Learn how a hacker was able to create a card for transactions without a bank account, and how his actions helped shape today’s security standards.
Say out loud: “hacking the country’s banking system.” One immediately imagines an international hacker group carefully planning complex cyberattacks. It is much harder to imagine that a single person could be behind it, and one who never even aspired to become a hacker. But that is exactly what happened in 1997, when an experienced programmer, Serge Humpich, surprised French banks by finding a way to pay for purchases with cards that were not linked to any bank account.
Serge was born in 1963 in the city of Mulhouse in Alsace. His mother taught at a college, and his father worked in industry. After studying at the INSA College in Lyon, where he received an engineering degree, Serge spent 12 years creating software for stock traders. Delving into financial systems, he also became interested in the security of various electronic devices.
In the 1990s, credit and debit cards began to be widely used in France, and the Carte Bleue system became particularly popular. It was introduced back in 1967 by leading French banks such as BNP, Societe Generale and Credit Lyonnais. The goal was to create a universal payment method in shops, public places and on transport, which would greatly facilitate cashless transactions and reduce dependence on cash.
In the 1960s, amid the consumer boom, there was a need for more secure payment systems, as cash and checks not only carried security risks, but also made it difficult for banks to monitor financial transactions. That is why the Carte Bleue interbank card with a magnetic strip was created, which was the answer to the challenges of that time.
Carte Bleue, which translates as “Blue Card”, quickly became popular among the French. It was originally used as a credit card, allowing holders to buy goods and pay off their value gradually, with banks profiting from the interest on such deferred payments. The system was later adapted for debit cards that were linked directly to bank accounts, allowing customers to instantly debit funds upon payment. It is important to note that Carte Bleue was a purely national system, so it could not be used outside of France. At the same time, it had a significant advantage over other international systems, such as Visa or MasterCard: transactions did not require authorization from the issuing bank.
In 1992, French banks introduced a microchip on Carte Bleue cards, which increased the level of security and allowed transactions to be confirmed with a PIN code. This made it much harder for fraudsters to clone cards and created a new level of protection for both buyers and sellers, which at the time seemed like a solid solution.
In 1997, Serge Humpich bought a payment terminal for the Carte Bleue system from an acquaintance, took it apart, extracted the firmware and disassembled the code. He studied in detail each step of paying with a smart card and was able to recreate the algorithm for generating the 96-digit private key used to authenticate transactions. This allowed him to create a fake card that was not linked to a bank account but was accepted by Carte Bleue terminals and could be used to make purchases. Humpich was sure that any computer specialist could do the same, and could also produce an unlimited number of such cards to sell to criminals.
Many hackers, having made such a discovery, would probably have started using fake cards immediately to buy goods with the aim of reselling them later. However, Serge Humpich decided to avoid the risk of becoming the subject of crime news and chose another path, which he considered legitimate. In fact, Humpich became one of the first representatives of what later became known as White Hat Hacking — “ethical hacking.” Ethical hackers search for vulnerabilities in systems so that they can be fixed and security improved.
In 1998, Humpich turned to a lawyer and two corporate property experts to prepare a detailed appeal to the banks that operated the Carte Bleue system. In his letter, he explained how he carried out the hack, included the results of his research and a fake card that allowed him to pay for purchases without having a bank account. Humpich also proposed a solution to the problem with the private key generation algorithm, which could prevent further attacks. He asked for a small reward for this work, calling it professional recognition.
When the banks ignored his appeal, Humpich decided to hold a public demonstration. Using ten fake cards, he bought ten tickets on the Paris Metro. This action ended with his arrest, a search of his home and the seizure of all his electronic devices.
On February 25, 2000, the trial of Serge Humpich took place, where he was accused of forging bank cards and unauthorized access to an automated processing system. The banks to which Humpich had previously sent his report also tried to accuse him of extortion. However, the court rejected this accusation, deciding that the “white hacker” did not demand money, but only offered a voluntary reward for discovered vulnerabilities.
In court, Humpich claimed he was helping the banks by pointing out the flaws in their technology. But the court took a much tougher view, focusing on the fact that such a hack could undermine public confidence in France’s banking system, even if his intentions were ethical.
The defense argued that if Serge Humpich had published his discovery on the Internet, the losses for the French banking system could have amounted to hundreds of millions of dollars, but this did not influence the court. The bankers continued to claim that Humpich’s actions were blackmail, and the ten subway tickets he bought were described as serious damage to the country’s economy. In the end, the court supported the position of the banks: Humpich was found guilty and sentenced to 10 months of suspended imprisonment, as well as a fine of 12,000 francs (approximately 1,900 euros). He also had to pay a symbolic compensation of 1 franc to the banking consortium for non-pecuniary damage. On top of that, Humpich was fired from his job and his reputation was destroyed. Although the punishment was relatively light, the case sparked important debates about the line between white-hat hacking aimed at improving security and actual cybercrime.
“My intention was always to discuss the results of this study,” Humpich said in an interview with The Register, “my mistake was that I was dealing with such a tough opponent. If I had known their true intentions, no one would ever have heard a word of all this.”
After serving his sentence, Serge Humpich withdrew from public life for a while. In 2001, he published a book called “The Blue Brain” (Le cerveau bleu), detailing his hacking of the Carte Bleue payment system and the events of the trial. Later, he left for the US, where he tried to found a technology startup, but without success. After returning to France, Humpich found a job at Bearstech.
His case is often mentioned in discussions of how governments and corporations should deal with hackers who discover vulnerabilities without malicious intent. Humpich’s breach of the French banking system was a major milestone in the history of cyber security, one that helped the industry grow. Many companies today run “bug bounty” programs, where hackers are offered rewards for finding vulnerabilities. In this sense, Humpich was one step ahead of his time, although his actions led to a trial. He did not achieve the recognition he had hoped for, but his contribution changed the way independent researchers are treated in the field of cybersecurity.