[3366] in cryptography@c2.net mail archive
RE: German court: DES is no good
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Thu Sep 24 16:22:10 1998
Date: Thu, 24 Sep 1998 15:14:31 -0400
To: cryptography@c2.net, cryptography@c2.net
From: Robert Hettinga <rah@shipwright.com>
--- begin forwarded text
X-Server-Uuid: b0fe6c76-9e59-11d1-b373-00805fa7c2de
From: "Muller, John D." <JMuller@brobeck.com>
To: "'Phillip Hallam-Baker'" <hallam@ai.mit.edu>,
 "Robert Hettinga" <rah@shipwright.com>, <dcsb@ai.mit.edu>
Subject: RE: German court: DES is no good
Date: Thu, 24 Sep 1998 11:49:56 -0700
MIME-Version: 1.0
X-WSS-ID: 1A144B10530225-01-02
Here are excerpts from the Industry Standard story on the German court
decision,
http://www.thestandard.net/articles/article_print/0,1454,1780,00.html

"A German district court has ordered a bank in Frankfurt to repay a customer
4,543 marks (US$2,699) for money withdrawn from her bank account after her
bank card was stolen.

The decision, made public Monday, again points to the holes in the 56-bit
encryption technology used in Eurocheque cards, called EC Cards, according
to the Chaos Computer Club, a German hackers group.

Calling the encryption technology for the EC bank cards 'out-of-date and not
safe enough,' a Frankfurt District Court held the bank responsible for the
amount stolen from the 72-year-old plaintiff in February 1997. Neither the
bank's name nor that of the plaintiff was revealed. . . .

The plaintiff's EC card was stolen out of her purse in February 1997, and
withdrawals were made from a number of banks throughout Germany until she
noticed the theft and froze the card.

The banks tried to argue that the plaintiff should bear the burden of at
least part of the amount stolen, saying the 72-year-old retired dentist had
been careless with her PIN, according to the text of the Court's decision.
They argued that it is impossible for the thieves to have withdrawn the
money from a series of different banks without access to the PIN.

But the woman argued that she had treated the PIN properly, locking it in a
file at home, and had, in fact, never used it in connection with the card,
meaning that no one could have read it from her as she was using it at a
bank automat.

The Frankfurt District Court decided that the bank was responsible, after
hearing expert testimony that it is possible for the PIN number to be
cracked with only the EC card. It said that it must assume either that the
PIN code was cracked or guessed by the thieves.

The bank argued that the PIN can only be cracked with the use of the bank's
own DES key, not with the information on the card - and assumed it would be
impossible as there would be 70 billion different possibilities using the
56-bit algorithms."

John Muller
Brobeck, Phleger & Harrison LLP
One Market Plaza
San Francisco, CA 94105
(415) 442-1314
jmuller@brobeck.com
http://www.brobeck.com
> -----Original Message-----
> From: Phillip Hallam-Baker [SMTP:hallam@ai.mit.edu]
> Sent: Wednesday, September 23, 1998 8:22 PM
> To: Robert Hettinga; dcsb@ai.mit.edu
> Subject: RE: German court: DES is no good
>
> It seems unlikely that the loss was due to breaking DES.
> Was this the only grounds the court found for finding in
> the woman's favour?
>
>
> Phill
>
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'