The Swiss German newspaper «Sonntagszeitung» reports that the Swiss Postcard (a kind of credit card from the Swiss Postfinance) has been cracked.
The article claims that it is possible to create and sign a new Postcard with a valid card number and arbitrary account data. This is said to be due to the fact that the Postcard is signed with a 320-bit RSA private key, which, if true, is easy to reverse engineer. In 1996, when Bruce Schneier published his «Applied Cryptography», he stated that it would be easily possible to break a 512-bit RSA key within a reasonable amount of time. Also, the amount of additional work required to break a larger RSA key does not grow linearly with the key size, so in fact it is several orders of magnitude easier to break a 320-bit RSA key. Also, quite a lot of time has passed since 1995. Nowadays, RSA is mostly used with keys of at least 2048 bits.
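To put numbers on the non-linear scaling, the following added example (not from the article) compares modulus sizes using the standard heuristic cost of the general number field sieve. The o(1) term of the formula is dropped, which is an assumption, so the figures are only good for comparing sizes against each other, not as absolute run times.

```python
"""Rough GNFS cost comparison for RSA modulus sizes (added example)."""
import math

# Constant of the general number field sieve heuristic: (64/9)^(1/3)
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost L_n[1/3, c] for a modulus n of this size.

    L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)); the o(1) term is
    dropped (assumption), so the result is a relative estimate only.
    """
    ln_n = modulus_bits * math.log(2)
    ln_cost = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_cost / math.log(2)


def orders_of_magnitude_easier(small_bits: int, large_bits: int) -> float:
    """How many powers of ten less work the smaller modulus needs."""
    return (gnfs_bits(large_bits) - gnfs_bits(small_bits)) * math.log10(2)


def compare(sizes=(320, 512, 1024, 2048)):
    """Rows of (size, log2 of work, powers of ten harder than the first size)."""
    base = sizes[0]
    return [(s, gnfs_bits(s), orders_of_magnitude_easier(base, s)) for s in sizes]


if __name__ == "__main__":
    for size, bits, harder in compare():
        print(f"RSA-{size:<5} ~2^{bits:5.1f} operations, "
              f"10^{harder:4.1f} times the 320-bit effort")
```

Under this estimate a 320-bit modulus costs between three and four orders of magnitude less work than a 512-bit one, and roughly twenty orders of magnitude less than a 2048-bit one.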
Back to the Postcard: It is also possible to create a copy of a Postcard which has an additional «feature» that allows you to type in any PIN you like. The PIN is used solely for storing transaction logs on the Postcard itself and is not used in any way for authenticating the card. If appending to the log fails, the terminal aborts the transaction manually. This means that it's not necessary to know the PIN of a person whose Postcard you get hold of (e.g. because he put it into your card reader in your little store, thinking it would be a terminal). You can just make transactions without it.
However, Postfinance decided to deny the existence of these security holes in their Postcard. Thus, Fix announced a public demonstration of the technique on television, using solely data of customers who have given their consent to participate in the demonstration. If there is indeed a security hole, Postfinance is not going to be looking forward to the next few months...
Article: http://www.sonntagszeitung.ch/dyn/news/multimedia/743744.html
More information: http://www.postcard-sicherheit.ch/