This $10 gadget can guess American Express credit card number and pin even before you have received it
When legendary hacker Samy Kamkar received replacement of its American Express card lost last August, he noticed something disturbing about the pattern of the final digits on the new card.
Where U.S. is still struggling to fight with card fraud, Kamkar has built a new device for just $10 that questions the security of payment cards.
Dubbed as MagSpoof, Kamkar’s device is about the size of a U.S. quarter and a hacker’s dream. The device can store more than a hundred credit card numbers and emit an electromagnetic field strong enough to hit a credit card reader’s sensor from close proximity, sending a signal that imitates a credit card being swiped.
Based on a cancelled card’s number, MagSpoof can predict the new American Express card number. Similarly, based on the date when replacement card was requested, the new expiration date can also be predicted.
“The day that card is cancelled, as soon it gets rejected, two seconds later I know what your new number and expiration date will be,” Kamkar says. “If I were doing fraud, that would be pretty useful.”
It can also fool point-of-sale readers into accepting payment from cards that are supposed to have a microchip with advanced cryptographic capabilities that are created to prevent fraud, a system known as chip-and-PIN, but do not.
He noticed that the AmEx cards that he cancelled in the past seemed to have a relationship with the replacement card’s number. To figure out how the number was calculated, Kamkar matched up to 40 cards and replacement cards that were provided to him by his friends for his research.
In a phone interview on Tuesday, Kamkar said “One hundred percent of them followed my predictions”. The card generation algorithm “is not very random.”
Kamkar said he only needs the old card number and the expiration date to do the calculation.
The danger, of course, is that cybercriminals with access to the old card’s details could figure out the new card number before the victim has even received it. The fraudster can go shopping, once the card is active.
Kamkar says that he notified the company in August, who assured him the predictable card numbers weren’t a serious security risk. He said that American Express clearly has other anti-fraud measures that could potentially stop abuse, which is its extra protections like an extra security code embedded in its magstripe data and the chip-and-PIN technology rolling out across the United States now, which requires a chip in the card to be read to make a purchase.
“Simply knowing a card number wouldn’t allow a fraudster to complete a purchase face-to-face because a card product would need to dipped at many of the stores with EMV chip portals, or swiped. In addition, the security code embedded in the card product would need to be verified. For both EMV chip and magnetic stripe cards, the security code changes with the card number and is impossible to predict,” wrote AmEx spokesperson Ashley Tufts to WIRED. She also noted that the company uses other security measures that it refused to disclose.
The American Express number prediction capability isn’t the only interesting feature built into MagSpoof. Kamkar did an intensive study of the magnetic stripe on the back of payment cards.
He found the stripe has a service code that is used to transmit information such as whether a card can be used overseas, if it can be used by an ATM or if it’s a chip-and-PIN card.
Kamkar argues that even chip-and-PIN protections on a victim’s card may not work to protect against his MagSpoof attack. He says the presence or absence of that extra chip in the card as a safeguard is noted in the card’s communications with the reader. He further says that by spoofing a “no-chip” signal to the point of sale terminal, he can fool the reader into accepting a stolen chip-and-PIN card number, as if it were chipless.
In order to accommodate chip-and-PIN, U.S. retailers have been upgrading their systems, because if their systems are not upgraded, card companies are holding them more accountable for fraud now.
For more than a decade now, areas such as Europe have been using Chip-and-PIN, which is also known as EMV. The payment cards have security features that make them difficult to clone, and transactions are authorized in part by a cryptographic microchip.
These days if someone goes to Target with a chip-enabled card and swipes their card’s magnetic stripe, the point-of-sale system will see the service code and know that it’s a chip card and ask for it to be inserted into a reader, Kamkar said.
“But I discovered that if I can modify the service code, or create a new card with a different magstripe with the same data but just flip that bit, I can essentially disable that requirement for the chip,” he said.
When Kamkar modified the service code, he was able to purchase something by swiping a card when it should have been a chip-and-PIN transaction.
“I was flabbergasted,” he said.
Kamkar has released the software and schematics for MagSpoof. However, he is not releasing the information that would allow the generation of American Express card numbers nor the code that would allow the disabling of chip-and-PIN. His blog also states that MagSpoof only be used with payment cards someone is authorized to use and is intended for research purposes only.
In spite of Kamkar’s discretion, American Express needs to fix the problem before other hackers exploit the technique or restrict the damage from those who already have, he argues.
Talking of his card number prediction technique, Kamkar says “It’s not like I cracked some crazy pseudorandom number generator. This is really obvious. I’ve never heard of anyone finding this, but I’d be surprised if someone hadn’t figured it out.”