Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

This gizmo knows your Amex card number before you've received it

Jeremy Kirk | Nov. 25, 2015
American Express appears to have used a weak algorithm to generate new card numbers.

magspoof
A small device called MagSpoof can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Credit: Samy Kamkar

A device built by legendary hacker Samy Kamkar calls into question the security of payment cards as the U.S. continues to grapples with card fraud.

Kamkar's device, nicknamed MagSpoof, is about the size of a U.S. quarter, and it's safe to say it would be a fraudster's dream.

MagSpoof can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.

It can also trick point-of-sale readers into accepting payment from cards that are supposed to have a microchip with advanced cryptographic capabilities designed to deter fraud, a system known as chip-and-PIN, but do not.

He noticed that the replacement card's number appeared to have a relationship with other Amex cards he'd had in the past. Kamkar worked out a formula for how the number was calculated, which matched up to 40 cards and replacement cards shared with him by his friends for his research.

"One hundred percent of them followed my predictions," Kamkar said in a phone interview Tuesday. The card generation algorithm "is not very random."

To do the calculation, Kamkar said he just needs the old card number and the expiration date. 

The danger, of course, is that cybercriminals with access to the old card's details could figure out the new card number before the victim has even received it. Once the card is active, the fraudster can go shopping.

American Express officials could not be immediately reached for comment on Monday. Kamkar says he notified them in August, but the company told him they didn't think it was a major issue.

Kamkar said American Express clearly has other anti-fraud measures that could potentially stop abuse, but it's not guaranteed those would stop every fraudulent purchase.

The American Express number prediction capability isn't the only interesting feature built into MagSpoof. Kamkar did an intensive study of the magnetic stripe on the back of payment cards.

credit card
Iron oxide filings reveal how a credit card's magnetic stripe is encoded: two solid stripes represent a "1," and a stripe followed by a space represents a "0." Credit: Samy Kamkar

He found the stripe contains a service code that is used to transmit information such as whether a card can be used overseas, if it can be used by an ATM or if it's a chip-and-PIN card.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.