U.S. retailers have been upgrading their systems to accommodate chip-and-PIN as card companies are now holding them more accountable for fraud if systems are not upgraded.
Chip-and-PIN, also known as EMV, has been used in areas such as Europe for more than a decade. The payment cards have security features that make them difficult to clone, and transactions are authorized in part by a cryptographic microchip.
If someone with a chip-enabled card goes to Target these days and swipes their card's magnetic stripe, the point-of-sale system will see the service code and know that it's a chip card and ask for it to be inserted into a reader, Kamkar said.
"But I discovered that if I can modify the service code, or create a new card with a different magstripe with the same data but just flip that bit, I can essentially disable that requirement for the chip," he said.
Kamkar modified the service code and was able to buy something by swiping a card when it should have been a chip-and-PIN transaction.
"I was flabbergasted," he said.
When asked if it was Target, Kamkar laughed and said it "was a major retailer."
Kamkar has released the schematics and software for MagSpoof. He is not, however, releasing the information that would allow the generation of American Express card numbers. He's also not releasing the code that would allow the disabling of chip-and-PIN.
MagSpoof is an interesting little piece of hardware. It can store many credit card numbers. It emulates the magnetic field that is generated by a card's magnetic stripe and can project a payment card's details from up to two inches away from a magnetic stripe reader.
On his blog, Kamkar wrote that MagSpoof is intended for research purposes and should only be used with payment cards someone is authorized to use.
Sign up for CIO Asia eNewsletters.