When Samy Kamkar lost his American Express card last August and received its replacement in the mail, something about the final digits on the new card set off an alert in the hacker lobe of his brain. He compared the numbers with those of his previous three American Express cards—as a universally curious security researcher and serial troublemaker, he’d naturally recorded them all—and a pattern emerged.
So Kamkar sent out a message to his friends on Facebook, asking them to send him the final digits of all of their current and most recently canceled AmEx cards. Ten friends responded, and the same disturbing pattern applied to every number he checked: With any given card, Kamkar found he could apply his trick and predict the full number of the next card they’d received.
Kamkar immediately saw the potential for a nasty fraud technique: Any hacker who’d compromised a card number could predict the card’s replacement as soon as it was reported stolen—and then, using the date of the previous card’s cancellation, figure out the replacement’s expiration date too. “The day that card is canceled, as soon it gets rejected, two seconds later I know what your new number and expiration date will be,” Kamkar says. “If I were doing fraud, that would be pretty useful.” The trick could be applied again and again, stealing new card numbers as fast as American Express could generate them.
The trick could be applied again and again, stealing new card numbers as fast as American Express could generate them.
Three months later, Kamkar has built a device for just $10 that’s designed to prove the danger of that number-predicting vulnerability and to convince American Express to fix it. His watch-sized gadget, which he calls MagSpoof, can store more than a hundred credit card numbers and emit an electromagnetic field that’s strong enough to hit a credit card reader’s sensor from close proximity, sending a signal that imitates a credit card being swiped. Kamkar’s device also includes a button that implements his prediction algorithm; if a criminal using MagSpoof were to find that a credit card he or she tried to spoof had been canceled, the device could immediately generate the victim’s next card number. A week or so later, when the fraudster could be fairly sure a new card had been freshly activated, he or she could steal it again. “As soon as the card gets declined, you press a button and it switches to the next number,” Kamkar says. “It sucks for [Amex users], because they could have their new credit card stolen almost instantly.”
Kamkar admits that his attack can’t, however, access the victim’s four-digit CVV from the back of the card, which reduces the number of businesses where it can be used. And the MagSpoof hardware doesn’t look like a credit card, so a thief couldn’t convincingly hand it to a cashier or waiter. But Kamkar points out (and demonstrates in the video below) that he can use a digital credit card device like Coin to store the numbers that his device creates, a technique that would make his number-prediction trick much less suspect. “If you don’t want to hand someone this thing, you can just hand them a Coin instead,” he says.
Coin responded to Kamkar’s video by arguing its devices can’t easily be used for fraud. “We require several security steps before a credit card can be used with a Coin payment device,” Coin spokesperson Kayla Abbassi wrote to Wired in a statement. “These steps allow us to verify identity, as well as the validity and ownership of each card, based on information such as the last four digits of the cardholder’s social security number and billing zip code.” Kamkar admits that he’s only loaded predicted numbers for his own cards onto a Coin device and hasn’t tried anyone else’s. But he suggests that Coin’s security measures can be defeated, and points to an upcoming talk describing how to circumvent them scheduled for later this month at the Kiwicon security conference in New Zealand.
As for American Express’ more fundamental problem that its card numbers can be predicted, Kamkar says he contacted the company several times and finally had an hourlong discussion with an engineer who assured him the predictable card numbers weren’t a serious security risk—at least not one that it planned to fix. An American Express representative followed up with Wired to point out that AmEx users would still be protected from Kamkar’s card prediction trick by its extra protections like an extra security code embedded in its magstripe data and the chip-and-PIN technology rolling out across the United States now, which requires a chip in the card to be read to make a purchase.
“Simply knowing a card number wouldn’t allow a fraudster to complete a purchase face to face because a card product would need to dipped at many of the stores with EMV chip portals or swiped. In addition, the security code embedded in the card product would need to be verified. For both EMV chip and magnetic stripe cards, the security code changes with the card number and is impossible to predict,” writes AmEx spokesperson Ashley Tufts. She also noted that the company uses other security measures that it declined to detail.
Kamkar confirms that AmEx’s extra security magstripe code does seem to block his prediction attack in some cases. He’s still not sure exactly at which points of sale the trick works. But he’s found, for instance, that he was able to use predicted card numbers at two different restaurants—one fast-food joint and one high-end place where he spent more than $100—without a problem. He demonstrates a successful MagSpoof transaction at the fast-food venue in the video above. (He only tested the technique with his own cards, of course.)
Even chip-and-PIN protections on a victim’s card may not work to protect against his MagSpoof attack, Kamkar argues. The presence or absence of that extra chip in the card as a safeguard is noted in the card’s communications with the reader, he says. By spoofing a “no-chip” signal to the point of sale terminal, Kamkar says he can trick the reader into accepting a stolen chip-and-PIN card number as if it were chipless.
Kamkar says he built his MagSpoof prototype out of little more than a programmable Atmel ATtiny microcontroller, a battery, an LED, a capacitor, a resistor, and some copper wire. In fact, the setup is simple enough that he’s not planning to release its prediction algorithm—or even any hints of how the prediction works, for fear that it might fuel real fraud. But he argues that despite his discretion, American Express nonetheless needs to fix the problem before other hackers exploit the technique—or to limit the damage from those who already have. “It’s not like I cracked some crazy pseudorandom number generator. This is really obvious,” Kamkar says of his card number prediction technique. “I’ve never heard of anyone finding this, but I’d be surprised if someone hadn’t figured it out.”
Also in Wired: