American Express appears to have used a weak algorithm to generate new card numbers.
A device built by legendary hacker Samy Kamkar calls into question the security of payment cards as the U.S. continues to grapples with card fraud.
Kamkar's device, nicknamed MagSpoof, is about the size of a U.S. quarter, and it's safe to say it would be a fraudster's dream.
MagSpoof can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.
It can also trick point-of-sale readers into accepting payment from cards that are supposed to have a microchip with advanced cryptographic capabilities designed to deter fraud, a system known as chip-and-PIN, but do not.
He noticed that the replacement card's number appeared to have a relationship with other Amex cards he'd had in the past. Kamkar worked out a formula for how the number was calculated, which matched up to 40 cards and replacement cards shared with him by his friends for his research.
"One hundred percent of them followed my predictions," Kamkar said in a phone interview Tuesday. The card generation algorithm "is not very random."
To do the calculation, Kamkar said he just needs the old card number and the expiration date.
The danger, of course, is that cybercriminals with access to the old card's details could figure out the new card number before the victim has even received it. Once the card is active, the fraudster can go shopping.
American Express officials could not be immediately reached for comment on Monday. Kamkar says he notified them in August, but the company told him they didn't think it was a major issue.
Kamkar said American Express clearly has other anti-fraud measures that could potentially stop abuse, but it's not guaranteed those would stop every fraudulent purchase.
The American Express number prediction capability isn't the only interesting feature built into MagSpoof. Kamkar did an intensive study of the magnetic stripe on the back of payment cards.
Iron oxide filings reveal how a credit card's magnetic stripe is encoded: two solid stripes represent a "1," and a stripe followed by a space represents a "0."
He found the stripe contains a service code that is used to transmit information such as whether a card can be used overseas, if it can be used by an ATM or if it's a chip-and-PIN card.
U.S. retailers have been upgrading their systems to accommodate chip-and-PIN as card companies are now holding them more accountable for fraud if systems are not upgraded.
Chip-and-PIN, also known as EMV, has been used in areas such as Europe for more than a decade. The payment cards have security features that make them difficult to clone, and transactions are authorized in part by a cryptographic microchip.
If someone with a chip-enabled card goes to Target these days and swipes their card's magnetic stripe, the point-of-sale system will see the service code and know that it's a chip card and ask for it to be inserted into a reader, Kamkar said.
"But I discovered that if I can modify the service code, or create a new card with a different magstripe with the same data but just flip that bit, I can essentially disable that requirement for the chip," he said.
Kamkar modified the service code and was able to buy something by swiping a card when it should have been a chip-and-PIN transaction.
"I was flabbergasted," he said.
When asked if it was Target, Kamkar laughed and said it "was a major retailer."
Kamkar has released the schematics and software for MagSpoof. He is not, however, releasing the information that would allow the generation of American Express card numbers. He's also not releasing the code that would allow the disabling of chip-and-PIN.
MagSpoof is an interesting little piece of hardware. It can store many credit card numbers. It emulates the magnetic field that is generated by a card's magnetic stripe and can project a payment card's details from up to two inches away from a magnetic stripe reader.
On his blog, Kamkar wrote that MagSpoof is intended for research purposes and should only be used with payment cards someone is authorized to use.