When Samy Kamkar lost his American Express card last August and received its replacement in the mail, something about the last digits of the new card set off an alarm in the hacker lobe of his brain. He compared the numbers with those of his previous three American Express cards – as a universally curious security researcher and a serial spoiler, he had naturally recorded them all – and a pattern emerged.
So Kamkar sent a message to his friends on Facebook, asking them to send him the last digits of all their current and recently canceled AmEx cards. Ten friends answered, and the same disquieting pattern held for every number he checked: with each card, Kamkar found that he could apply his trick and predict the complete number of the next card they had received.
Kamkar immediately saw the potential for a nasty technique: any hacker who compromised a card number could predict the number of the card that would replace it as soon as the theft was reported, and then, using the previous card's cancellation date, calculate the replacement's expiration date as well. "The day on which the card is canceled, as soon as it is rejected, two seconds later I know what your new number and expiration date will be," says Kamkar. "If I did fraud, it would be very useful." The trick could be applied over and over, stealing new card numbers as fast as American Express could generate them.
Three months later, Kamkar built a device for only $10, designed to demonstrate the danger of the number-prediction vulnerability and to convince American Express to fix it. His watch-sized gadget, which he calls MagSpoof, can store more than a hundred credit card numbers and emit an electromagnetic field powerful enough to reach a credit card reader's sensor at close range, sending a signal that mimics a credit card. Kamkar's device also includes a button that implements his prediction algorithm; if a criminal using MagSpoof were to discover that a credit card he tried to spoof had been canceled, the device could immediately generate the victim's next card number. A week later, when the scammer was fairly sure that the new card had just been activated, he could steal it again. "As soon as the card is rejected, you press a button and go to the next number," says Kamkar. "It sucks [for Amex users] because they could steal their new credit card almost instantly."
Kamkar admits that his attack cannot, however, obtain the victim's four-digit CVV from the back of the card, which reduces the number of businesses where it can be used. And the MagSpoof hardware does not look like a credit card, so a thief could not convincingly hand it to a cashier or a waiter. But Kamkar emphasizes (and demonstrates in the video below) that he can use a digital credit card device like Coin to store the numbers created by his device, a technique that would make his number-prediction trick much less suspicious. "If you do not want to give someone this thing, you can just give him a Coin," he says.1
Coin responded to Kamkar's video by claiming that its devices cannot easily be used for fraud. "We require several security measures before a credit card can be used with a Coin payment device," spokeswoman Kayla Abbassi told WIRED in an interview. "These steps allow us to verify the identity, as well as the validity and ownership of each card, based on information such as the last four digits of the cardholder's tax identification number and billing code." Kamkar admits that he only loaded the predicted numbers for his own cards onto a Coin device and did not try any others. But he suggests that Coin's security measures can be defeated, and points to an upcoming talk describing how to circumvent them, scheduled for the end of this month at the Kiwicon security conference in New Zealand.2
As for the more important issue, that American Express card numbers can be predicted, Kamkar says he contacted the company several times and finally had an hour-long discussion with an engineer, who assured him that predictable card numbers were not a serious security risk, or at least not one the company planned to fix. An American Express spokesperson followed up with WIRED to say that AmEx users would still be protected from Kamkar's card-prediction trick by extra protections such as an additional security code embedded in the magstripe data and the chip-and-PIN technology now spreading in the United States, which requires a chip in the card to be read to make a purchase.
"Simply knowing a card number would not allow a scammer to complete a face-to-face purchase because a card product would need to be dipped at an EMV chip portal or swiped at many stores, plus the security code embedded in the card product would need to be verified. For both EMV chip and magnetic stripe cards, the security code changes with the card number and it is impossible to predict it," writes AmEx spokesman Ashley Tufts. He also noted that the company uses other security measures that he declined to detail.
Kamkar confirms that AmEx's extra magstripe security code seems to block his prediction attack in some cases. He is not yet certain at which outlets the trick works. But he found, for example, that he was able to use predicted card numbers at two different restaurants: a fast-food restaurant and a high-end one, where he spent more than $100 without problems. He demonstrates a successful MagSpoof transaction at the fast-food venue in the video above. (He only tried the technique with his own cards, of course.)
Even the chip-and-PIN protections on a victim's card may not protect against his MagSpoof attack, says Kamkar. The presence or absence of that extra chip in the card as a safeguard is indicated in the card's communications with the reader, he says. By sending a "chipless" signal at the point of sale, Kamkar says he can trick the reader into accepting a stolen chip-and-PIN card number as if it were chipless.
Kamkar says he built his MagSpoof prototype from little more than a programmable Atmel ATtiny microcontroller, a battery, an LED, a capacitor, a resistor and a copper wire. In fact, the setup is simple enough that he does not plan to release his prediction algorithm, or any hint of how the prediction works, lest it feed real fraud. But he argues that, despite his discretion, American Express still needs to fix the problem before other hackers take advantage of the technique, or to limit the damage from those who already have. "It's not like I broke a crazy pseudo-random number generator, which is very obvious," says Kamkar of his card-prediction technique. "I've never heard of anyone who found it, but I'd be surprised if someone did not understand it."
1 Correction 11/24/2015 4:00 PM EST: A previous version of the story mentioned three-digit CVV codes on AmEx cards, when AmEx actually uses four-digit codes.
2 Updated 11/30/2015 at 9:20 EST to include a response from Coin.