When Samy Kamkar lost his American Express card last August and received his replacement by post, something about the final digits of the new card triggered an alarm in the hacker lobe of his brain. He compared the numbers with those of his previous three American Express cards (as a universally curious security researcher and a serial spoiler, he had naturally recorded them all) and a pattern emerged.
So Kamkar sent a message to his friends on Facebook, asking them to send him the last digits of all their current and recently canceled AmEx cards. Ten friends answered, and the same disquieting pattern applied to all the numbers he checked: with each card, Kamkar found that he could apply his trick and predict the complete number of the next card they had received.
Kamkar immediately saw the potential for an ugly fraud technique: any hacker who compromised a card number could anticipate the card that would replace it as soon as the theft was reported and then, using the previous card's cancellation date, calculate the replacement's expiration date as well. "The day on which the card is canceled, as soon as it is rejected, two seconds later I know what your new number and expiration date will be," says Kamkar. "If I did fraud, it would be very useful." The trick could be applied over and over, stealing the new card numbers at the same rate at which American Express could generate them.
Three months later, Kamkar built a device for only $10, designed to demonstrate the danger of that number-prediction vulnerability and to convince American Express to fix it. His watch gadget, which he calls MagSpoof, can store more than a hundred credit card numbers and emit an electromagnetic field powerful enough to reach the sensor of a credit card reader from close range, sending a signal that mimics a credit card. Kamkar's device also includes a button that implements his prediction algorithm; if a criminal using MagSpoof were to discover that a credit card he or she was attempting to spoof had been canceled, the device could immediately generate the victim's next card number. A week later, when the scammer was quite sure that a new card had just been activated, he or she could steal it again. "As soon as the card is rejected, you press a button and go to the next number," says Kamkar. "It sucks [for Amex users] because they could steal their new credit card almost instantly."
Kamkar admits that his attack cannot, however, access the victim's four-digit CVV from the back of the card, which reduces the number of businesses where it can be used. And the MagSpoof hardware does not look like a credit card, so a thief could not convincingly hand it to a cashier or a waiter. But Kamkar emphasizes (and demonstrates in the video below) that he can use a digital credit card device like Coin to store the numbers created by his device, a technique that would make his number-prediction trick much less suspicious. "If you do not want to give someone this thing, you can just give him a Coin," he says.
Coin responded to Kamkar's video by claiming that its devices cannot easily be used for fraud. "We require various security measures before a credit card can be used with a Coin payment device," Kayla Abbassi, a spokesperson for Coin, told WIRED in a statement. "These steps allow us to verify the identity, as well as the validity and ownership of each card, based on information such as the last four digits of the cardholder's tax identification number and billing code." Kamkar admits that he only loaded the predicted numbers for his own cards onto a Coin device and did not try anyone else's. But he suggests that Coin's security measures can be defeated, and points to an upcoming talk describing how to circumvent them, scheduled for the end of this month at the Kiwicon security conference in New Zealand.
As for the more important issue, that American Express card numbers can be predicted, Kamkar says he contacted the company several times and eventually had a long discussion with an engineer, who assured him that predictable card numbers were not a serious security risk, or at least not one the company planned to fix. An American Express representative followed up with WIRED to emphasize that AmEx users would still be protected from Kamkar's card-prediction trick by extra protections, such as an additional security code embedded in the magstripe data and the chip-and-PIN technology that is spreading in the US, which requires a chip to be read to make a purchase.
"Just knowing a card number would not allow a scammer to complete a face-to-face purchase, because a card product would have to be dipped at many of the EMV chip-based stores or swiped, plus the security code embedded in the card product would have to be verified. For both EMV chip and magnetic stripe cards, the security code changes with the card number and it is impossible to predict it," writes AmEx spokesperson Ashley Tufts. Tufts also noted that the company uses other security measures, which the company declined to detail.
Kamkar confirms that AmEx's extra magstripe security code seems to block his prediction attack in some cases. He is not yet certain at which retailers the trick works. But he found, for example, that he was able to use the predicted card numbers in two different restaurants: a fast-food restaurant and a high-end one, where he spent more than $100 without problems. He demonstrates a successful MagSpoof transaction at the fast-food venue in the video above. (He only tried the technique with his own cards, of course.)
Even the chip-and-PIN protections on a victim's card may not protect against his MagSpoof attack, says Kamkar. The presence or absence of that extra chip in the card is noted in the card's communications with the reader, he says. By spoofing a "chipless" signal to the point of sale, Kamkar says he can trick the reader into accepting a stolen chip-and-PIN card number as if it were chipless.
Kamkar says he built his MagSpoof prototype from little more than a programmable Atmel ATtiny microcontroller, a battery, an LED, a capacitor, a resistor and a copper wire. In fact, the setup is simple enough that he does not plan to release his prediction algorithm, or any hint of how the prediction works, lest it feed real fraud. But he maintains that, despite his discretion, American Express still needs to fix the problem before other hackers take advantage of the technique, or to limit the damage from those who already have. "It's not like I broke a crazy pseudo-random number generator, which is very obvious," says Kamkar of his card-prediction technique. "I've never heard of anyone who found it, but I'd be surprised if someone did not understand it."