This Gizmo Knows Your Amex Card Number Before You've Received It (csoonline.com) 68
itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.
Holy crap ... (Score:2)
That sounds pretty damned broken to me.
Are these guys not even trying?
Re: (Score:2)
Doubly so because it was "new" 20 years ago, and people are already starting to look to replace it.
Re: Holy crap ... (Score:2)
People told us to replace chip and pin before it was even used in the EU a decade ago because it was broken then. We don't need chip and pin, we need to keep magstripes, implement a method of out-of-band authorization and keep banks liable for their hacks.
Re: (Score:2)
I'm pretty sure I've got a credit card here in the UK. What's the difference between US credit cards and European ones?
Re: (Score:2)
Re: (Score:2)
It's 2015 and the US is still trying (and apparently failing) to implement chip-and-pin. So no, clearly they are not trying.
NO they are not. Most US card issuers are implementing Chip-and-Signature, which is NOT the same thing as Chip-and-Pin. The cards LOOK the same and have the same chip but this method happens to be far less secure. What a surprise. Does the US ever do anything with high security?
The only thing Chip-and-Sig does is crack down on fake mag stripe cards because copying the chip is harder to do. But for the signature part, almost nobody ever actually looks at or checks signatures much less asks for ID.
Only a
Re: (Score:2)
The security difference between chip-and-signature and chip-and-PIN matters in only one case, and that is if your physical card is stolen from your wallet. Skimmers, data breaches, shoulder-surfing, all the hacking attacks won't yield the secret key inside the chip, preventing it from being counterfeited. If you don't like the security of your chip-and-signature card because you're afraid your card might be stolen, ask your bank to issue you a chip-and-PIN card instead. If your bank won't, there are plen
Re: (Score:2)
Every card issuer has a set prefix that belongs to them. The first four digits of any card number indicate who issued it. This applies to every kind of card from credit cards you can use anywhere but also things like branded gas station credit cards only good at that one chain, and so on.
This leaves only so many additional digits for card numbers, and from that pool of course some are active. Others have been issued to other cardholders but replaced, so those card numbers are also off the available list.
Not too hard (Score:4, Insightful)
This isn't exactly an amazing product. The way Amex generates replacement card numbers is utterly trivial, the hardest part of it's calculating the new check digit. There's really no excuse for that kind of triviality, a replacement card should have a complete new number unrelated to the old one.
Re:Not too hard (Score:5, Insightful)
This isn't exactly an amazing product.
I think that's rather the point of the story.
Re: (Score:3)
If one guy and a sample size of 40 cards can do this with 100% accuracy ... then I assume a better funded and more malicious entity could do it on a FAR larger scale.
I think the fact that it IS so trivial is kind of the point.
You would hope it wouldn't be even possible to predict the next card and that the numbers come from a big pool and should be unrelated. But apparently that's not true.
Re: (Score:1)
I'm sorry, the check digit is trivially easy to calculate based on the other numbers. It's just a Mod 10
I once had a simple excel spreadsheet that would randomly generate new card numbers for MC, VISA, and Amex and it's not difficult.
The fact that you guys don't have chip n pin in the US is the real issue. If you don't have a chip in your card, you shouldn't be using it, period.
Re: (Score:2)
I think the parent meant the CVC / CSC / CVV / etc....
Re: (Score:3)
From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.
Re: (Score:2)
Indeed, the signing part is the security flaw. Card numbers on European cards are fairly predictable, usually being only a few digits different to your old card. It doesn't matter though because you can't buy anything without a PIN number or the chip part, or if online without the CVV code on the back which isn't predictable.
Re: (Score:2)
At the moment, the big US banks are rolling out "chip and sign", where you slide the card into a reader, but sign with a digital pen rather than enter a PIN. From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.
No, it's much better than the magstripe system because you can't clone a chip card, whereas its trivial to clone a magstripe card (e.g., using a skimmer). Magstripe: something you have, except it's easy to copy, so the bad guys might have it too. Chip and sign: something you have. Chip and PIN: something you have and something you know.
Sure, chip and PIN is more secure, but it's not true that chip and sign is "no better than the mag-swipe and sign".
Re: (Score:2)
The EMV chips have been compromised for years. Typically it only takes a couple of weeks to break the latest version. The reason chip-and-PIN sounds so good is the European rules changes that accompanied it: if the transaction was done using chip-and-PIN then it's presumed valid and it's up to the cardholder to prove otherwise which is extremely difficult short of having absolute undeniable proof that you were physically at a different location at the time of the transaction (eg. timestamped video showing y
Re: (Score:2)
The way Amex generates replacement card numbers is utterly trivial, the hardest part of it's calculating the new check digit.
Not too hard: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
So far as I've ever heard, all credit card numbers are generated according to an algorithm that can be fairly easily reverse-engineered, so this 'news' really isn't a surprise at all to me. Other than that he's doing more-or-less a brute-force attack on PoS terminals by tossing 'up to 40 (fake) cards' at them. I think in the end the only thing that will be impressive about this is what AmEx may do to him legally (criminal or civil) first for creating this device, then revealing it publicly; he gave enough details already that anyone moderately competent should be able to duplicate it and go on a fraud-spree.
Judging by the number of times I have seen people posting online "my card was compromised before I got it in the mail" or "before first use" ALL of the CC issuers have the same problem.
If the card gets compromised once, it's replacement is relatively easy to compromise as well.
Re: (Score:2)
True. It's a simple algorithm, and guessing the next in sequence is entirely trivial. I used to be able to do it in my head, no super-secret gizmo required, but I'm out of practice. Usually they increment the next-to-last digit and then change the final number to whatever is then required for the Mod10 algorithm, a function that is easily found online for use in form validation. (Ever wonder how they can tell you mistyped your number before submitting it to the bank? They're doing a Mod10 check. Most typos
Re: (Score:2)
No.
For example, for the (virtual) card numbers we issued (I was CTO of a virtual card company) we selected the card numbers using a cryptographically secure RNG within our BIN range(s). We went out of our way to make the numbers of newly-issued cards unguessable/unpredictable, and it was a significant element of our security.
Rgds
Damon
Can I predict mine though? (Score:1)
Re:Can I predict mine though? (Score:5, Insightful)
Think out the implications of this. You have an Amex card, and your information gets comprised when a retailer's system is hacked. The standard response is for the credit card card companies to cancel your existing card and issue you a new one with a different account number.
Issuing you a new card is pointless if the new account number can be predicted by anyone who has the old one. The new expiration date is also predictable based on when the card was replaced, which should be pretty easy to guess in the case of mass replacements due to a hack.
Re: (Score:2)
I had a different problem with Amex.
I had closed my account, but they still kept accepting charges on the card a year it was closed.
The charges were for a product I never signed up to; and although I eventually had them all reversed, it took many months of wrangling.
Re: (Score:2)
I had this issue with a cancelled VISA card. It was even a recurring payment that was at one time legitimate.
I merely told the card provider that I had closed my account and if they wanted to keep giving money to that vendor then it was their choice as it was their money, as I'd clearly informed them that I was closing the account and that they shouldn't accept any payments on my behalf.
No idea whether they stopped the payments, but they did stop trying to bill me for them.
Re: (Score:2)
Well, if we know which kind of Amex you apply to get, we can predict with nearly 100% certainty what the first five digits will be. This means only 10 digits need to be predicted.
Legendary hacker (Score:3)
Re: (Score:2)
Is he not your hero?
Re: (Score:2)
I don't know Samy, but TFA says "he". Repeatedly.
Re: (Score:2)
I think he'd use the word mythical rather than legendary.
Why can't a girl have a glorious bushy beard?
Shocking (Score:2)
>The new expiration date can also be predicted based on when the replacement card was requested.
You don't say.
I'm not sure this is as bad as it sounds (Score:3)
0. Surprisingly, cards are compromised all the time.
1. Some issuers know that as many as 40% of their cards in force are actually compromised.
2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.
3. EMV (chip) cards add a significantly better authentication step by verifying the physical card is in fact being used. But this does little or nothing for card-not-present (cnp) transactions, like buying from Amazon or eBay.
4. American Express probably first does the usual fraud detection, spots fraud, disabled the card, and when a new one is issued might very well already have that account under greater scrutiny, at least for a while. Maybe.
5. Some fraud may even be 'ignored' to gather more information.
6. Most importantly, however, a replacement card must be activated, acknowledging receipt by the card holder. The fraudster must also break into that process or wait for the card holder. That's weak point maybe.
7. And purchases can leave a trail.
I'm being this is not such a big deal as it seems, at and easily fixed.
Re:I'm not sure this is as bad as it sounds (Score:4, Insightful)
2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.
How would anyone know? Maybe people performing the fraud are getting better at not being detected, by either, the card company or the owner of the card. For example a small transaction over may cards maybe totally unnoticeable. If it is never reported as fraud, then it would never go into the bucket of undetected fraud. It is not like the criminals publish their proceeds from fraud somewhere.
That is why I don't like payment without pin, (this includes online payment, but that is another rant 8-)) because it allows, small payments without any secret I know. First it is quite possible I could miss a small charge, secondly if my children use my card, (still fraud) I am very unlikely to report them. If they are so confident in their fraud detection, and security of pin-less payment, remove the cap, I WILL notice $1000 dollars extra on my bill.
Re: (Score:2)
For example a small transaction over may cards maybe totally unnoticeable.
Also wouldn't be economical for the criminals. Stealing card details or buying them on black markets is not free. There is risk involved in every transaction, especially if it is made to look non-suspicious. Taking amounts small enough for people not to notice in a way that won't get you caught when a small percentage of them do flag it up will probably lose you money.
Re: (Score:2)
First, fraud by people to close to you, would not be covered.
Second, they may make more by small transactions, it really depends on the risks, since it is hard to judge what percentage of small transactions actually get detected, because you need to know which ones don't. Only a criminal who is actually doing this can tell. That being said I don't know how much stollen credit card goes for but this article says $3.50 http://www.bloomberg.com/news/... [bloomberg.com]
it wouldn't take many $5 transactions to make you money ba
I have often wondered about expiration dates (Score:1)
Expiration dates are indeed predictable. One common trick used by subscription services is to merely bump it the appropriate number of years during their auto-renew phase rather than complaining to the user (and therefore offering a reminder that it exists, thus possibly getting the service canceled, and that's lost revenue!).
Giving a random range of -1 to +4 months from the standard shouldn't harm anything (except the aforementioned squirrelly services?) and would offer a lot more protection. Consider g
AMEX security (Score:2)
I have a corporate AMEX card and compared to my personal Visa/Mastercard cards, security is unbelievably worse.
For Visa/Mastercard cards issues by a local bank, authentication and operations like changing the PIN is done by an IVR system with a preshared password. Sometimes for extra security a live person asks some basic questions like the passphrase or you last weeks' expenses. In fact the bank warns me that I should NEVER tell anyone the card details such as its number, expiration date and CVC code. They
Gizmo? (Score:2)
News for morons. Stuff that's dumbed down.
digital security (Score:1)