Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security The Almighty Buck

This Gizmo Knows Your Amex Card Number Before You've Received It (csoonline.com) 68

itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.
This discussion has been archived. No new comments can be posted.

This Gizmo Knows Your Amex Card Number Before You've Received It

Comments Filter:
  • He noticed that the replacement card's number appeared to have a relationship with other Amex cards he'd had in the past. Kamkar worked out a formula for how the number was calculated, which matched up to 40 cards and replacement cards shared with him by his friends for his research.

    That sounds pretty damned broken to me.

    Are these guys not even trying?

  • Not too hard (Score:4, Insightful)

    by Todd Knarr ( 15451 ) on Wednesday November 25, 2015 @04:11PM (#51004007) Homepage

    This isn't exactly an amazing product. The way Amex generates replacement card numbers is utterly trivial, the hardest part of it's calculating the new check digit. There's really no excuse for that kind of triviality, a replacement card should have a complete new number unrelated to the old one.

    • Re:Not too hard (Score:5, Insightful)

      by wonkey_monkey ( 2592601 ) on Wednesday November 25, 2015 @04:14PM (#51004033) Homepage

      This isn't exactly an amazing product.

      I think that's rather the point of the story.

    • If one guy and a sample size of 40 cards can do this with 100% accuracy ... then I assume a better funded and more malicious entity could do it on a FAR larger scale.

      I think the fact that it IS so trivial is kind of the point.

      You would hope it wouldn't be even possible to predict the next card and that the numbers come from a big pool and should be unrelated. But apparently that's not true.

    • by Anonymous Coward

      I'm sorry, the check digit is trivially easy to calculate based on the other numbers. It's just a Mod 10

      I once had a simple excel spreadsheet that would randomly generate new card numbers for MC, VISA, and Amex and it's not difficult.

      The fact that you guys don't have chip n pin in the US is the real issue. If you don't have a chip in your card, you shouldn't be using it, period.

      • I think the parent meant the CVC / CSC / CVV / etc....

      • At the moment, the big US banks are rolling out "chip and sign", where you slide the card into a reader, but sign with a digital pen rather than enter a PIN.
        From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.
        • by AmiMoJo ( 196126 )

          Indeed, the signing part is the security flaw. Card numbers on European cards are fairly predictable, usually being only a few digits different to your old card. It doesn't matter though because you can't buy anything without a PIN number or the chip part, or if online without the CVV code on the back which isn't predictable.

        • by Dahan ( 130247 )

          At the moment, the big US banks are rolling out "chip and sign", where you slide the card into a reader, but sign with a digital pen rather than enter a PIN. From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.

          No, it's much better than the magstripe system because you can't clone a chip card, whereas its trivial to clone a magstripe card (e.g., using a skimmer). Magstripe: something you have, except it's easy to copy, so the bad guys might have it too. Chip and sign: something you have. Chip and PIN: something you have and something you know.

          Sure, chip and PIN is more secure, but it's not true that chip and sign is "no better than the mag-swipe and sign".

      • The EMV chips have been compromised for years. Typically it only takes a couple of weeks to break the latest version. The reason chip-and-PIN sounds so good is the European rules changes that accompanied it: if the transaction was done using chip-and-PIN then it's presumed valid and it's up to the cardholder to prove otherwise which is extremely difficult short of having absolute undeniable proof that you were physically at a different location at the time of the transaction (eg. timestamped video showing y

    • The way Amex generates replacement card numbers is utterly trivial, the hardest part of it's calculating the new check digit.

      Not too hard: https://en.wikipedia.org/wiki/... [wikipedia.org]

    • So far as I've ever heard, all credit card numbers are generated according to an algorithm that can be fairly easily reverse-engineered, so this 'news' really isn't a surprise at all to me. Other than that he's doing more-or-less a brute-force attack on PoS terminals by tossing 'up to 40 (fake) cards' at them. I think in the end the only thing that will be impressive about this is what AmEx may do to him legally (criminal or civil) first for creating this device, then revealing it publicly; he gave enough d
      • by jafiwam ( 310805 )

        So far as I've ever heard, all credit card numbers are generated according to an algorithm that can be fairly easily reverse-engineered, so this 'news' really isn't a surprise at all to me. Other than that he's doing more-or-less a brute-force attack on PoS terminals by tossing 'up to 40 (fake) cards' at them. I think in the end the only thing that will be impressive about this is what AmEx may do to him legally (criminal or civil) first for creating this device, then revealing it publicly; he gave enough details already that anyone moderately competent should be able to duplicate it and go on a fraud-spree.

        Judging by the number of times I have seen people posting online "my card was compromised before I got it in the mail" or "before first use" ALL of the CC issuers have the same problem.

        If the card gets compromised once, it's replacement is relatively easy to compromise as well.

      • by reemul ( 1554 )

        True. It's a simple algorithm, and guessing the next in sequence is entirely trivial. I used to be able to do it in my head, no super-secret gizmo required, but I'm out of practice. Usually they increment the next-to-last digit and then change the final number to whatever is then required for the Mod10 algorithm, a function that is easily found online for use in form validation. (Ever wonder how they can tell you mistyped your number before submitting it to the bank? They're doing a Mod10 check. Most typos

      • by DamonHD ( 794830 )

        No.

        For example, for the (virtual) card numbers we issued (I was CTO of a virtual card company) we selected the card numbers using a cryptographically secure RNG within our BIN range(s). We went out of our way to make the numbers of newly-issued cards unguessable/unpredictable, and it was a significant element of our security.

        Rgds

        Damon

  • I've never had an amex card, and they mention only how one's replacement is related to one's previous card. I'd be more impressed if they could predict what my first card would be.
    • by Anonymous Coward on Wednesday November 25, 2015 @04:28PM (#51004151)

      Think out the implications of this. You have an Amex card, and your information gets comprised when a retailer's system is hacked. The standard response is for the credit card card companies to cancel your existing card and issue you a new one with a different account number.

      Issuing you a new card is pointless if the new account number can be predicted by anyone who has the old one. The new expiration date is also predictable based on when the card was replaced, which should be pretty easy to guess in the case of mass replacements due to a hack.

      • by labnet ( 457441 )

        I had a different problem with Amex.
        I had closed my account, but they still kept accepting charges on the card a year it was closed.
        The charges were for a product I never signed up to; and although I eventually had them all reversed, it took many months of wrangling.

        • by Cederic ( 9623 )

          I had this issue with a cancelled VISA card. It was even a recurring payment that was at one time legitimate.

          I merely told the card provider that I had closed my account and if they wanted to keep giving money to that vendor then it was their choice as it was their money, as I'd clearly informed them that I was closing the account and that they shouldn't accept any payments on my behalf.

          No idea whether they stopped the payments, but they did stop trying to bill me for them.

    • Well, if we know which kind of Amex you apply to get, we can predict with nearly 100% certainty what the first five digits will be. This means only 10 digits need to be predicted.

  • by losttoy ( 558557 ) on Wednesday November 25, 2015 @04:26PM (#51004129)
    Really? I mean, really?!
  • >The new expiration date can also be predicted based on when the replacement card was requested.

    You don't say.

  • by rickb928 ( 945187 ) on Wednesday November 25, 2015 @04:51PM (#51004357) Homepage Journal

    0. Surprisingly, cards are compromised all the time.
    1. Some issuers know that as many as 40% of their cards in force are actually compromised.
    2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.
    3. EMV (chip) cards add a significantly better authentication step by verifying the physical card is in fact being used. But this does little or nothing for card-not-present (cnp) transactions, like buying from Amazon or eBay.
    4. American Express probably first does the usual fraud detection, spots fraud, disabled the card, and when a new one is issued might very well already have that account under greater scrutiny, at least for a while. Maybe.
    5. Some fraud may even be 'ignored' to gather more information.
    6. Most importantly, however, a replacement card must be activated, acknowledging receipt by the card holder. The fraudster must also break into that process or wait for the card holder. That's weak point maybe.
    7. And purchases can leave a trail.

    I'm being this is not such a big deal as it seems, at and easily fixed.

    • by ewibble ( 1655195 ) on Wednesday November 25, 2015 @05:21PM (#51004561)

      2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.

      How would anyone know? Maybe people performing the fraud are getting better at not being detected, by either, the card company or the owner of the card. For example a small transaction over may cards maybe totally unnoticeable. If it is never reported as fraud, then it would never go into the bucket of undetected fraud. It is not like the criminals publish their proceeds from fraud somewhere.

      That is why I don't like payment without pin, (this includes online payment, but that is another rant 8-)) because it allows, small payments without any secret I know. First it is quite possible I could miss a small charge, secondly if my children use my card, (still fraud) I am very unlikely to report them. If they are so confident in their fraud detection, and security of pin-less payment, remove the cap, I WILL notice $1000 dollars extra on my bill.

      • by AmiMoJo ( 196126 )

        For example a small transaction over may cards maybe totally unnoticeable.

        Also wouldn't be economical for the criminals. Stealing card details or buying them on black markets is not free. There is risk involved in every transaction, especially if it is made to look non-suspicious. Taking amounts small enough for people not to notice in a way that won't get you caught when a small percentage of them do flag it up will probably lose you money.

        • First, fraud by people to close to you, would not be covered.

          Second, they may make more by small transactions, it really depends on the risks, since it is hard to judge what percentage of small transactions actually get detected, because you need to know which ones don't. Only a criminal who is actually doing this can tell. That being said I don't know how much stollen credit card goes for but this article says $3.50 http://www.bloomberg.com/news/... [bloomberg.com]
          it wouldn't take many $5 transactions to make you money ba

  • Expiration dates are indeed predictable. One common trick used by subscription services is to merely bump it the appropriate number of years during their auto-renew phase rather than complaining to the user (and therefore offering a reminder that it exists, thus possibly getting the service canceled, and that's lost revenue!).

    Giving a random range of -1 to +4 months from the standard shouldn't harm anything (except the aforementioned squirrelly services?) and would offer a lot more protection. Consider g

  • I have a corporate AMEX card and compared to my personal Visa/Mastercard cards, security is unbelievably worse.
    For Visa/Mastercard cards issues by a local bank, authentication and operations like changing the PIN is done by an IVR system with a preshared password. Sometimes for extra security a live person asks some basic questions like the passphrase or you last weeks' expenses. In fact the bank warns me that I should NEVER tell anyone the card details such as its number, expiration date and CVC code. They

  • News for morons. Stuff that's dumbed down.

  • The problem with digital security is that to have enough security you need so huge numbers that you can't remember what was the original one. If you can't remember the stuff how would you expect to validate something? Humans will loose to machines in every way, so it's easier to make humans secure instead of machines secure.

What this country needs is a dime that will buy a good five-cent bagel.

Working...