Hacker predicts AMEX card numbers, bypasses chip and PIN
Easy algorithm and US$10 bork-box mean fun for fraudsters
Brainiac hacker Samy Kamkar has developed a US$10 gadget that can predict and store hundreds of American Express credit cards and use them for wireless transactions, even at non-wireless payment terminals.
The mind-blowing feat is the result of Kamkar cracking how the card issuer picks replacement numbers, and in dissecting the functionality of magnetic stripe data.
It means criminals could use the tiny gadget to keep pillaging cash after cards have been cancelled, at businesses that do not require the three- or four-digit CVV numbers on the back of cards.
American Express has been notified and says it is working on a fix.
"Magspoof is a device that can spoof any mag stripe or credit card entirely wirelessly, can disable chip and PIN (EMV) protection, switch between different credit cards, and accurately predict the card number and expiration on American Express credit cards," Kamkar says.
"You can put it up to any traditional point of sales system and it will believe that a card is being swiped.
"I pulled up the numbers for several other AMEX cards I had and compared to more than 20 others and found a global pattern that allows me to accurately predict replacement numbers" and expiration dates.
A .GIF of the device in action is yours for the viewing here.
The wireless function works by emitting a strong "electromagnetic field" that emulates that produced when physically swiping a card.
Interested researchers can download the necessary code and follow instructions to build the device, but it will be somewhat neutered because Kamkar has removed the ability to deactivate EMV and has not released the AMEX prediction algorithm.
It will still emulate cards and help researchers better tinker in the field.
Kamkar says hackers can build their own versions of Samsung MST or Coin with additional features that the two popular applications lack.
They will require no more than a micro-controller, motor-driver, wire, a resistor, switch, LED, and a battery. ®