Slashdot Mirror

← Back to Stories (view on slashdot.org)

This Gizmo Knows Your Amex Card Number Before You've Received It (csoonline.com)

Posted by samzenpus on from the lucky-number dept.

itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.

68 comments

  1. Holy crap ... by gstoddart · · Score: 1

    He noticed that the replacement card's number appeared to have a relationship with other Amex cards he'd had in the past. Kamkar worked out a formula for how the number was calculated, which matched up to 40 cards and replacement cards shared with him by his friends for his research.

    That sounds pretty damned broken to me.

    Are these guys not even trying?

    --
    Lost at C:>. Found at C.
    1. Re:Holy crap ... by Anonymous Coward · · Score: 0

      Why try when there's no consequence from failing failing to try?

    2. Re:Holy crap ... by Anonymous Coward · · Score: 0

      It's 2015 and the US is still trying (and apparently failing) to implement chip-and-pin. So no, clearly they are not trying.

    3. Re:Holy crap ... by strstr · · Score: 0

      Something tells me AMEX does not care.

      Because it was by design.

      The only unique portion of the card will be the expiration date and the four digit unique code identifier.

      Other info such as address, and zip code also need to be known.

      AMEX understands that if a hacker could get all those codes lined up, the end owner of the account is not responsible and will be reimbursed.

      Thats why its not that big a deal.

      For those that don't know, AMEX assigns you an account number represented by the first xxxx-xxxxxx ten digits, and the next xxxxx five digits are all that change upon issuance of a new card number. And they don't change the last five digits that much, generally just shifting the combo slightly, making it easy to remember. The unique code is four digits long and changes completely and is more random. :)

      I think I am fine with AMEX approach. obamasweapon.com

    4. Re:Holy crap ... by gstoddart · · Score: 1

      It's 2015 and the US is still trying (and apparently failing) to implement chip-and-pin. So no, clearly they are not trying.

      Doubly so because it was "new" 20 years ago, and people are already starting to look to replace it.

      --
      Lost at C:>. Found at C.
    5. Re: Holy crap ... by Anonymous Coward · · Score: 0

      I don't have any cards in my wallet that have even been through a mag strip reader.
      Most of the time they are used with nfc, the rest of the time it's inserted into a chip reader.

    6. Re:Holy crap ... by Anonymous Coward · · Score: 0

      the next xxxxx five digits are all that change upon issuance of a new card number

      Actually it's only 4 digits, because the last one is a checksum digit.

    7. Re: Holy crap ... by Anonymous Coward · · Score: 0

      Yea but you could still have a hard time proving you didn't make the purchauses

    8. Re:Holy crap ... by Anonymous Coward · · Score: 0

      Nope they are NOT trying.

      When it comes to corporate cards, they usually keep the same #, just change the expiration (easy to figure out, aka 2yrs) and CCV code. Hence why corporate accounts are usually hacked a lot.

      Legendary hacking usually involves a breakdown of the system. Like most of his hacks (i.e. not legendary), it's just a timing exploit + simple algo... it's more important for the system to detect a hack and response to it. Otherwise, we'd all be losing money.

    9. Re:Holy crap ... by mark-t · · Score: 1

      The only thing that keeps chip and pin from being secure is that the banks keep allowing non-chip-and-pin transactions instead of forcing vendors to upgrade or not use the service at all.

      --
      File under 'M' for 'Manic ranting'
    10. Re: Holy crap ... by strstr · · Score: 0

      Maybe but probably not. AMEX rarely questions the customer on a dispute and usually sides with the customer.

      I even won a dispute for $1300 on a laptop because HP had promised to replace it when it arrived with dead pixels, but then never did so. Got the money back and HP didn't even bother to ask for the laptop back.

      And through countless extended warranty claims on hardware, AMEX always pays no issue.

      And through a couple of thefts, always reimbursed.

      I had a couple of new purchases stolen weeks after purchase, AMEX fully reimbursed the purchase price on each one.

      Never have I been dissatisfied with AMEX service.

    11. Re:Holy crap ... by strstr · · Score: 0

      I went ahead and read the article. This hack works best for making fake cards and stuff at the actual teller, for use in store. The cards themselves have several flaws making it easy to do, apparently without the unique code identifier or the new chip in the newer cards.

      If a person changes their account number, they can easily guess the new number, and continue using the account.

      Won't work online because thats when they verify other details of the card such as unique code, billing info, and all that.

      Use at your own risk because doing this in store will lead to security video, possible finger prints, and other info good to put tou away for along time when caught.

    12. Re:Holy crap ... by Anonymous Coward · · Score: 0

      I always assumed they would generate new CC numbers randomly from the pool of valid and unused numbers. Anything else seems fairly silly.
      Any reason why this is wouldn't work?

    13. Re:Holy crap ... by RubberDogBone · · Score: 1

      It's 2015 and the US is still trying (and apparently failing) to implement chip-and-pin. So no, clearly they are not trying.

      NO they are not. Most US card issuers are implementing Chip-and-Signature, which is NOT the same thing as Chip-and-Pin. The cards LOOK the same and have the same chip but this method happens to be far less secure. What a surprise. Does the US ever do anything with high security?

      The only thing Chip-and-Sig does is crack down on fake mag stripe cards because copying the chip is harder to do. But for the signature part, almost nobody ever actually looks at or checks signatures much less asks for ID.

      Only a handful of US card issuers are actually doing Chip-and-Pin, mainly small banks and a couple credit unions.

      --
      Sig for hire.
    14. Re:Holy crap ... by RubberDogBone · · Score: 1

      Every card issuer has a set prefix that belongs to them. The first four digits of any card number indicate who issued it. This applies to every kind of card from credit cards you can use anywhere but also things like branded gas station credit cards only good at that one chain, and so on.

      This leaves only so many additional digits for card numbers, and from that pool of course some are active. Others have been issued to other cardholders but replaced, so those card numbers are also off the available list. Stolen card numbers are also off the avail list. The end result is that there are only so many possible unused card numbers.

      It is also important to remember that not all cards are issued the same: Amex issues most of its cards itself. They have only a few prefix numbers. But card issuers like Visa and Mastercard use thousands of member banks and credit unions to issue cards and each of those issuers will usually have their own prefix numbers.

      In other words, most Amex cards start with 37***. This leaves 10 digits for individual cards for the entirety of Amex customers, past, present, black listed, all of them. Amex segregates different types of cards based on the first five digits so not all combinations are possible and available to issue.

      But your Chase Visa card will have 5678 and your Bank of America Visa will have 6789 (not their real numbers) which are unique to each bank. This means EACH of these banks has 11 digits they can use even if the other banks also use the same 11 digits for a card. It won't matter because the prefix is different.

      Amex and the other banks can have more than one prefix. There are public lists of which bank is which.

      http://www.stevemorse.org/ssn/...

      --
      Sig for hire.
    15. Re: Holy crap ... by guruevi · · Score: 1

      People told us to replace chip and pin before it was even used in the EU a decade ago because it was broken then. We don't need chip and pin, we need to keep magstripes, implement a method of out-of-band authorization and keep banks liable for their hacks.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    16. Re:Holy crap ... by plover · · Score: 1

      The security difference between chip-and-signature and chip-and-PIN matters in only one case, and that is if your physical card is stolen from your wallet. Skimmers, data breaches, shoulder-surfing, all the hacking attacks won't yield the secret key inside the chip, preventing it from being counterfeited. If you don't like the security of your chip-and-signature card because you're afraid your card might be stolen, ask your bank to issue you a chip-and-PIN card instead. If your bank won't, there are plenty of other banks who will, and who will be grateful for your business.

      Visa and the retailers originally figured U.S. customers would prefer chip-and-signature because it makes selling things "easy". But that's a pretty stupid attitude, because lots of people (including you and me) are wary about identity theft. Customers need to complain to their banks so that they learn we'd rather have PINs than signatures.

      Overall credit card security will still remain terrible for a long time to come because static mag stripes still exist, and online card-not-present transactions still use static authentication data like CVV2 codes. What really needs to happen to actually improve security is that mag stripes and static numbers like CVV2 need to be flat-out outlawed. The recent "liability shift" is the opening salvo in the conversion, but we're probably still a decade away from actual security.

      --
      John
    17. Re: Holy crap ... by Anonymous Coward · · Score: 0

      Chip-and-pin ... broken ? Then tell me why fraud rate in EU is much lower than in the US (and actually mainly related to non-pin usage).

      Why isn't that implemented everywhere ? Because it is less convenient. It has been enforced in Europe a long time ago, when only a fraction of the population used debit cards (there are no credit cards in EU, even if called credit cards) insead of checks. In the US, it is too late. You'll have to wait for the next generation of secure transactions.

    18. Re:Holy crap ... by Anonymous Coward · · Score: 0

      It's just a number. You know what else is predictable? My age next year if you know my current age.

    19. Re: Holy crap ... by cyber-vandal · · Score: 1

      I'm pretty sure I've got a credit card here in the UK. What's the difference between US credit cards and European ones?

  2. Not too hard by Todd+Knarr · · Score: 3, Insightful

    This isn't exactly an amazing product. The way Amex generates replacement card numbers is utterly trivial, the hardest part of it's calculating the new check digit. There's really no excuse for that kind of triviality, a replacement card should have a complete new number unrelated to the old one.

    1. Re:Not too hard by wonkey_monkey · · Score: 5, Insightful

      This isn't exactly an amazing product.

      I think that's rather the point of the story.

      --
      systemd is Roko's Basilisk.
    2. Re:Not too hard by gstoddart · · Score: 2

      If one guy and a sample size of 40 cards can do this with 100% accuracy ... then I assume a better funded and more malicious entity could do it on a FAR larger scale.

      I think the fact that it IS so trivial is kind of the point.

      You would hope it wouldn't be even possible to predict the next card and that the numbers come from a big pool and should be unrelated. But apparently that's not true.

      --
      Lost at C:>. Found at C.
    3. Re:Not too hard by Anonymous Coward · · Score: 1

      I'm sorry, the check digit is trivially easy to calculate based on the other numbers. It's just a Mod 10

      I once had a simple excel spreadsheet that would randomly generate new card numbers for MC, VISA, and Amex and it's not difficult.

      The fact that you guys don't have chip n pin in the US is the real issue. If you don't have a chip in your card, you shouldn't be using it, period.

    4. Re:Not too hard by twotacocombo · · Score: 1

      The way Amex generates replacement card numbers is utterly trivial, the hardest part of it's calculating the new check digit.

      Not too hard: https://en.wikipedia.org/wiki/...

    5. Re:Not too hard by cheater512 · · Score: 1

      I think the parent meant the CVC / CSC / CVV / etc....

    6. Re:Not too hard by kheldan · · Score: 1

      So far as I've ever heard, all credit card numbers are generated according to an algorithm that can be fairly easily reverse-engineered, so this 'news' really isn't a surprise at all to me. Other than that he's doing more-or-less a brute-force attack on PoS terminals by tossing 'up to 40 (fake) cards' at them. I think in the end the only thing that will be impressive about this is what AmEx may do to him legally (criminal or civil) first for creating this device, then revealing it publicly; he gave enough details already that anyone moderately competent should be able to duplicate it and go on a fraud-spree.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    7. Re:Not too hard by Anonymous Coward · · Score: 0

      "The fact that you guys don't have chip n pin in the US is the real issue."
      1) What real issue? How does your chip help with online purchases?
      2) We have EMV cards. All my Visa and MC credit cards (I have ~15 cards across ~7 different issuers) have been reissued with EMV (chip+signature priority but some also have PIN online/offline auth). The last non-EMV card left is AMEX issued card. I expect it to be reissued in near future too.

    8. Re:Not too hard by Anonymous Coward · · Score: 0

      but... but... the guy is a legendary hacker!

    9. Re:Not too hard by jafiwam · · Score: 1

      So far as I've ever heard, all credit card numbers are generated according to an algorithm that can be fairly easily reverse-engineered, so this 'news' really isn't a surprise at all to me. Other than that he's doing more-or-less a brute-force attack on PoS terminals by tossing 'up to 40 (fake) cards' at them. I think in the end the only thing that will be impressive about this is what AmEx may do to him legally (criminal or civil) first for creating this device, then revealing it publicly; he gave enough details already that anyone moderately competent should be able to duplicate it and go on a fraud-spree.

      Judging by the number of times I have seen people posting online "my card was compromised before I got it in the mail" or "before first use" ALL of the CC issuers have the same problem.

      If the card gets compromised once, it's replacement is relatively easy to compromise as well.

    10. Re:Not too hard by RealGene · · Score: 2

      At the moment, the big US banks are rolling out "chip and sign", where you slide the card into a reader, but sign with a digital pen rather than enter a PIN.
      From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.

      --
      Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
    11. Re:Not too hard by Todd+Knarr · · Score: 1

      The EMV chips have been compromised for years. Typically it only takes a couple of weeks to break the latest version. The reason chip-and-PIN sounds so good is the European rules changes that accompanied it: if the transaction was done using chip-and-PIN then it's presumed valid and it's up to the cardholder to prove otherwise which is extremely difficult short of having absolute undeniable proof that you were physically at a different location at the time of the transaction (eg. timestamped video showing you at that other location at that time). So if the EMV chip in your card is compromised and cloned, the fraudulent transactions run up on the fake card are presumed not fraudulent and attempts to dispute them as fraudulent will be denied absent you having extraordinary proof. That skews the fraud statistics considerably.

      The reason European cardholders don't raise a fuss about this is that 95+% of card fraud these days is done online using card-not-present transactions where chip-and-PIN isn't a factor. That won't change whether the US adopts chipped cards or not.

    12. Re:Not too hard by reemul · · Score: 1

      True. It's a simple algorithm, and guessing the next in sequence is entirely trivial. I used to be able to do it in my head, no super-secret gizmo required, but I'm out of practice. Usually they increment the next-to-last digit and then change the final number to whatever is then required for the Mod10 algorithm, a function that is easily found online for use in form validation. (Ever wonder how they can tell you mistyped your number before submitting it to the bank? They're doing a Mod10 check. Most typos will fail, the accidental entry won't be a valid credit card number.) Everyone should be aware of it and reject out of hand a replacement card that has the next number in the sequence because it is exactly as broken as the one that came before. Call your bank and demand that they send you a card not in the immediate order. Yes, that means they'll run out of numbers faster, but the failure is theirs, not yours, so you shouldn't have to deal with a card that is insecure while still in the mail.

      --
      You're just jealous 'cuz the voices talk to *me*
    13. Re:Not too hard by DamonHD · · Score: 1

      No.

      For example, for the (virtual) card numbers we issued (I was CTO of a virtual card company) we selected the card numbers using a cryptographically secure RNG within our BIN range(s). We went out of our way to make the numbers of newly-issued cards unguessable/unpredictable, and it was a significant element of our security.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    14. Re:Not too hard by AmiMoJo · · Score: 1

      Indeed, the signing part is the security flaw. Card numbers on European cards are fairly predictable, usually being only a few digits different to your old card. It doesn't matter though because you can't buy anything without a PIN number or the chip part, or if online without the CVV code on the back which isn't predictable.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re:Not too hard by Anonymous Coward · · Score: 0

      please shut the fuck up.

    16. Re:Not too hard by Anonymous Coward · · Score: 0

      > absolute undeniable proof that you were physically at a different location at the time of the transaction

      This won't help. The banks will assume that since their systems are uncrackable, you must have given the PIN number to the bad guy.

    17. Re:Not too hard by Anonymous Coward · · Score: 0

      This won't help. You demand a card with non-sequential numbers and get that. The sequential card simply goes to someone else then, who inherits the "compromized number" problem. The bad guys bill stuff to it anyway.

    18. Re:Not too hard by Dahan · · Score: 1

      At the moment, the big US banks are rolling out "chip and sign", where you slide the card into a reader, but sign with a digital pen rather than enter a PIN. From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.

      No, it's much better than the magstripe system because you can't clone a chip card, whereas its trivial to clone a magstripe card (e.g., using a skimmer). Magstripe: something you have, except it's easy to copy, so the bad guys might have it too. Chip and sign: something you have. Chip and PIN: something you have and something you know.

      Sure, chip and PIN is more secure, but it's not true that chip and sign is "no better than the mag-swipe and sign".

  3. Can I predict mine though? by damn_registrars · · Score: 0

    I've never had an amex card, and they mention only how one's replacement is related to one's previous card. I'd be more impressed if they could predict what my first card would be.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Can I predict mine though? by Anonymous Coward · · Score: 5, Insightful

      Think out the implications of this. You have an Amex card, and your information gets comprised when a retailer's system is hacked. The standard response is for the credit card card companies to cancel your existing card and issue you a new one with a different account number.

      Issuing you a new card is pointless if the new account number can be predicted by anyone who has the old one. The new expiration date is also predictable based on when the card was replaced, which should be pretty easy to guess in the case of mass replacements due to a hack.

    2. Re:Can I predict mine though? by labnet · · Score: 1

      I had a different problem with Amex.
      I had closed my account, but they still kept accepting charges on the card a year it was closed.
      The charges were for a product I never signed up to; and although I eventually had them all reversed, it took many months of wrangling.

      --
      46137
    3. Re:Can I predict mine though? by RubberDogBone · · Score: 1

      Well, if we know which kind of Amex you apply to get, we can predict with nearly 100% certainty what the first five digits will be. This means only 10 digits need to be predicted.

      --
      Sig for hire.
    4. Re:Can I predict mine though? by Cederic · · Score: 1

      I had this issue with a cancelled VISA card. It was even a recurring payment that was at one time legitimate.

      I merely told the card provider that I had closed my account and if they wanted to keep giving money to that vendor then it was their choice as it was their money, as I'd clearly informed them that I was closing the account and that they shouldn't accept any payments on my behalf.

      No idea whether they stopped the payments, but they did stop trying to bill me for them.

  4. Legendary hacker by losttoy · · Score: 2

    Really? I mean, really?!

    1. Re:Legendary hacker by threephaseboy · · Score: 2

      Is he not your hero?

      --
      .
    2. Re:Legendary hacker by Anonymous Coward · · Score: 0

      she, not he. just FYI.

    3. Re:Legendary hacker by 93+Escort+Wagon · · Score: 1

      I don't know Samy, but TFA says "he". Repeatedly.

      --
      #DeleteChrome
    4. Re:Legendary hacker by Anonymous Coward · · Score: 0

      He.

    5. Re:Legendary hacker by Anonymous Coward · · Score: 0

      He's supposedly a legendary hacker. No way that'd be a girl. His wikipedia page also indicates Samy is either a dude or a girl who really, really, should trim her beard.

    6. Re:Legendary hacker by Anonymous Coward · · Score: 0

      Why can't a girl be a legendary hacker?
      http://xkcd.com/342/

    7. Re:Legendary hacker by Cederic · · Score: 1

      I think he'd use the word mythical rather than legendary.

      Why can't a girl have a glorious bushy beard?

  5. Shocking by tehlinux · · Score: 1

    >The new expiration date can also be predicted based on when the replacement card was requested.

    You don't say.

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
  6. How are those not completely random yet? by Anonymous Coward · · Score: 0

    Safe for an embedded checksum to prevent typos and to enable "is this a credit card number or something else" algorithms, is there any reason at all for credit card numbers to not be completely and truly random numbers?

  7. I'm not sure this is as bad as it sounds by rickb928 · · Score: 2

    0. Surprisingly, cards are compromised all the time.
    1. Some issuers know that as many as 40% of their cards in force are actually compromised.
    2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.
    3. EMV (chip) cards add a significantly better authentication step by verifying the physical card is in fact being used. But this does little or nothing for card-not-present (cnp) transactions, like buying from Amazon or eBay.
    4. American Express probably first does the usual fraud detection, spots fraud, disabled the card, and when a new one is issued might very well already have that account under greater scrutiny, at least for a while. Maybe.
    5. Some fraud may even be 'ignored' to gather more information.
    6. Most importantly, however, a replacement card must be activated, acknowledging receipt by the card holder. The fraudster must also break into that process or wait for the card holder. That's weak point maybe.
    7. And purchases can leave a trail.

    I'm being this is not such a big deal as it seems, at and easily fixed.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:I'm not sure this is as bad as it sounds by ewibble · · Score: 3, Insightful

      2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.

      How would anyone know? Maybe people performing the fraud are getting better at not being detected, by either, the card company or the owner of the card. For example a small transaction over may cards maybe totally unnoticeable. If it is never reported as fraud, then it would never go into the bucket of undetected fraud. It is not like the criminals publish their proceeds from fraud somewhere.

      That is why I don't like payment without pin, (this includes online payment, but that is another rant 8-)) because it allows, small payments without any secret I know. First it is quite possible I could miss a small charge, secondly if my children use my card, (still fraud) I am very unlikely to report them. If they are so confident in their fraud detection, and security of pin-less payment, remove the cap, I WILL notice $1000 dollars extra on my bill.

    2. Re:I'm not sure this is as bad as it sounds by AmiMoJo · · Score: 1

      For example a small transaction over may cards maybe totally unnoticeable.

      Also wouldn't be economical for the criminals. Stealing card details or buying them on black markets is not free. There is risk involved in every transaction, especially if it is made to look non-suspicious. Taking amounts small enough for people not to notice in a way that won't get you caught when a small percentage of them do flag it up will probably lose you money.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:I'm not sure this is as bad as it sounds by ewibble · · Score: 1

      First, fraud by people to close to you, would not be covered.

      Second, they may make more by small transactions, it really depends on the risks, since it is hard to judge what percentage of small transactions actually get detected, because you need to know which ones don't. Only a criminal who is actually doing this can tell. That being said I don't know how much stollen credit card goes for but this article says $3.50 http://www.bloomberg.com/news/...
      it wouldn't take many $5 transactions to make you money back.

  8. I have often wondered about expiration dates by Khopesh · · Score: 1

    Expiration dates are indeed predictable. One common trick used by subscription services is to merely bump it the appropriate number of years during their auto-renew phase rather than complaining to the user (and therefore offering a reminder that it exists, thus possibly getting the service canceled, and that's lost revenue!).

    Giving a random range of -1 to +4 months from the standard shouldn't harm anything (except the aforementioned squirrelly services?) and would offer a lot more protection. Consider googling 4147 visa for example; you'll find a few expired credit cards. Now bump the expiration dates by 2 or 4 years. (Slashdot covered this two years ago.)

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  9. I smell bullshit. by Anonymous Coward · · Score: 0

    which matched up to 40 cards and replacement cards shared with him by his friends

    He knew 40 people who needed a replacement Amex card? I smell bollocks.

    I've had an Amex account for 15 years and never had my card lost/stolen. Subsequent cards just have date updated predictably and CID updated unpredictably, but the 15-digit number stays the same. My secondary cards are very similar number to original too. What is the problem?

    1. Re:I smell bullshit. by Anonymous Coward · · Score: 0

      the weasel words "up to" could mean that he matched between zero and forty cards as well as zero and forty replacement cards.

  10. Someone needs to ask... by Anonymous Coward · · Score: 0

    When can I buy a full-featured version on the darknet?

  11. Regularity by Anonymous Coward · · Score: 0

    Recall 6 digits are bank id number, last digit is checksum. Only 10 digits (only!) can vary.
    However it is perfectly feasible they could be assigned sequentially...each card issued is 10 more than the previous one.
    That would of course tend to be hard to predict, but if some pattern like that were used for each account, there are
    enough digits to allow it. Knowing this, and knowing how long cards tend to be good for, could get you an idea of
    card number and expiration. It will not help you guess CVV2 though, or good old CVV, or dCVV or CVC3 or ... (on into
    the night).

    I suspect too, given the news, that the digit selection patterns may be tweaked in lots of places to make
    this kind of prediction less accurate.

  12. AMEX security by zlogic · · Score: 1

    I have a corporate AMEX card and compared to my personal Visa/Mastercard cards, security is unbelievably worse.
    For Visa/Mastercard cards issues by a local bank, authentication and operations like changing the PIN is done by an IVR system with a preshared password. Sometimes for extra security a live person asks some basic questions like the passphrase or you last weeks' expenses. In fact the bank warns me that I should NEVER tell anyone the card details such as its number, expiration date and CVC code. They rely on other details for authentication, which means if an unreliable bank employee or an eavesdropper records all this info, they will be unable to use it to spend your money.

    When I activated my AMEX card, the customer rep asked me for all information printed on the card (including the number, all codes, expiration date etc.), and even was helpful enough to set the PIN retrieval number to the batch code of the card (printed clearly on the front of the card)!

    Also, it appears they have no SecureCode/3DSecure system. Sometimes (but not always) online charges ask for your ZIP code (but not a one-time password like other banks do).

    AMEX security looks like it was designed by a first-year student. Maybe it's a common thing for US banks to put convenience before security. European merchants frown upon chipless cards and ask for proper ID, and almost all online purchases require 3dSecure/SecureCode authentication with a one-time password (usually sent by SMS or a hardware token).

    1. Re:AMEX security by Anonymous Coward · · Score: 0

      Try doing the same thing with AmEx from a phone number they don't have on file and see if the results are the same. I'm pretty sure they won't be.

  13. Gizmo? by cyber-vandal · · Score: 1

    News for morons. Stuff that's dumbed down.

  14. digital security by fkodama · · Score: 1

    The problem with digital security is that to have enough security you need so huge numbers that you can't remember what was the original one. If you can't remember the stuff how would you expect to validate something? Humans will loose to machines in every way, so it's easier to make humans secure instead of machines secure.