Slashdot Mirror


This Gizmo Knows Your Amex Card Number Before You've Received It (csoonline.com)

itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.

4 of 68 comments

  1. Not too hard by Todd+Knarr · Score: 3, Insightful

    This isn't exactly an amazing product. The way Amex generates replacement card numbers is utterly trivial; the hardest part of it is calculating the new check digit. There's really no excuse for that kind of triviality: a replacement card should have a completely new number unrelated to the old one.

    1. Re:Not too hard by wonkey_monkey · Score: 5, Insightful

      This isn't exactly an amazing product.

      I think that's rather the point of the story.

      --
      systemd is Roko's Basilisk.
  2. Re:Can I predict mine though? by Anonymous Coward · Score: 5, Insightful

    Think out the implications of this. You have an Amex card, and your information gets compromised when a retailer's system is hacked. The standard response is for the credit card companies to cancel your existing card and issue you a new one with a different account number.

    Issuing you a new card is pointless if the new account number can be predicted by anyone who has the old one. The new expiration date is also predictable based on when the card was replaced, which should be pretty easy to guess in the case of mass replacements due to a hack.

  3. Re:I'm not sure this is as bad as it sounds by ewibble · Score: 3, Insightful

    2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.

    How would anyone know? Maybe the people performing the fraud are getting better at not being detected by either the card company or the owner of the card. For example, a small transaction over many cards may be totally unnoticeable. If it is never reported as fraud, then it would never go into the bucket of undetected fraud. It is not like the criminals publish their proceeds from fraud somewhere.

    That is why I don't like payment without a PIN (this includes online payment, but that is another rant 8-)), because it allows small payments without any secret I know. First, it is quite possible I could miss a small charge; secondly, if my children use my card (still fraud), I am very unlikely to report them. If they are so confident in their fraud detection and the security of PIN-less payment, remove the cap. I WILL notice $1000 extra on my bill.
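The "check digit" the first comment mentions is the Luhn digit every card number ends with. As an added example (not from the thread or from Amex), here is that computation together with the defensive use a security team actually has for it: filtering Luhn-valid card numbers out of application logs so they can be masked before the logs are stored or shipped. The card numbers are commonly published test numbers, not live accounts, and the log lines are constructed for the example.

```python
import re

def luhn_check_digit(payload: str) -> int:
    """Return the digit that makes payload + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number: str) -> bool:
    """True if the digits (spaces/dashes ignored) end in the right Luhn digit."""
    digits = re.sub(r"[ -]", "", number)
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number candidates found in text.

    The Luhn filter drops most order ids and timestamps that merely
    look like card numbers; it does not, and cannot, prove a match is
    a real account, so treat hits as "needs masking", not as fraud.
    """
    found = []
    for m in PAN_RE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if luhn_valid(candidate):
            found.append(candidate)
    return found

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the usual receipt/log format."""
    return "*" * (len(pan) - 4) + pan[-4:]

# Constructed sample log lines: one Amex-format and one Visa-format test number,
# plus order ids of similar length that are not Luhn-valid.
LOG = """\
2015-11-24T10:01:02 pos checkout order=1234567890123 card=378282246310005 amt=41.20
2015-11-24T10:01:09 pos checkout order=1234567890124 card=4111 1111 1111 1111 amt=9.99
2015-11-24T10:01:15 pos checkout order=1234567890125 card=******0005 amt=3.00
"""

if __name__ == "__main__":
    for pan in find_pans(LOG):
        print(pan, "->", mask_pan(pan))
```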