Slashdot Mirror


This Gizmo Knows Your Amex Card Number Before You've Received It (csoonline.com)

itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.

39 of 68 comments

  1. Holy crap ... by gstoddart · · Score: 1

    He noticed that the replacement card's number appeared to have a relationship with other Amex cards he'd had in the past. Kamkar worked out a formula for how the number was calculated, which matched up to 40 cards and replacement cards shared with him by his friends for his research.

    That sounds pretty damned broken to me.

    Are these guys not even trying?

    --
    Lost at C:>. Found at C.
    1. Re:Holy crap ... by gstoddart · · Score: 1

      It's 2015 and the US is still trying (and apparently failing) to implement chip-and-pin. So no, clearly they are not trying.

      Doubly so because it was "new" 20 years ago, and people are already starting to look to replace it.

      --
      Lost at C:>. Found at C.
    2. Re:Holy crap ... by mark-t · · Score: 1

      The only thing that keeps chip and pin from being secure is that the banks keep allowing non-chip-and-pin transactions instead of forcing vendors to upgrade or not use the service at all.

    3. Re:Holy crap ... by RubberDogBone · · Score: 1

      It's 2015 and the US is still trying (and apparently failing) to implement chip-and-pin. So no, clearly they are not trying.

      NO they are not. Most US card issuers are implementing Chip-and-Signature, which is NOT the same thing as Chip-and-Pin. The cards LOOK the same and have the same chip but this method happens to be far less secure. What a surprise. Does the US ever do anything with high security?

      The only thing Chip-and-Sig does is crack down on fake mag stripe cards because copying the chip is harder to do. But for the signature part, almost nobody ever actually looks at or checks signatures much less asks for ID.

      Only a handful of US card issuers are actually doing Chip-and-Pin, mainly small banks and a couple credit unions.

      --
      Sig for hire.
    4. Re:Holy crap ... by RubberDogBone · · Score: 1

      Every card issuer has a set prefix that belongs to them. The first four digits of any card number indicate who issued it. This applies to every kind of card from credit cards you can use anywhere but also things like branded gas station credit cards only good at that one chain, and so on.

      This leaves only so many additional digits for card numbers, and from that pool of course some are active. Others have been issued to other cardholders but replaced, so those card numbers are also off the available list. Stolen card numbers are also off the avail list. The end result is that there are only so many possible unused card numbers.

      It is also important to remember that not all cards are issued the same: Amex issues most of its cards itself. They have only a few prefix numbers. But card issuers like Visa and Mastercard use thousands of member banks and credit unions to issue cards and each of those issuers will usually have their own prefix numbers.

      In other words, most Amex cards start with 37***. This leaves 10 digits for individual cards for the entirety of Amex customers, past, present, black listed, all of them. Amex segregates different types of cards based on the first five digits so not all combinations are possible and available to issue.

      But your Chase Visa card will have 5678 and your Bank of America Visa will have 6789 (not their real numbers) which are unique to each bank. This means EACH of these banks has 11 digits they can use even if the other banks also use the same 11 digits for a card. It won't matter because the prefix is different.

      Amex and the other banks can have more than one prefix. There are public lists of which bank is which.

      http://www.stevemorse.org/ssn/...

      --
      Sig for hire.
    5. Re: Holy crap ... by guruevi · · Score: 1

      People told us to replace chip and pin before it was even used in the EU a decade ago because it was broken then. We don't need chip and pin, we need to keep magstripes, implement a method of out-of-band authorization and keep banks liable for their hacks.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    6. Re:Holy crap ... by plover · · Score: 1

      The security difference between chip-and-signature and chip-and-PIN matters in only one case, and that is if your physical card is stolen from your wallet. Skimmers, data breaches, shoulder-surfing, all the hacking attacks won't yield the secret key inside the chip, preventing it from being counterfeited. If you don't like the security of your chip-and-signature card because you're afraid your card might be stolen, ask your bank to issue you a chip-and-PIN card instead. If your bank won't, there are plenty of other banks who will, and who will be grateful for your business.

      Visa and the retailers originally figured U.S. customers would prefer chip-and-signature because it makes selling things "easy". But that's a pretty stupid attitude, because lots of people (including you and me) are wary about identity theft. Customers need to complain to their banks so that they learn we'd rather have PINs than signatures.

      Overall credit card security will still remain terrible for a long time to come because static mag stripes still exist, and online card-not-present transactions still use static authentication data like CVV2 codes. What really needs to happen to actually improve security is that mag stripes and static numbers like CVV2 need to be flat-out outlawed. The recent "liability shift" is the opening salvo in the conversion, but we're probably still a decade away from actual security.

      --
      John
    7. Re: Holy crap ... by cyber-vandal · · Score: 1

      I'm pretty sure I've got a credit card here in the UK. What's the difference between US credit cards and European ones?

  2. Not too hard by Todd+Knarr · · Score: 3, Insightful

    This isn't exactly an amazing product. The way Amex generates replacement card numbers is utterly trivial; the hardest part of it is calculating the new check digit. There's really no excuse for that kind of triviality; a replacement card should have a completely new number unrelated to the old one.

    1. Re:Not too hard by wonkey_monkey · · Score: 5, Insightful

      This isn't exactly an amazing product.

      I think that's rather the point of the story.

      --
      systemd is Roko's Basilisk.
    2. Re:Not too hard by gstoddart · · Score: 2

      If one guy and a sample size of 40 cards can do this with 100% accuracy ... then I assume a better funded and more malicious entity could do it on a FAR larger scale.

      I think the fact that it IS so trivial is kind of the point.

      You would hope it wouldn't be even possible to predict the next card and that the numbers come from a big pool and should be unrelated. But apparently that's not true.

      --
      Lost at C:>. Found at C.
    3. Re:Not too hard by Anonymous Coward · · Score: 1

      I'm sorry, the check digit is trivially easy to calculate based on the other numbers. It's just a Mod 10.

      I once had a simple excel spreadsheet that would randomly generate new card numbers for MC, VISA, and Amex and it's not difficult.

      The fact that you guys don't have chip n pin in the US is the real issue. If you don't have a chip in your card, you shouldn't be using it, period.

    4. Re:Not too hard by twotacocombo · · Score: 1

      The way Amex generates replacement card numbers is utterly trivial; the hardest part of it is calculating the new check digit.

      Not too hard: https://en.wikipedia.org/wiki/...

    5. Re:Not too hard by cheater512 · · Score: 1

      I think the parent meant the CVC / CSC / CVV / etc....

    6. Re:Not too hard by kheldan · · Score: 1

      So far as I've ever heard, all credit card numbers are generated according to an algorithm that can be fairly easily reverse-engineered, so this 'news' really isn't a surprise at all to me. Other than that he's doing more-or-less a brute-force attack on PoS terminals by tossing 'up to 40 (fake) cards' at them. I think in the end the only thing that will be impressive about this is what AmEx may do to him legally (criminal or civil) first for creating this device, then revealing it publicly; he gave enough details already that anyone moderately competent should be able to duplicate it and go on a fraud-spree.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    7. Re:Not too hard by jafiwam · · Score: 1

      So far as I've ever heard, all credit card numbers are generated according to an algorithm that can be fairly easily reverse-engineered, so this 'news' really isn't a surprise at all to me. Other than that he's doing more-or-less a brute-force attack on PoS terminals by tossing 'up to 40 (fake) cards' at them. I think in the end the only thing that will be impressive about this is what AmEx may do to him legally (criminal or civil) first for creating this device, then revealing it publicly; he gave enough details already that anyone moderately competent should be able to duplicate it and go on a fraud-spree.

      Judging by the number of times I have seen people posting online "my card was compromised before I got it in the mail" or "before first use" ALL of the CC issuers have the same problem.

      If the card gets compromised once, its replacement is relatively easy to compromise as well.

    8. Re:Not too hard by RealGene · · Score: 2

      At the moment, the big US banks are rolling out "chip and sign", where you slide the card into a reader, but sign with a digital pen rather than enter a PIN.
      From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.

      --
      Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
    9. Re:Not too hard by Todd+Knarr · · Score: 1

      The EMV chips have been compromised for years. Typically it only takes a couple of weeks to break the latest version. The reason chip-and-PIN sounds so good is the European rules changes that accompanied it: if the transaction was done using chip-and-PIN then it's presumed valid and it's up to the cardholder to prove otherwise, which is extremely difficult short of having absolute undeniable proof that you were physically at a different location at the time of the transaction (e.g. timestamped video showing you at that other location at that time). So if the EMV chip in your card is compromised and cloned, the fraudulent transactions run up on the fake card are presumed not fraudulent, and attempts to dispute them as fraudulent will be denied absent you having extraordinary proof. That skews the fraud statistics considerably.

      The reason European cardholders don't raise a fuss about this is that 95+% of card fraud these days is done online using card-not-present transactions where chip-and-PIN isn't a factor. That won't change whether the US adopts chipped cards or not.

    10. Re:Not too hard by reemul · · Score: 1

      True. It's a simple algorithm, and guessing the next in sequence is entirely trivial. I used to be able to do it in my head, no super-secret gizmo required, but I'm out of practice. Usually they increment the next-to-last digit and then change the final number to whatever is then required for the Mod10 algorithm, a function that is easily found online for use in form validation. (Ever wonder how they can tell you mistyped your number before submitting it to the bank? They're doing a Mod10 check. Most typos will fail, the accidental entry won't be a valid credit card number.) Everyone should be aware of it and reject out of hand a replacement card that has the next number in the sequence because it is exactly as broken as the one that came before. Call your bank and demand that they send you a card not in the immediate order. Yes, that means they'll run out of numbers faster, but the failure is theirs, not yours, so you shouldn't have to deal with a card that is insecure while still in the mail.

      --
      You're just jealous 'cuz the voices talk to *me*
    11. Re:Not too hard by DamonHD · · Score: 1

      No.

      For example, for the (virtual) card numbers we issued (I was CTO of a virtual card company) we selected the card numbers using a cryptographically secure RNG within our BIN range(s). We went out of our way to make the numbers of newly-issued cards unguessable/unpredictable, and it was a significant element of our security.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
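The two preceding comments describe the pieces an issuer actually controls: the Mod 10 (Luhn) check digit that reemul mentions, and DamonHD's practice of drawing new numbers from a cryptographically secure RNG within the issuer's BIN range so a replacement carries no information about the card it replaces. The following Python is an added example, not code from this thread or from any card issuer; it implements the Luhn check digit, a form-validation style check, and an issuer-side allocator that uses the `secrets` module. The prefix `999999` is a constructed placeholder, not a real BIN.

```python
import secrets


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn (Mod 10) check digit for `payload`, the digits of a
    number without its final check digit."""
    total = 0
    # Walk right to left; the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """Form-validation check: True if the digits of `number` pass Mod 10.
    Spaces and dashes are ignored. This catches most typos, nothing more;
    a Luhn-valid number says nothing about whether an account exists."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def issue_card_number(bin_prefix: str, length: int, in_use: set, rng=secrets) -> str:
    """Issuer-side allocation: pick an unpredictable, Luhn-valid number with
    the given issuer prefix. The account digits come from a CSPRNG (the
    `secrets` module by default), so a replacement number has no arithmetic
    relationship to the one it replaces. `in_use` is the issuer's record of
    numbers already allocated (active, cancelled, or otherwise burned)."""
    account_len = length - len(bin_prefix) - 1  # minus the check digit
    if account_len <= 0:
        raise ValueError("prefix too long for requested length")
    while True:
        account = "".join(str(rng.randbelow(10)) for _ in range(account_len))
        payload = bin_prefix + account
        candidate = payload + str(luhn_check_digit(payload))
        if candidate not in in_use:
            in_use.add(candidate)
            return candidate


if __name__ == "__main__":
    # Constructed demo: a placeholder BIN, two allocations, both validate.
    allocated = set()
    first = issue_card_number("999999", 16, allocated)
    replacement = issue_card_number("999999", 16, allocated)
    print(first, luhn_valid(first))
    print(replacement, luhn_valid(replacement))
```

The allocator's loop retries only on a collision with `in_use`; with a CSPRNG drawing the account digits, a new number reveals nothing about earlier ones, which is the property a replacement card needs and which the thread says Amex's scheme lacked.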
    12. Re:Not too hard by AmiMoJo · · Score: 1

      Indeed, the signing part is the security flaw. Card numbers on European cards are fairly predictable, usually being only a few digits different to your old card. It doesn't matter though because you can't buy anything without a PIN number or the chip part, or if online without the CVV code on the back which isn't predictable.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Not too hard by Dahan · · Score: 1

      At the moment, the big US banks are rolling out "chip and sign", where you slide the card into a reader, but sign with a digital pen rather than enter a PIN. From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.

      No, it's much better than the magstripe system because you can't clone a chip card, whereas it's trivial to clone a magstripe card (e.g., using a skimmer). Magstripe: something you have, except it's easy to copy, so the bad guys might have it too. Chip and sign: something you have. Chip and PIN: something you have and something you know.

      Sure, chip and PIN is more secure, but it's not true that chip and sign is "no better than the mag-swipe and sign".

  3. Legendary hacker by losttoy · · Score: 2

    Really? I mean, really?!

    1. Re:Legendary hacker by threephaseboy · · Score: 2

      Is he not your hero?

      --
      .
    2. Re:Legendary hacker by 93+Escort+Wagon · · Score: 1

      I don't know Samy, but TFA says "he". Repeatedly.

      --
      #DeleteChrome
    3. Re:Legendary hacker by Cederic · · Score: 1

      I think he'd use the word mythical rather than legendary.

      Why can't a girl have a glorious bushy beard?

  4. Re:Can I predict mine though? by Anonymous Coward · · Score: 5, Insightful

    Think out the implications of this. You have an Amex card, and your information gets compromised when a retailer's system is hacked. The standard response is for the credit card companies to cancel your existing card and issue you a new one with a different account number.

    Issuing you a new card is pointless if the new account number can be predicted by anyone who has the old one. The new expiration date is also predictable based on when the card was replaced, which should be pretty easy to guess in the case of mass replacements due to a hack.

  5. Shocking by tehlinux · · Score: 1

    >The new expiration date can also be predicted based on when the replacement card was requested.

    You don't say.

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
  6. I'm not sure this is as bad as it sounds by rickb928 · · Score: 2

    0. Surprisingly, cards are compromised all the time.
    1. Some issuers know that as many as 40% of their cards in force are actually compromised.
    2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.
    3. EMV (chip) cards add a significantly better authentication step by verifying the physical card is in fact being used. But this does little or nothing for card-not-present (cnp) transactions, like buying from Amazon or eBay.
    4. American Express probably first does the usual fraud detection, spots fraud, disables the card, and when a new one is issued might very well already have that account under greater scrutiny, at least for a while. Maybe.
    5. Some fraud may even be 'ignored' to gather more information.
    6. Most importantly, however, a replacement card must be activated, acknowledging receipt by the card holder. The fraudster must also break into that process or wait for the card holder. That's a weak point, maybe.
    7. And purchases can leave a trail.

    I'm betting this is not such a big deal as it seems, and easily fixed.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:I'm not sure this is as bad as it sounds by ewibble · · Score: 3, Insightful

      2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.

      How would anyone know? Maybe people performing the fraud are getting better at not being detected, by either the card company or the owner of the card. For example, a small transaction over many cards may be totally unnoticeable. If it is never reported as fraud, then it would never go into the bucket of undetected fraud. It is not like the criminals publish their proceeds from fraud somewhere.

      That is why I don't like payment without PIN (this includes online payment, but that is another rant 8-)), because it allows small payments without any secret I know. First, it is quite possible I could miss a small charge; secondly, if my children use my card (still fraud), I am very unlikely to report them. If they are so confident in their fraud detection and the security of PIN-less payment, remove the cap; I WILL notice $1000 extra on my bill.

    2. Re:I'm not sure this is as bad as it sounds by AmiMoJo · · Score: 1

      For example, a small transaction over many cards may be totally unnoticeable.

      Also wouldn't be economical for the criminals. Stealing card details or buying them on black markets is not free. There is risk involved in every transaction, especially if it is made to look non-suspicious. Taking amounts small enough for people not to notice in a way that won't get you caught when a small percentage of them do flag it up will probably lose you money.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:I'm not sure this is as bad as it sounds by ewibble · · Score: 1

      First, fraud by people too close to you would not be covered.

      Second, they may make more by small transactions; it really depends on the risks, since it is hard to judge what percentage of small transactions actually get detected, because you need to know which ones don't. Only a criminal who is actually doing this can tell. That being said, I don't know how much a stolen credit card goes for, but this article says $3.50: http://www.bloomberg.com/news/... It wouldn't take many $5 transactions to make your money back.

  7. I have often wondered about expiration dates by Khopesh · · Score: 1

    Expiration dates are indeed predictable. One common trick used by subscription services is to merely bump it the appropriate number of years during their auto-renew phase rather than complaining to the user (and therefore offering a reminder that it exists, thus possibly getting the service canceled, and that's lost revenue!).

    Giving a random range of -1 to +4 months from the standard shouldn't harm anything (except the aforementioned squirrelly services?) and would offer a lot more protection. Consider googling 4147 visa for example; you'll find a few expired credit cards. Now bump the expiration dates by 2 or 4 years. (Slashdot covered this two years ago.)

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  8. Re:Can I predict mine though? by labnet · · Score: 1

    I had a different problem with Amex.
    I had closed my account, but they still kept accepting charges on the card a year after it was closed.
    The charges were for a product I never signed up to; and although I eventually had them all reversed, it took many months of wrangling.

    --
    46137
  9. Re:Can I predict mine though? by RubberDogBone · · Score: 1

    Well, if we know which kind of Amex you apply to get, we can predict with nearly 100% certainty what the first five digits will be. This means only 10 digits need to be predicted.

    --
    Sig for hire.
  10. Re:Can I predict mine though? by Cederic · · Score: 1

    I had this issue with a cancelled VISA card. It was even a recurring payment that was at one time legitimate.

    I merely told the card provider that I had closed my account and if they wanted to keep giving money to that vendor then it was their choice as it was their money, as I'd clearly informed them that I was closing the account and that they shouldn't accept any payments on my behalf.

    No idea whether they stopped the payments, but they did stop trying to bill me for them.

  11. AMEX security by zlogic · · Score: 1

    I have a corporate AMEX card and compared to my personal Visa/Mastercard cards, security is unbelievably worse.
    For Visa/Mastercard cards issued by a local bank, authentication and operations like changing the PIN are done by an IVR system with a preshared password. Sometimes, for extra security, a live person asks some basic questions like the passphrase or your last week's expenses. In fact the bank warns me that I should NEVER tell anyone the card details such as its number, expiration date and CVC code. They rely on other details for authentication, which means if an unreliable bank employee or an eavesdropper records all this info, they will be unable to use it to spend your money.

    When I activated my AMEX card, the customer rep asked me for all information printed on the card (including the number, all codes, expiration date etc.), and even was helpful enough to set the PIN retrieval number to the batch code of the card (printed clearly on the front of the card)!

    Also, it appears they have no SecureCode/3DSecure system. Sometimes (but not always) online charges ask for your ZIP code (but not a one-time password like other banks do).

    AMEX security looks like it was designed by a first-year student. Maybe it's a common thing for US banks to put convenience before security. European merchants frown upon chipless cards and ask for proper ID, and almost all online purchases require 3dSecure/SecureCode authentication with a one-time password (usually sent by SMS or a hardware token).

  12. Gizmo? by cyber-vandal · · Score: 1

    News for morons. Stuff that's dumbed down.

  13. digital security by fkodama · · Score: 1

    The problem with digital security is that to have enough security you need such huge numbers that you can't remember what the original one was. If you can't remember the stuff, how would you expect to validate something? Humans will lose to machines in every way, so it's easier to make humans secure instead of machines secure.