Slashdot Mirror

← Back to Stories (view on slashdot.org)

This Gizmo Knows Your Amex Card Number Before You've Received It (csoonline.com)

Posted by samzenpus on from the lucky-number dept.

itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.

9 of 68 comments (clear)

  1. Not too hard by Todd+Knarr · · Score: 3, Insightful

    This isn't exactly an amazing product. The way Amex generates replacement card numbers is utterly trivial, the hardest part of it's calculating the new check digit. There's really no excuse for that kind of triviality, a replacement card should have a complete new number unrelated to the old one.

    1. Re:Not too hard by wonkey_monkey · · Score: 5, Insightful

      This isn't exactly an amazing product.

      I think that's rather the point of the story.

      --
      systemd is Roko's Basilisk.
    2. Re:Not too hard by gstoddart · · Score: 2

      If one guy and a sample size of 40 cards can do this with 100% accuracy ... then I assume a better funded and more malicious entity could do it on a FAR larger scale.

      I think the fact that it IS so trivial is kind of the point.

      You would hope it wouldn't be even possible to predict the next card and that the numbers come from a big pool and should be unrelated. But apparently that's not true.

      --
      Lost at C:>. Found at C.
    3. Re:Not too hard by RealGene · · Score: 2

      At the moment, the big US banks are rolling out "chip and sign", where you slide the card into a reader, but sign with a digital pen rather than enter a PIN.
      From a security standpoint, it's no better than the mag-swipe and sign system, as nobody verifies the signature anyway.

      --
      Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
  2. Legendary hacker by losttoy · · Score: 2

    Really? I mean, really?!

    1. Re:Legendary hacker by threephaseboy · · Score: 2

      Is he not your hero?

      --
      .
  3. Re:Can I predict mine though? by Anonymous Coward · · Score: 5, Insightful

    Think out the implications of this. You have an Amex card, and your information gets comprised when a retailer's system is hacked. The standard response is for the credit card card companies to cancel your existing card and issue you a new one with a different account number.

    Issuing you a new card is pointless if the new account number can be predicted by anyone who has the old one. The new expiration date is also predictable based on when the card was replaced, which should be pretty easy to guess in the case of mass replacements due to a hack.

  4. I'm not sure this is as bad as it sounds by rickb928 · · Score: 2

    0. Surprisingly, cards are compromised all the time.
    1. Some issuers know that as many as 40% of their cards in force are actually compromised.
    2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.
    3. EMV (chip) cards add a significantly better authentication step by verifying the physical card is in fact being used. But this does little or nothing for card-not-present (cnp) transactions, like buying from Amazon or eBay.
    4. American Express probably first does the usual fraud detection, spots fraud, disabled the card, and when a new one is issued might very well already have that account under greater scrutiny, at least for a while. Maybe.
    5. Some fraud may even be 'ignored' to gather more information.
    6. Most importantly, however, a replacement card must be activated, acknowledging receipt by the card holder. The fraudster must also break into that process or wait for the card holder. That's weak point maybe.
    7. And purchases can leave a trail.

    I'm being this is not such a big deal as it seems, at and easily fixed.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:I'm not sure this is as bad as it sounds by ewibble · · Score: 3, Insightful

      2. All issuers employ fraud detection systems intended to identify the first fraudulent transaction. They aren't 100% effective, but getting better.

      How would anyone know? Maybe people performing the fraud are getting better at not being detected, by either, the card company or the owner of the card. For example a small transaction over may cards maybe totally unnoticeable. If it is never reported as fraud, then it would never go into the bucket of undetected fraud. It is not like the criminals publish their proceeds from fraud somewhere.

      That is why I don't like payment without pin, (this includes online payment, but that is another rant 8-)) because it allows, small payments without any secret I know. First it is quite possible I could miss a small charge, secondly if my children use my card, (still fraud) I am very unlikely to report them. If they are so confident in their fraud detection, and security of pin-less payment, remove the cap, I WILL notice $1000 dollars extra on my bill.