In the age when merchant breaches are an alarmingly common part of consumer life, among the few comforts available is that once a card has been compromised and the problem identified, fixing the problem is as easy as canceling the card in question and having it reissued.
But for American Express customers, it looks like, going forward, things many not be so easy.
According to recent reports, security researcher Samy Kamkar managed to crack the code on how Amex generates replacement card numbers and was thus able to build a device to generate a new card number from an old one.
After doing some research with his own replacement card numbers — and those of some friends found via Facebook — Kamkar realized that any hacker who saw the same pattern would be able to use a stolen card to predict what its replacement card number would be — down to the new card’s expiration data.
“The day that card is canceled, as soon it gets rejected, two seconds later, I know what your new number and expiration date will be,” Kamkar says. “If I were doing fraud, that would be pretty useful.”
Kamkar also noted the trick works in sequence and can generate as many new numbers as American Express can generate cards.
A few months later, after a $10 investment, Kamkar built a watch-sized gadget capable of stealing as many as 100 card numbers from any card reader sensor within close proximity by sending a signal as a card is swiped. Kamkar even built his fraud tool with a button that uses his algorithm to generate a new card number once the previous card is canceled.
“As soon as the card gets declined, you press a button, and it switches to the next number,” Kamkar says. “It sucks for [Amex users], because they could have their new credit card stolen almost instantly.”
The attack is limited by its inability to access the four-digit CVV code, and the mag spoof device does not resemble a credit card and would be harder to use in a physical store. But Kamkar also noted that he could use his device to store cards in a digital credit card device like Coin to make the stolenness much less apparent.
“If you don’t want to hand someone this thing, you can just hand them a Coin instead,” he says.
Coin noted using its device would not be quite so easy.
“We require several security steps before a credit card can be used with a Coin payment device,” Coin spokesperson Kayla Abbassi wrote to Wired in a statement. “These steps allow us to verify identity, as well as the validity and ownership of each card, based on information such as the last four digits of the cardholder’s Social Security number and billing zip code.”
Kamkar notes that Coin security measures have been proven to be beatable.
Kamkar noted his attempts to alert American Express to the issue have not yielded any promises to fix the problem. Kamkar stated that Amex told him it did not pose a significant security risk.
“Simply knowing a card number wouldn’t allow a fraudster to complete a purchase face to face, because a card product would need to [be] dipped at many of the stores with EMV chip portals or swiped. In addition, the security code embedded in the card product would need to be verified. For both EMV chip and magnetic stripe cards, the security code changes with the card number and is impossible to predict,” wrote Amex spokesperson Ashley Tufts. She also noted that the company uses other security measures that it declined to detail.
Kamkar confirms that Amex’s extra security magstripe code does seem to block his prediction attack in some cases, but he argues American Express nonetheless needs to fix the problem before other hackers find a clever way to use it.
“It’s not like I cracked some crazy pseudorandom number generator. This is really obvious,” Kamkar says of his card number prediction technique. “I’ve never heard of anyone finding this, but I’d be surprised if someone hadn’t figured it out.”