Ten Bucks Buys The Latest Credit Card Hacker Tool


American Express may want to reconsider the algorithm it uses to generate new card numbers.

As Wired reported yesterday (Nov. 24), security researcher Samy Kamkar was able to crack the code used by Amex to assign new card numbers after a customer’s card is lost or stolen, ultimately giving him the ability to predict what a person’s new card number will be based on the pattern that emerged in the number assignments.

Kamkar realized that if he could apply this trick to predict newly generated card numbers, hackers probably could, too. If fraudsters compromised an Amex card, they could identify the replacement number right after the old one was reported stolen and derive the new expiration date from the old card's expiration date as well, Wired explained.

“The day that card is cancelled, as soon it gets rejected, two seconds later, I know what your new number and expiration date will be,” Kamkar told Wired. “If I were doing fraud, that would be pretty useful.”

Months later, Kamkar built a $10 gadget that can carry out an attack based on the card-prediction vulnerability.

The device, called MagSpoof, can reportedly store more than 100 card numbers, emit an electromagnetic field that reaches a card reader's magnetic-stripe sensor at close range, and run Kamkar's prediction algorithm at the push of a button.

As Wired pointed out, MagSpoof falling into the wrong hands could be disastrous: fraudsters could steal newly generated credit card numbers as quickly as American Express assigns them.

“As soon as the card gets declined, you press a button, and it switches to the next number,” Kamkar said. “It sucks for [Amex users], because they could have their new credit card stolen almost instantly.”

While Kamkar has communicated the vulnerability to Amex, the company has determined that the prediction algorithm is not a serious security risk.

Amex spokeswoman Ashley Tufts assured Wired that customers are protected from Kamkar’s device via the company’s additional security measures, such as an extra security code embedded in the card’s magnetic stripe and the newer chip-and-PIN card technology.

“Simply knowing a card number wouldn’t allow a fraudster to complete a purchase face to face because a card product would need to [be] dipped at many of the stores with EMV chip portals, or swiped. In addition, the security code embedded in the card product would need to be verified. For both EMV chip and magnetic stripe cards, the security code changes with the card number and is impossible to predict,” Tufts explained.