MagSpoof device ‘capable of predicting Amex credit card numbers’

The ever-creative white hat hacker Samy Kamkar, who came up with the universal remote that can unlock most state-of-the-art cars, has come up with another novel invention – MagSpoof.

This innovative device, which cost just $10 to build, can wirelessly “spoof/emulate any magnetic stripe or credit card”. It achieves this by creating a “strong electromagnetic field” that mimics a typical magnetic stripe card.

According to the expert, MagSpoof can serve as a one-stop shop for all your cards, can disable chip and PIN functionality and, fascinatingly, can “predict” American Express credit card numbers and expiration dates.

The last point is an important one, as the development of this particular functionality serves as the principal source of inspiration for the device.

In an article on his website, Mr. Kamkar explained how, on losing his Amex card and receiving a new one, he noticed that many of the digits were similar. He then compared this to other Amex cards and found a similar pattern.

As a result of his investigation into this, the ethical hacker can now “accurately predict American Express card numbers by knowing a full card number, even if already reported lost or stolen”.

“This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number,” he continued.

“I also know the new expiration date as the expiration date is fixed based on when the new card was requested, and you can determine if the new card has been requested by performing an auth on the existing card.”

Mr. Kamkar has highlighted this to American Express, Wired reported, but was told that this wasn’t a “serious security risk”.

Ashley Tufts, director of corporate affairs and communications/risk and information management at the company, later clarified by stating that additional security features, such as an “extra security code embedded in [card’s] magstripe data”, protect its customers from this ‘predictive’ type of fraud.

She added: “Simply knowing a card number wouldn’t allow a fraudster to complete a purchase face-to-face because a card product would need to be dipped at many of the stores with EMV chip portals, or swiped.”

Author , We Live Security

Copyright © 2016 ESET, All Rights Reserved.