Hardware hacker/security researcher Samy Kamkar is legendary for his legion of playful, ha-ha-only-serious gadgets that show how terrible information security is, and now he's turned his attention to the American Express company, which turns out to be a goddamned train-wreck.
When you cancel an Amex card as lost or stolen, the company generates your new number using an easy-to-derive algorithm based on your old card and expiration date. That means that if an attacker knows about your old Amex number (say, because it was extracted from a hacked reader and posted, along with millions of others, on a carding site), they can say, with certainty, what your new Amex number is, even before Amex mails your replacement card to you.
Kamkar's tiny, open source hardware Magspoof gadget will trick any credit-card reader into thinking that a card with any number and characteristics you've specified has just been swiped through it. It's a smaller, more flexible version of Coin, a kickstarted credit-card-shaped gadget that can be programmed to simulate all of your own credit and debit cards.
But when you combine this with Amex's poor information security, it means that an attacker could use Magspoof or Coin to commit fraud against cards, even after they're canceled. What's more, Kamkar has found a bit in the Amex magstripe that turns off chip-and-pin, so that you can spoof a chipped Amex and ensure that the reader does not ask you to "dip" your card and verify the chip.
Kamkar's release does not include the Amex-spoofing and chip-disabling sourcecode, because Magspoof is meant as a convenient card-replacement, not a fraud device. But in demonstrating the potential for fraud latent in all card-replacement technologies, Kamkar is taking the credit-card issuers to task for sloppy, lazy practices that put us all at risk.
I saw Kamkar demo this over lunch some time ago — he picked up the tab with a Coin that was programmed with the number of an Amex that replaced one he'd reported lost. Kamkar had never opened the envelope the replacement card came in. He'd derived its number using the Amex algorithm he'd figured out, programmed it into the Coin, and I can verify that the number worked and he was able to make the transaction. (Thanks for lunch, Samy!)
If someone with a chip-enabled card goes to Target these days and swipes their card's magnetic stripe, the point-of-sale system will see the service code and know that it's a chip card and ask for it to be inserted into a reader, Kamkar said.
"But I discovered that if I can modify the service code, or create a new card with a different magstripe with the same data but just flip that bit, I can essentially disable that requirement for the chip," he said.
Kamkar modified the service code and was able to buy something by swiping a card when it should have been a chip-and-PIN transaction.
"I was flabbergasted," he said.
When asked if it was Target, Kamkar laughed and said it "was a major retailer."
MagSpoof – "wireless" credit card/magstripe spoofer
[Samy Kamkar/Applied Hacking]
MagSpoof – credit card/magstripe spoofer
This gizmo knows your Amex card number before you've received it