Hacker predicts AMEX card numbers, bypasses chip and PIN Brainiac hacker Samy Kamkar has developed a US$10 gadget that can predict and store hundreds of American Express credit cards and use them for wireless transactions, even at non-wireless payment terminals. The mind-blowing feat is the result of Kamkar cracking how the card issuer picks replacement numbers, and in dissecting …
There is a bit of a love going on between the two mags
http://www.theregister.co.uk/2015/09/21/wired_uk_promo/
I just hope they're using suitable protection
There is a bit of a love going on between the two mags
Well, Wired needs all the love it can get. (Or a swift and merciful death, which would be fine by me.)
But perhaps the Reg has just built a machine that can predict stories that will appear in Wired. Doesn't seem like it would be hard.
"posting someone else's story with your own slant"
Also known as "99.999% of journalism."
Seriously, they're a tech rag, and this is a tech story. Which exactly would you prefer, that they ignore a story squarely in their domain simply because someone else already reported it, or that they copy it more precisely and don't add their own slant?
This post has been deleted by its author
Why would any card issue not change their PIN generator algorith on at least a semi regular basis?
AFAIK the only place that has to know it is the head office server.
If AMEX have never changed this algorith then in principal card issued decades ago could have their PIN's compromised.
How AMEX handle this will be a very interesting case study on how responsible card companies feel about their customers security.
The really scary thing is that their algorithm is predictable. From what I gather from the article, from a single card number, you can predict what the replacement card number and expiry date will be.
So all I have to do is steal your card, wait for it to be reported lost or stolen, and then I can quite happily start spending money on your replacement card. I don't even need to know the pin. I can just pretend to swipe a dummy card with that gadget in my palm and just put a signature down.
Whoever implemented that algorithm needs to be sentenced to life at an Amazon warehouse.
This all sounds odd to me.
Predicting a card number that is valid as a Visa/AmEx/MasterCard number is old hat, there have been websites around to do that for years. Predicting the replacement number for a stolen card shouldn't be possible, if AmEx do that algorithmically they deserve to be in trouble.
Predicting the expiry date doesn't seem that challenging, since it will generally be 2 or 3 years after the request is made. Ask for a new AmEx card in Dec 2015, there are good odds that the expiry date willl be Dec 2018 or maybe Jan 2019. A few trial runs woule establish that.
Also, whenever I've had a new AmEx card the first thing I have to do is phone AmEx and activate it, which takes a brief security exchange (DOB & name, for example), Simple, but even so, it would not help someone that has just pinched a stranger's card.
This all sounds to me like a script kiddie bigging himself up a bit.
first thing I have to do is phone AmEx and activate it, which takes a brief security exchange
that does not help. Since card number (and expiry date) of your new card can be predicted based on the old (compromised) card, this means the criminals can use your new card without having seen it, as soon as you have activated it. In other words, your new card is as compromised as the old one was, because its number and expiry date are predictable.
This post has been deleted by its author
Predicting the replacement number for a stolen card shouldn't be possible
My last three or four debit cards have had sequential numbers. (Allowing for the check digit at the end of the card number) I'm waiting to see if my next card continues the sequence.
Two or three appeared to have sequential CVV codes too - but that could just be coincidence.
This spurred me to look through my collection of expired cards (I zap the chips but keep the physical cards for use as filling spatulas for sealant etc around the home: From now on I will be destroying the cards, due to my findings, which are as follows:)
Barclays, 3 different accounts, 2 business, and one personal, sequence of 2 cards for each of the business accounts and 3 for the personal, including one issued as a replacement due to cancellation (the chip broke!)- all Card numbers sequential, excluding of course the check digit, CVV2 numbers NON sequential.
Halifax current account, personal. 3 cards (one missing from sequence), digit before check digit was 1, 2, and 4.. (accounting for the missing one). CVV2 again non-sequential
Nat West (belonging to another family member, sequence of 3 cards in date order, numbers totally different. CVV2s also different of course.
All cards were visa debit. Looks like Nat West actually win at this one. The finding is... disturbing
This isn't PIN but how to generate a new card number for an existing card member.
The issue is that you have an existing system that works... and there's a cost associated with changing the system, and that means developing a new system.
So until the current system is compromised and the potential damages exceed the cost of the new system, you wont see companies ... changing their existing system. Today Amex, tomorrow MC / Visa , etc ...
Could have jobbed for a day in a trendy coffee shop…
OTOH given the number of cards Americans generally have all he probably had to was ask a few friends.
Don't quite know about US liability but in the UK this will mean that AMEX (and probably others) can be expected to be held liable for card fraud until they can demonstrate they have a fix. They normally insure against fraud but I can imagine the insurers also turning them down. Of course, any losses they do incur will be recouped through higher charges but in the meantime it looks like there's money to be made.
My UK bank, who for the moment shall remain nameless, presented me with a predictable replacement card number which the original scammers tried to predict in a subsequent phishing e-mail.
All the bank did was increment the second-to-last digit and recompute the final Luhn check digit. Turns out that most card numbers are in the format AAAA BBBB BBBB BBCD where A is the issuing bank's range, B is the card account number, C is the (sequential) issue of the card and D is the check digit; i.e. the only thing that changed between cards was digit C being incremented.
Very, very uninspiring. Went into a bank branch with a pad and a pen to explain this to them and ended up on a videoconference to someone somewhere. End result was a completely new card number being issued, but it took a lot of shouting to get that done...
Checking past cards this doesn't just happen with one bank. At least two major banks operating in the UK do this for normal replacements, i.e. expiry date reached. At least one major credit card provider keeps the same number, similar behaviour to at least one now non existent UK bank.
Non of these were Lloyds.
Generally card number is linked to account number, and all you have is an incrementing issue indicator. If you want a new 'base' number, you need a new account. Honestly, all this guy seems to have done is figured out which digit is the issue indicator (such an achievement!), read the wiki article on the Luhn algorithm, and gobbed it all together with some sort of RFI thing that borks the chip reader.
So he's claiming credit for something the actual competent crims were doing a decade or more ago....
I thought since chip and pin came out here in the UK you could no longer swipe. I know there was a switch over period where you could do both, but are we not past that now? Are the systems backwards compatible for foreigners perhaps?
Does swipe still work anywhere in the UK?
AFAIR, in Switzerland, payment processors charge a higher fee for magstripe transactions than for chip & PIN because of the risk, so the merchant has an interest to use chip & PIN.
In the Netherlands, most magstripe reader slots in are blocked to prevent mistakes.
The vaunted Chip and Pin, in which so many show such charming trust, is of no use when buying online or over the phone, or at a flea market, or on a ferry with no WiFi.
The credit card credential is inherently insecure. The issue is that remote software views the card as the card owner. Marshall McLuhan's message is writ large in the implementation.
The larger implications of the "fix" for this will prevent it happening for many years in all probability.
>The vaunted Chip and Pin, ..., or on a ferry with no WiFi.
The point of the chip is that IT verifies the pin without a connection to the bank
>The credit card credential is inherently insecure
The chip is pretty secure.
Entering the pin on an untrusted keyboard supplied by the shop who also have a swipe of the magstripe isn't
The chip is pretty secure.
For sufficiently small values of "pretty", perhaps.
I'll grant it's a pretty good way for banks to transfer liability to customers, though.
Does swipe still work anywhere in the UK?
Most places I've been in the UK will use mag-stripe if the card isn't EMV, and often even if it is but there are problems with EMV.
US cards only started to get EMV recently (and even then, most of the ones I've received are "chip and signature", with no provision for a PIN). Until my most recent trip to the UK last month, I didn't have any EMV cards; but that's never been a problem.
"..that do not require the three or four -digit CVV numbers on the back of cards..."
Are there any?
I can't remember the last time I wasn't required to provide the CVV no. as well, when making a credit card payment online. It must have been several years ago. In fact, I'm always surprised that most online forms still have a "What is this?" popup near the CVV box –given that it's been in use for so long, World & Dog must know what it is, by now.
when making a credit card payment online
The device described by the article is designed to attack physical PoS terminals, not for online purchases.
Of course, the card-number-prediction algorithm is a vulnerability for online purchases, and as some others have noted, there are indeed merchants who don't require CVV for purchases.
Fifteen years ago I figured out how credit card numbers were issued to customers and how to determine a series without any difficulty. Credit card issuers need to change their ways as consumers are getting attacked from all directions.
U.S. authorities reported this week that in the past six months they have discovered a dramatic increase in credit card scanners placed inside gas station fuel pumps and convenient stores. These scanners that can be bought for less than $100 online either record the credit card data or transmit it to the perps. Either way credit cards as well as bank accounts can be cleaned out in an instant and they are. In most cases debit cards have no protection against illegal access where as credit cards often have a $50 maximum exposure depending on the c/c and company terms. It's only going to get worse because no one is guarding the money. Check you accounts weekly or suffer the consequences.
Indeed. We had a commidea integration pack back in 1998 complete with scanners, "fake" cards for testing etc. We had the SDKs and were very surprised at how easy it was to fake cards. Not every transaction was posted immediately back for testing, there were floor limits assigned and the commidea unit and if the limit wasn't broken then it would only phone home in batches - (we were a large PC retail outlet with hundred of stores), i.e. the local unit would pass small transactions. It was good fun "testing" but obviously we didn't want to try it for real...
Why is it that, when taking photographs of small stuff, people use coins for scale? It's likely that the majority of people (Certainly here on el Reg), might never have seen or at least not be intimately familiar with the dimensions of the currency in question. It seems like the perfect opportunity to implement some thing of a recognised international standard, like a ruler (preferably metric and imperial measurements) or perhaps a linguine, where everyone can recognised whether the item in question is an inch, or 60mm across.
(That's a 20 fl oz imperial pint, by the way)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
