back to article Hacker predicts AMEX card numbers, bypasses chip and PIN

Brainiac hacker Samy Kamkar has developed a US$10 gadget that can predict and store hundreds of American Express credit cards and use them for wireless transactions, even at non-wireless payment terminals. The mind-blowing feat is the result of Kamkar cracking how the card issuer picks replacement numbers, and in dissecting …

  1. jinx3y

    Great job Reg, for posting someone else's story with your own slant: http://www.wired.com/2015/11/samy-kamkar-10-dollar-tool-can-guess-and-steal-your-next-credit-card-number/

    1. AceRimmer

      There is a bit of a love going on between the two mags

      http://www.theregister.co.uk/2015/09/21/wired_uk_promo/

      I just hope they're using suitable protection

      1. Michael Wojcik Silver badge

        There is a bit of a love going on between the two mags

        Well, Wired needs all the love it can get. (Or a swift and merciful death, which would be fine by me.)

        But perhaps the Reg has just built a machine that can predict stories that will appear in Wired. Doesn't seem like it would be hard.

    2. Steve Knox
      Holmes

      "posting someone else's story with your own slant"

      Also known as "99.999% of journalism."

      Seriously, they're a tech rag, and this is a tech story. Which exactly would you prefer, that they ignore a story squarely in their domain simply because someone else already reported it, or that they copy it more precisely and don't add their own slant?

  2. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    Quiet please

    What's the point of that stupid music?

    1. Anonymous Coward
      Anonymous Coward

      Re: Quiet please

      There's no easy way to say this. It's in your head.

      1. Dwarf

        Re: Quiet please

        Or we all forgot how well the ad blockers work and it really is there on the real site

  4. John Smith 19 Gold badge
    FAIL

    Great job AMEX, because secuity by obscurity works so well

    Why would any card issue not change their PIN generator algorith on at least a semi regular basis?

    AFAIK the only place that has to know it is the head office server.

    If AMEX have never changed this algorith then in principal card issued decades ago could have their PIN's compromised.

    How AMEX handle this will be a very interesting case study on how responsible card companies feel about their customers security.

    1. Crisp

      Re: Great job AMEX, because secuity by obscurity works so well

      The really scary thing is that their algorithm is predictable. From what I gather from the article, from a single card number, you can predict what the replacement card number and expiry date will be.

      So all I have to do is steal your card, wait for it to be reported lost or stolen, and then I can quite happily start spending money on your replacement card. I don't even need to know the pin. I can just pretend to swipe a dummy card with that gadget in my palm and just put a signature down.

      Whoever implemented that algorithm needs to be sentenced to life at an Amazon warehouse.

      1. Anonymous Coward
        Anonymous Coward

        Re: Great job AMEX, because secuity by obscurity works so well

        This all sounds odd to me.

        Predicting a card number that is valid as a Visa/AmEx/MasterCard number is old hat, there have been websites around to do that for years. Predicting the replacement number for a stolen card shouldn't be possible, if AmEx do that algorithmically they deserve to be in trouble.

        Predicting the expiry date doesn't seem that challenging, since it will generally be 2 or 3 years after the request is made. Ask for a new AmEx card in Dec 2015, there are good odds that the expiry date willl be Dec 2018 or maybe Jan 2019. A few trial runs woule establish that.

        Also, whenever I've had a new AmEx card the first thing I have to do is phone AmEx and activate it, which takes a brief security exchange (DOB & name, for example), Simple, but even so, it would not help someone that has just pinched a stranger's card.

        This all sounds to me like a script kiddie bigging himself up a bit.

        1. Bronek Kozicki

          Re: Great job AMEX, because secuity by obscurity works so well

          first thing I have to do is phone AmEx and activate it, which takes a brief security exchange

          that does not help. Since card number (and expiry date) of your new card can be predicted based on the old (compromised) card, this means the criminals can use your new card without having seen it, as soon as you have activated it. In other words, your new card is as compromised as the old one was, because its number and expiry date are predictable.

          1. This post has been deleted by its author

        2. A Non e-mouse Silver badge

          Re: Great job AMEX, because secuity by obscurity works so well

          Predicting the replacement number for a stolen card shouldn't be possible

          My last three or four debit cards have had sequential numbers. (Allowing for the check digit at the end of the card number) I'm waiting to see if my next card continues the sequence.

          Two or three appeared to have sequential CVV codes too - but that could just be coincidence.

          1. Martin-73 Silver badge

            Re: Great job AMEX, because secuity by obscurity works so well

            This spurred me to look through my collection of expired cards (I zap the chips but keep the physical cards for use as filling spatulas for sealant etc around the home: From now on I will be destroying the cards, due to my findings, which are as follows:)

            Barclays, 3 different accounts, 2 business, and one personal, sequence of 2 cards for each of the business accounts and 3 for the personal, including one issued as a replacement due to cancellation (the chip broke!)- all Card numbers sequential, excluding of course the check digit, CVV2 numbers NON sequential.

            Halifax current account, personal. 3 cards (one missing from sequence), digit before check digit was 1, 2, and 4.. (accounting for the missing one). CVV2 again non-sequential

            Nat West (belonging to another family member, sequence of 3 cards in date order, numbers totally different. CVV2s also different of course.

            All cards were visa debit. Looks like Nat West actually win at this one. The finding is... disturbing

    2. Ian Michael Gumby
      Boffin

      Re: Great job AMEX, because secuity by obscurity works so well

      This isn't PIN but how to generate a new card number for an existing card member.

      The issue is that you have an existing system that works... and there's a cost associated with changing the system, and that means developing a new system.

      So until the current system is compromised and the potential damages exceed the cost of the new system, you wont see companies ... changing their existing system. Today Amex, tomorrow MC / Visa , etc ...

  5. parityerror
    Trollface

    The problem isn't that widespread because noone takes Amex

    1. James Hughes 1

      Tesco petrol stations do.

      1. Danny 14

        Barclaycard tried to fob an amex replacement card on me (I think it was originally an "egg" card). I thanked them as I'd forgotten about the Barclaycard and promptly cancelled it.

  6. Your alien overlord - fear me

    Either Amex is crap at thinking up numbers or Samy had access to more than just 20 other numbers. And how extactly did he obtain those ones?

    1. Charlie Clark Silver badge

      Could have jobbed for a day in a trendy coffee shop…

      OTOH given the number of cards Americans generally have all he probably had to was ask a few friends.

      Don't quite know about US liability but in the UK this will mean that AMEX (and probably others) can be expected to be held liable for card fraud until they can demonstrate they have a fix. They normally insure against fraud but I can imagine the insurers also turning them down. Of course, any losses they do incur will be recouped through higher charges but in the meantime it looks like there's money to be made.

  7. J__M__M

    All I know for sure is this guy, Samy Kamkar, is a better person than me.

  8. cantanko

    Don't think for a minute it's only AmEx...

    My UK bank, who for the moment shall remain nameless, presented me with a predictable replacement card number which the original scammers tried to predict in a subsequent phishing e-mail.

    All the bank did was increment the second-to-last digit and recompute the final Luhn check digit. Turns out that most card numbers are in the format AAAA BBBB BBBB BBCD where A is the issuing bank's range, B is the card account number, C is the (sequential) issue of the card and D is the check digit; i.e. the only thing that changed between cards was digit C being incremented.

    Very, very uninspiring. Went into a bank branch with a pad and a pen to explain this to them and ended up on a videoconference to someone somewhere. End result was a completely new card number being issued, but it took a lot of shouting to get that done...

    1. Roq D. Kasba

      Re: Don't think for a minute it's only AmEx...

      That'll be Lloyd's, then, I had the same. Or there's more than one at it. I hope you're conference call actually reaches someone senior enough to be furious and get it changed systematically.

      1. A Non e-mouse Silver badge

        @Roq D. Kasba Re: Don't think for a minute it's only AmEx...

        Trust me, it's not just Lloyds who do it...

      2. Martin-73 Silver badge

        Re: Don't think for a minute it's only AmEx...

        I hope so too, this is... very scary actually. As the reason for being issued with a replacement card (other than due to expiry) is VERY often that the previous one has been compromised.

    2. Anonymous Coward
      Anonymous Coward

      Re: Don't think for a minute it's only AmEx...

      Checking past cards this doesn't just happen with one bank. At least two major banks operating in the UK do this for normal replacements, i.e. expiry date reached. At least one major credit card provider keeps the same number, similar behaviour to at least one now non existent UK bank.

      Non of these were Lloyds.

      1. Trainee grumpy old ****
        FAIL

        Re: Don't think for a minute it's only AmEx...

        And it's not just replacement cards. At least one UK card provider issues add-on cards with the same number and CVV as the main account holder's card.

    3. Anonymous Coward
      Anonymous Coward

      Re: Don't think for a minute it's only AmEx...

      Generally card number is linked to account number, and all you have is an incrementing issue indicator. If you want a new 'base' number, you need a new account. Honestly, all this guy seems to have done is figured out which digit is the issue indicator (such an achievement!), read the wiki article on the Luhn algorithm, and gobbed it all together with some sort of RFI thing that borks the chip reader.

      So he's claiming credit for something the actual competent crims were doing a decade or more ago....

  9. Peter 26

    Is there anywhere in the UK that still allows just using the magnetic strip?

    I thought since chip and pin came out here in the UK you could no longer swipe. I know there was a switch over period where you could do both, but are we not past that now? Are the systems backwards compatible for foreigners perhaps?

    Does swipe still work anywhere in the UK?

    1. Wim Ton

      Re: Is there anywhere in the UK that still allows just using the magnetic strip?

      AFAIR, in Switzerland, payment processors charge a higher fee for magstripe transactions than for chip & PIN because of the risk, so the merchant has an interest to use chip & PIN.

      In the Netherlands, most magstripe reader slots in are blocked to prevent mistakes.

    2. Down not across

      Re: Is there anywhere in the UK that still allows just using the magnetic strip?

      Does swipe still work anywhere in the UK?

      Yes. The card terminals fall back to mag stripe if they have issue with the chip. I've had that happen quite recently.

    3. Stevie

      Re: Is there anywhere in the UK that still allows just using the magnetic strip?

      The vaunted Chip and Pin, in which so many show such charming trust, is of no use when buying online or over the phone, or at a flea market, or on a ferry with no WiFi.

      The credit card credential is inherently insecure. The issue is that remote software views the card as the card owner. Marshall McLuhan's message is writ large in the implementation.

      The larger implications of the "fix" for this will prevent it happening for many years in all probability.

      1. Yet Another Anonymous coward Silver badge

        Re: Is there anywhere in the UK that still allows just using the magnetic strip?

        >The vaunted Chip and Pin, ..., or on a ferry with no WiFi.

        The point of the chip is that IT verifies the pin without a connection to the bank

        >The credit card credential is inherently insecure

        The chip is pretty secure.

        Entering the pin on an untrusted keyboard supplied by the shop who also have a swipe of the magstripe isn't

        1. Danny 14

          Re: Is there anywhere in the UK that still allows just using the magnetic strip?

          morrisons self pay accept magstripe if the chip wont read. Plenty of self pay terminals say "swipe the side if you do not have a chip on your card" so that will probably work too.

        2. Michael Wojcik Silver badge

          Re: Is there anywhere in the UK that still allows just using the magnetic strip?

          The chip is pretty secure.

          For sufficiently small values of "pretty", perhaps.

          I'll grant it's a pretty good way for banks to transfer liability to customers, though.

    4. Michael Wojcik Silver badge

      Re: Is there anywhere in the UK that still allows just using the magnetic strip?

      Does swipe still work anywhere in the UK?

      Most places I've been in the UK will use mag-stripe if the card isn't EMV, and often even if it is but there are problems with EMV.

      US cards only started to get EMV recently (and even then, most of the ones I've received are "chip and signature", with no provision for a PIN). Until my most recent trip to the UK last month, I didn't have any EMV cards; but that's never been a problem.

  10. Quortney Fortensplibe
    Paris Hilton

    Payments... At Businesses...

    "..that do not require the three or four -digit CVV numbers on the back of cards..."

    Are there any?

    I can't remember the last time I wasn't required to provide the CVV no. as well, when making a credit card payment online. It must have been several years ago. In fact, I'm always surprised that most online forms still have a "What is this?" popup near the CVV box –given that it's been in use for so long, World & Dog must know what it is, by now.

    1. Bronek Kozicki

      Re: Payments... At Businesses...

      Actually in US it is very common to pay by swiping the magnetic stripe alone. Depending on shop or purchase value you may be asked for signature. At no point neither PIN nor CVV is verified. I was surprised by this, too.

      1. JamieL

        Re: Payments... At Businesses...

        on a recent trip to the US I was amazed that no retailers even looked at the card signature. Just as well really because (in an attempt to prevent fraud should my card be stolen) I'd written on my signature strip "NO SIGNATURE PIN ONLY"

    2. Anonymous Coward
      Anonymous Coward

      Re: Payments... At Businesses...

      You might be asked to provide it, doesn't mean it's required. We ask but don't forward to the payment processor because we get more failures due to cvv typos than we do due to fraud, so overall our payment rates are still higher.

      AC for obvious reasons.

    3. Anonymous Coward
      Anonymous Coward

      Re: Payments... At Businesses...

      Amazon do not require CVV

    4. Michael Wojcik Silver badge

      Re: Payments... At Businesses...

      when making a credit card payment online

      The device described by the article is designed to attack physical PoS terminals, not for online purchases.

      Of course, the card-number-prediction algorithm is a vulnerability for online purchases, and as some others have noted, there are indeed merchants who don't require CVV for purchases.

  11. Anonymous Coward
    Anonymous Coward

    A day in the life of a flux reversal

    I can't believe this article and the maker fail to reference this old gem from 1992, complete with ASCII graphics:

    http://phrack.org/issues/37/6.html

  12. JCF2009

    GIF site infected

    My Norton internet security program is flagging the site of that GIF (meter-small2.gif, linked to in the article) as infected and dangerous.

  13. NanoMeter

    To the horror of the world

    it seems to become easier and easier to hack, not the opposite.

  14. Rory B Bellows

    How i met your girlfriend

    Samy gave a great talk at Defcon 18 called "How I met your girlfriend"... it's on youtube and i'm sure the average Reg reader would enjoy it...

  15. Anonymous Coward
    Anonymous Coward

    This is not rocket science

    Fifteen years ago I figured out how credit card numbers were issued to customers and how to determine a series without any difficulty. Credit card issuers need to change their ways as consumers are getting attacked from all directions.

    U.S. authorities reported this week that in the past six months they have discovered a dramatic increase in credit card scanners placed inside gas station fuel pumps and convenient stores. These scanners that can be bought for less than $100 online either record the credit card data or transmit it to the perps. Either way credit cards as well as bank accounts can be cleaned out in an instant and they are. In most cases debit cards have no protection against illegal access where as credit cards often have a $50 maximum exposure depending on the c/c and company terms. It's only going to get worse because no one is guarding the money. Check you accounts weekly or suffer the consequences.

    1. Danny 14

      Re: This is not rocket science

      Indeed. We had a commidea integration pack back in 1998 complete with scanners, "fake" cards for testing etc. We had the SDKs and were very surprised at how easy it was to fake cards. Not every transaction was posted immediately back for testing, there were floor limits assigned and the commidea unit and if the limit wasn't broken then it would only phone home in batches - (we were a large PC retail outlet with hundred of stores), i.e. the local unit would pass small transactions. It was good fun "testing" but obviously we didn't want to try it for real...

  16. Stevie

    Bah!

    Wait ... people still use American Express?

    1. Yet Another Anonymous coward Silver badge

      Re: Bah!

      Well Americans .... perhaps

  17. A K Stiles
    Pint

    For scale

    Why is it that, when taking photographs of small stuff, people use coins for scale? It's likely that the majority of people (Certainly here on el Reg), might never have seen or at least not be intimately familiar with the dimensions of the currency in question. It seems like the perfect opportunity to implement some thing of a recognised international standard, like a ruler (preferably metric and imperial measurements) or perhaps a linguine, where everyone can recognised whether the item in question is an inch, or 60mm across.

    (That's a 20 fl oz imperial pint, by the way)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like