alexlukin - Fotolia

Amex credit card hack predicts replacement card number

Samy Kamkar found a weakness in the algorithm American Express uses to generate replacement card information and created a credit card hack as a proof-of-concept.

Hacker and researcher Samy Kamkar found a troubling weakness in the algorithm used by American Express which allowed him to predict replacement card information based on the old card info.

Kamkar said in a blog post that when he lost his Amex card, he noticed the new card number was very similar to the old one. He compared other Amex cards he had and those from friends and "found a global pattern that allows me to accurately predict American Express card numbers by knowing a full card number, even if already reported lost or stolen." Kamkar has turned this credit card hack into a proof-of-concept device called MagSpoof which can disable Chip and PIN security, store your credit card info, and be used wirelessly on traditional magstripe readers.

Kamkar told SearchSecurity that in order to make purchases with the predicted card info, an attacker would need the card security code (CSC), also known as either the CID or CVV2, but American Express was vulnerable there as well. Kamkar found that the CSC for the old card could still be used with the predicted new card number to make purchases.

Michael Taylor, applications and product development lead for Rook Security Inc. in Indianapolis, said this meant the most dangerous scenario is still when an attacker gains physical access to a card, but it does open up the door to fraud without the CSC.

"To actually perform the transaction without arousing suspicion, an attacker would be able to use a magstripe writer, or a device like MagSpoof, to 'load' the newly devised card information onto a card like Coin," Taylor said, referring to a device which behaves like a traditional payment card, but can store multiple credit cards and membership cards. "Coin itself does not actually verify the CID (CVV2), thus allowing an attacker to load data, and then use the Coin card in person without knowing the CID and exploiting these various issues, as well as disabling Chip and PIN."

Kamkar said he notified American Express about his credit card hack in August and promised to not release the algorithm he found to predict new card info, but Amex doesn't "quite consider it an issue," according to Kamkar.

Taylor said it may be a narrow attack vector that is a low priority for Amex's fraud department.

"This is also a new type of attack, so it could be that they have not yet seen the costs associated with it being exploited," Taylor said. "While the current researcher has stated that he will not be releasing the algorithm himself, attackers being made aware that it exists and understanding the method by which it was originally derived would make it more likely to be discovered and publicized."

Taylor also said that while American Express doesn't consider this credit card hack much of an issue, something needs to be done.

"Amex needs to examine their algorithm that generates replacement cards so that it is no longer predictable and does not utilize the existing account number/card number as a seed for the generation of the next card number," Taylor said. "They should also perform a review of their card replacement process to ensure that if a card was reported stolen, that they continue to examine the account for fraudulent activity after a replacement has been provisioned."

Next Steps

Learn if Chip and PIN technology will boost payment card transaction security.

Learn why Chip and PIN security may not be a panacea against payment card fraud.

Find out more ways to reduce payment card fraud.

Dig Deeper on Threats and vulnerabilities