A prominent hacker and security researcher has revealed a device that raises a number of security concerns for credit card companies. Samy Kamkar, responsible for one of the fastest spreading (harmless) computer viruses of all time, introduced his MagSpoof device in a post on his personal site. The capabilities of this device reveal a number of potential security issues for credit card companies and holders. Most notably, Kamkar was able to predict new American Express credit card numbers and expiration dates based on a customer's previous card number.

In his post, he states, “After losing a card and Amex quickly sending me a replacement, I noticed many of the digits were similar. I pulled up the numbers to several other Amex cards I had, and then compared against more than 20 other Amex cards and replacements and found a global pattern that allows me to accurately predict American Express card numbers by knowing a full card number, even if already reported lost or stolen.” Kamkar identified the formula used by American Express to generate new card information after the old card has been cancelled. Hypothetically, if your credit card information is stolen, this security flaw could allow criminals to calculate the number and expiratoin date of your new card.

Kamkar also examined the magnetic strip at the back of the card: “The service code within a credit card magstripe defines several attributes of the card, including whether the card can dispense cash, where it can work (nationally, internationally), and most interestingly, whether the card has a built in IC (Chip) and if it has a pin (Chip-and-PIN / EMV).” With regards to the chip-enabled cards, Kamkar discovered that he could bypass the chip requirement and disable this additional security feature by modifying the code or creating a new card with the same data. 

Kamkar notified American Express about the issue before going public. Furthermore, while he released the software and specifications for the device, he did not release the portion that would allow someone to generate new American Express numbers. Such research is intended to reveal potential security flaws in a pre-emptive, productive manner, in order to avoid similar exploits by cybercriminals in the future. It’s also a good reminder to remain vigilant about credit card use during the shopping season.