alexlukin - Fotolia
A new proof-of-concept attack demonstrated how an attacker can predict the number of a replacement American Express credit card, and then use the information to disable Chip and PIN protection. How does credit card hacking work? What are the implications for credit card companies and Chip and PIN security?
Security researcher Samy Kamkar discovered several weaknesses in Amex credit card security and decided to create a tool for wirelessly emulating credit card readers as a proof of concept. His tool, called MagSpoof, works by generating an electromagnetic field that emulates a traditional magnetic stripe card. When a card is swiped through a card reader, the reader uses electromagnetic sensors to read the data stored on the magnetic stripe. This allows the reader to decode the data and use it for the payment process. These same steps can be used for credit card hacking on pretty much any card with a magnetic stripe, including access control cards and loyalty cards.
Kamkar found that he could predict the set of numbers on the next credit card issued to a person based on their current credit card number. Amex also allowed the old CVV, or 4-digit security number, to be reused on the next card. The other piece of data necessary for a payment card transaction is expiration date, and the dates are relatively easy to predict at two to four years from when the card was issued. Also, encoded on the magnetic strip is information about whether the card supports chip and if it has a PIN set. These values can be changed without invalidating the magnetic stripe so that the person can avoid the requirement of using their Chip and PIN.
Credit card numbers on their own are relatively weak forms of authentication and their security has historically relied the need for the physical card to be swiped through a payment terminal, something that's no longer true in today's credit card hacking. Amex card numbers are 15 characters in length and must start with a three and the second character must be a four or seven. All payment card numbers need to pass the LUHN check to be valid and the first six digits are determined by the issuer. So, the range of possible numbers for an Amex number, or any credit card number, is relatively small even when including the security code and expiration date.
To prevent proof-of-concept attacks and this type of hacking, credit card companies should randomly assign new credit card numbers based on available numbers and not allow old security codes to be reused. The legacy support for magnetic stripes will continue to allow fraud through bypassing Chip and PIN security, and credit card companies will need to continue to monitor payment card transactions.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Read more about Chip and PIN vulnerabilities
Investigate if your credit card merchant stores unencrypted card data
Find out if you are at risk for traffic-sniffing banking malware Emotet
Dig Deeper on Hacker tools and techniques: Underground hacking sites
Related Q&A from Nick Lewis
An iPhone phishing scam leads users to believe malicious incoming calls are from Apple Support. How can enterprises protect their employee against ... Continue Reading
Is GitHub's new private repositories service robust enough to serve the needs of enterprises? Nick Lewis examines what works -- and what doesn't. Continue Reading
The Vidar malvertising attack was part of a two-pronged intrusion that included the installation of ransomware in endpoints. How can enterprises ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.