A new proof-of-concept attack demonstrated how an attacker can predict the number of a replacement American Express credit card, and then use the information to disable Chip and PIN protection. How does credit card hacking work? What are the implications for credit card companies and Chip and PIN security?
Security researcher Samy Kamkar discovered several weaknesses in Amex credit card security and decided to create a tool for wirelessly emulating credit card readers as a proof of concept. His tool, called MagSpoof, works by generating an electromagnetic field that emulates a traditional magnetic stripe card. When a card is swiped through a card reader, the reader uses electromagnetic sensors to read the data stored on the magnetic stripe. This allows the reader to decode the data and use it for the payment process. These same steps can be used for credit card hacking on pretty much any card with a magnetic stripe, including access control cards and loyalty cards.
Kamkar found that he could predict the set of numbers on the next credit card issued to a person based on their current credit card number. Amex also allowed the old CVV, or 4-digit security number, to be reused on the next card. The other piece of data necessary for a payment card transaction is the expiration date, and the dates are relatively easy to predict at two to four years from when the card was issued. Also encoded on the magnetic stripe is information about whether the card supports a chip and whether it has a PIN set. These values can be changed without invalidating the magnetic stripe, so that the person can avoid the requirement of using their Chip and PIN.
Credit card numbers on their own are relatively weak forms of authentication, and their security has historically relied on the need for the physical card to be swiped through a payment terminal, something that is no longer true given today's credit card hacking. Amex card numbers are 15 digits in length, must start with a three, and the second digit must be a four or seven. All payment card numbers need to pass the Luhn check to be valid, and the first six digits are determined by the issuer. So, the range of possible numbers for an Amex number, or any credit card number, is relatively small even when including the security code and expiration date.
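The structural rules above can be written down as a validator, which also shows how little of the number is free once the issuer prefix and check digit are fixed. This Python sketch is an added example, not code from the article or from MagSpoof; the function names are illustrative, and the sample value is the Amex test number commonly published in payment-processor documentation, not a real account.

```python
# Added example: structural checks only, using the rules stated in the text.
AMEX_LENGTH = 15            # "Amex card numbers are 15 digits in length"
ISSUER_PREFIX_DIGITS = 6    # "the first six digits are determined by the issuer"


def luhn_valid(number):
    """Return True if the digit string passes the Luhn checksum."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:       # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9          # same as summing the two digits
        total += digit
    return total % 10 == 0


def is_amex_format(number):
    """Length, leading digits (34 or 37) and Luhn check, as described above."""
    return (
        len(number) == AMEX_LENGTH
        and number[:2] in ("34", "37")
        and luhn_valid(number)
    )


def candidates_per_issuer_prefix():
    """Numbers that fit one six-digit issuer prefix.

    The last digit is forced by the Luhn check, so only
    15 - 6 - 1 = 8 digits are free.
    """
    return 10 ** (AMEX_LENGTH - ISSUER_PREFIX_DIGITS - 1)


def valid_final_digits(first_fourteen):
    """Final digits that make the 15-digit number pass Luhn (always one)."""
    return [d for d in "0123456789" if luhn_valid(first_fourteen + d)]


if __name__ == "__main__":
    sample = "378282246310005"  # published test number, not a real account
    print(is_amex_format(sample))
    print(candidates_per_issuer_prefix())
    print(valid_final_digits(sample[:14]))
```

A format check like this only rejects mistyped or malformed input; passing it says nothing about whether the account exists, which is why the number cannot stand in for authentication.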
To prevent proof-of-concept attacks and this type of hacking, credit card companies should randomly assign new credit card numbers based on available numbers and not allow old security codes to be reused. The legacy support for magnetic stripes will continue to allow fraud through bypassing Chip and PIN security, and credit card companies will need to continue to monitor payment card transactions.