MagSpoof, how to predict American Express card numbers

MagSpoof is a tiny device that can spoof/emulate any magnetic stripe or credit card. It can work wirelessly, even on standard magstripe/credit card readers.

When dealing with hacking we cannot avoid mention the popular  hacker Samy Kamkar (@SamyKamkar), one of the most prolific experts that periodically presents to the security community his astonishing creations, including the Combo Breaker, OpenSesame and KeySweeper.

This time Kamkar has designed new cheap gadget (it goes for US$10) that can predict and store hundreds of American Express (AMEX) credit cards and use them for wireless transactions. The tiny gadget dubbed MagSpoof is a credit card/magstripe spoofer and can be used also at non-wireless payment terminals, it is composed of a micro-controller, motor-driver, wire, a resistor, switch, LED, and a battery.

“MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work “wirelessly”, even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.” states Kamkar. “MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various impressive and exciting form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, drivers licenses, hotel room keys, automated parking lot tickets, etc.”

The hacker clarified that the device does not enable people to use credit cards that they don’t own because it is necessary to have the magstripes that they wish to emulate.

However, this means that crooks could use MagSpoof to rake cash after cards have been cancelled at businesses that do not require the CVV numbers on the back of cards.

After losing a card, Kamkar received a new one as a replacement, then he noticed many of the digits were similar. Analyzing other cards and replacements he discovered a pattern that allows him to predict AMIX card number by knowing a full card number, even if already reported lost or stolen.

“I pulled up the numbers to several other Amex cards I had, and then compared against more than 20 other Amex cards and replacements and found a global pattern that allows me to accurately predict American Express card numbers by knowing a full card number, even if already reported lost or stolen. This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number.

I also know the new expiration date as the expiration date is fixed based on when the new card was requested, and you can determine if the new card has been requested by performing an auth on the existing card.”

Kamkar reported the issue to the American Express that is already working on a fix.

Magspoof  is able to emit a strong “electromagnetic field” that emulates the effect obtained by physically swiping a card. Kamkar has released all the necessary to design a working device, including the source code and the instruction to build it.

“MagSpoof emulates a magnetic stripe by quickly changing the polarization of an electromagnet, producing a magnetic field similar to that of a normal magnetic stripe as if it’s being swiped. What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration).” continues the expert.

Of course, Kamkar precaution disabled the ability to deactivate EMV and has not released the prediction algorithm for the American Express card.

Kamkar has published a animated GIF image that shows how the tiny device works, below a video PoC published by Kamkar:

Kamkar explains that the device could be used to create by readers to create their own versions of Samsung MST or Coin.

Summarizing MagSpoof :

• Allows you to store all of your credit cards and magstripes in one device
• Works on traditional magstripe readers wirelessly (no NFC/RFID required)
• Can disable Chip-and-PIN (code not included)
• Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
• Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
• Easy to build using Arduino or other common parts

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – MagSpoof , hacking)