Page 1 of 1 |
Invasor
Moderator
Posts: 7638
Location: On the road
|
Posted: Thu, 26th Nov 2015 00:44 Post subject: Hacking credit cards (Amex is shit) |
|
 |
Quote: | A device built by legendary hacker Samy Kamkar calls into question the security of payment cards as the U.S. continues to grapple with card fraud.
Kamkar's device, nicknamed MagSpoof, is about the size of a U.S. quarter, and it's safe to say it would be a fraudster's dream.
MagSpoof can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.
It can also trick point-of-sale readers into accepting payment from cards that are supposed to have a microchip with advanced cryptographic capabilities designed to deter fraud, a system known as chip-and-PIN, but do not.
He noticed that the replacement card's number appeared to have a relationship with other Amex cards he'd had in the past. Kamkar worked out a formula for how the number was calculated, which matched up to 40 cards and replacement cards shared with him by his friends for his research.
"One hundred percent of them followed my predictions," Kamkar said in a phone interview Tuesday. The card generation algorithm "is not very random."
To do the calculation, Kamkar said he just needs the old card number and the expiration date.
The danger, of course, is that cybercriminals with access to the old card's details could figure out the new card number before the victim has even received it. Once the card is active, the fraudster can go shopping.
American Express officials could not be immediately reached for comment on Monday. Kamkar says he notified them in August, but the company told him they didn't think it was a major issue.
...
U.S. retailers have been upgrading their systems to accommodate chip-and-PIN as card companies are now holding them more accountable for fraud if systems are not upgraded.
Chip-and-PIN, also known as EMV, has been used in areas such as Europe for more than a decade. The payment cards have security features that make them difficult to clone, and transactions are authorized in part by a cryptographic microchip.
If someone with a chip-enabled card goes to Target these days and swipes their card's magnetic stripe, the point-of-sale system will see the service code and know that it's a chip card and ask for it to be inserted into a reader, Kamkar said.
"But I discovered that if I can modify the service code, or create a new card with a different magstripe with the same data but just flip that bit, I can essentially disable that requirement for the chip," he said.
Kamkar modified the service code and was able to buy something by swiping a card when it should have been a chip-and-PIN transaction.
"I was flabbergasted," he said.
When asked if it was Target, Kamkar laughed and said it "was a major retailer."
 |
source
|
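A defender-side view of the service-code check described in the quoted article, as an added example that is not part of the original post or the article: it parses Track 2 data and compares the swiped service code with the value the issuer has on file instead of trusting the stripe. The first-digit meanings (2 or 6 means the card carries a chip) follow ISO/IEC 7813; the `issued_codes` record, the decision strings and all sample swipes are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<3-digit service code><discretionary>?
TRACK2_RE = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

# First service-code digit 2 or 6 means the card carries a chip (IC).
CHIP_FIRST_DIGITS = {"2", "6"}


class Track2(NamedTuple):
    pan: str
    expiry_yymm: str
    service_code: str


def parse_track2(raw: str) -> Optional[Track2]:
    """Return the parsed fields, or None if the swipe data is malformed."""
    m = TRACK2_RE.match(raw.strip())
    return Track2(m.group(1), m.group(2), m.group(3)) if m else None


def assess_swipe(raw: str, issued_codes: dict) -> str:
    """Decide how to treat a magstripe swipe.

    issued_codes is a hypothetical issuer-side record mapping each PAN to the
    service code the card was personalised with. Trusting the swiped value
    alone is what lets an edited stripe skip the chip prompt.
    """
    track = parse_track2(raw)
    if track is None:
        return "reject: malformed track 2"
    issued = issued_codes.get(track.pan)
    if issued is None:
        return "reject: unknown card"
    if track.service_code != issued:
        return "decline: service code differs from issuer record"
    if track.service_code[0] in CHIP_FIRST_DIGITS:
        return "prompt: insert chip"
    return "allow: magstripe-only card"


# Constructed sample data using well-known test PANs, not real cards.
ISSUED = {"4111111111111111": "201", "4012888888881881": "101"}
GENUINE_CHIP = ";4111111111111111=25122010000000000?"
EDITED_CHIP = ";4111111111111111=25121010000000000?"  # first digit 2 -> 1
GENUINE_STRIPE = ";4012888888881881=25121010000000000?"

if __name__ == "__main__":
    for swipe in (GENUINE_CHIP, EDITED_CHIP, GENUINE_STRIPE):
        print(assess_swipe(swipe, ISSUED))
```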
 |
Invasor
Moderator
Posts: 7638
Location: On the road
|
Posted: Thu, 26th Nov 2015 01:48 Post subject: |
|
 |
p.s. I wonder if Visa and Mastercard are any better... after any major hack to a random online store, credit card data is often dumped at certain places, meaning that a lot of people have access to these old CC numbers that will soon be canceled. Using that you can discover the new number for the new cards that will replace them.... Also, people usually throw away old cards, but if you find them in the trash now you can figure out the new number... this is really, really bad.
 |
|
Posted: Thu, 26th Nov 2015 02:24 Post subject: |
|
 |
Hope that guy does not have a tragic suicide with 2 bullets in the back of his head in the next weeks/months
It's obvious that these systems have flaws that are exploitable but big players behind it usually do not like it if you poke around
paxsali wrote: |
Now, I don't know what hardware costs in Poland, I guess it's cheaper because everything is stolen from Germany and resold... |
 |
garus
VIP Member
Posts: 34200
|
Posted: Thu, 26th Nov 2015 09:41 Post subject: |
|
 |
snip
Last edited by garus on Tue, 27th Aug 2024 21:38; edited 1 time in total
 |
JBeckman
VIP Member
Posts: 34994
Location: Sweden
|
Posted: Thu, 26th Nov 2015 11:16 Post subject: |
|
 |
Quote: |
Kamkar says he notified them in August, but the company told him they didn't think it was a major issue.
|
Not a major issue for them huh? Wonder what they'll say now that he's gone public with this discovery.
 |
Przepraszam
VIP Member
Posts: 14501
Location: Poland. New York.
|
Posted: Fri, 27th Nov 2015 02:13 Post subject: |
|
 |
Pfiemelcheese wrote: | Nice |
Holy fuck. Where have you been?!!?!
Your last post was back in 2013...Missed your avatar!
And to think that I finally qualified for Amex cards since I got a job. 
All times are GMT + 1 Hour |