Imagine you have lost your credit card and applied for a fresh credit card from your bank. What if some criminal is using your new credit card before you have even received it?
Yes, it's possible, at least with this $10 device.
Hardware hacker Samy Kamkar has built a $10 device that can predict and store hundreds of American Express credit card numbers, allowing anyone to use them for wireless payment transactions, even at non-wireless terminals.
The device, dubbed MagSpoof, guesses the next credit card number based on a cancelled credit card's number, and the new expiration date based on when the replacement card was requested.
This process does not require the three- or four-digit CVV numbers that are printed on the back of credit cards.
The tiny gadget would be a dream for any card fraudster, who could pilfer cash from stolen credit cards even after they have been blocked or cancelled by their owner.
MagSpoof is a device that can…
…on American Express credit cards.
The wireless function of MagSpoof works by emitting a strong "electromagnetic field" that emulates a traditional magnetic stripe card as if it is physically being swiped.
> "What is incredible is that the magstripe reader requires no form of wireless receiver, RFID, or NFC – MagSpoof works wirelessly, even with standard magstripe readers," Kamkar says in his blog. "You can put it up to any traditional point of sales system, and it will believe that a card is being swiped."

After losing an American Express card, Kamkar noticed that the replacement card's number appeared to have a relationship with his previous three American Express cards.
Kamkar recorded all the numbers and worked out a global pattern that allowed him to accurately predict up to 20 American Express card and replacement card numbers shared with him by his friends for his research.
You can watch the video demonstration that shows the hack at work.
Kamkar has also published the code on GitHub, along with instructions for building your own MagSpoof device, but…
…the code will be somewhat altered because Kamkar has removed the code's ability to deactivate EMV and hasn't released the AMEX prediction algorithm.
American Express has been notified of the issue and says the company is working on a fix.
For an in-depth explanation of MagSpoof, read the full blog post by Kamkar.