Compliance Management, Privacy

Samy Kamkar’s latest trick, spoofing canceled Amex cards

Security researcher Samy Kamkar has discovered a way to “resurrect” a cancelled American Express card.

Kamkar said he has figured out the algorithm American Express uses to create new card numbers having. He came about this when he noticed a pattern in how Amex assigns numbers after he lost his own card and received a replacement. He then compared those two cards to others in his possession and the pattern clicked.

“This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number,” he wrote.

However, he cannot create new accounts, but only predict what the account number will be on a replacement card. Other information he is able to suss out is the new expiration date.

This data is than loaded onto a card like Coin using a magstripe writer.

Ashley Tufts, director of corporate affairs  for American Express told SCMagazine.com in an email Wednesday, "
American Express has many years of experience fighting fraud and Samy's observation is not a security concern for our Card Members."

Kamkar notified American Express and will not release the algorithm, he said.

"All credit card companies must adhere to the same ISO Standards for issuing card numbers. Like other card issuers, we use a standardized sequence for new and replacement cards. Given the ISO Standards, it's not a secret that account numbers have a formulaic sequence, which Samy has noticed. However, as his post stated, simply knowing a Card Member's account number and expiration date is not enough for a fraudster to complete a purchase," Tufts said.

Kamkar is well known for hacking through technology. Earlier this year was able to exploit a vulnerability he discovered in GM's OnStar RemoteLink mobile application that lets an attacker identify, locate, unlock and start an OnStar-enabled vehicle. In another feat he said his tool, “OpenSesame,” allows him to open any garage door that uses a fixed code system to communicate with its wireless remote.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.