“One hundred percent of them followed my predictions,” Kamkar said in a phone interview Tuesday. He just needs the old card number and the expiration date to complete the calculation.
To share his findings with the wider security community, Kamkar has developed MagSpoof, a device which can use his algorithm to predict any replacement card's number based on a canceled card's digits.
“Simply knowing a card number wouldn’t allow a fraudster to complete a purchase face-to-face because a card product would need to be dipped at many of the stores with EMV chip portals, or swiped. In addition, the security code embedded in the card product would need to be verified. For both EMV chip and magnetic stripe cards, the security code changes with the card number and is impossible to predict,” writes AmEx spokesperson Ashley Tufts.
Tufts's explanation notwithstanding, not all PoS terminals are created the same. For instance, Kamkar was able to complete transactions using two of his own guessed cards at two different restaurants. EMV technology is not air-tight, either.
"I discovered that if I can modify the service code, or create a new card with a different magstripe with the same data but just flip that bit, I can essentially disable that requirement for the chip," the hacker said, as related by CSO Online.
He went on to do just that, making a purchase with a card that should have gone through a chip-and-PIN transaction. It is clear that MagSpoof could be misused if it fell into the wrong hands. As a result, Kamkar has designed the device so that users cannot store magnetic stripes that they are not legally authorized to possess. In other words, they must own the magnetic stripes in order to study them using his device. MagSpoof costs $10 to make and requires no more than a micro-controller, a motor-driver, wire, a resistor, a switch, an LED, and a battery. Assembly instructions can be downloaded from GitHub.