MagSpoof is an ATtiny85 based device that can accurately predict your next Amex card number, disable chip-and-PIN and even spoof magnetic stripes wirelessly.
After recently losing his credit card, it wasn’t long before American Express sent Samy Kamkar a replacement. It was that moment in time that the serial hacker noticed something quite peculiar: the digits on the new card were similar to his previous ones. With a little more research, he uncovered a global pattern that would enable him to accurately predict the digits on any subsequent Amex card by knowing the preceding card’s full number.
“This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number,” Kamkar explains. “I also know the new expiration date as the expiration date is fixed based on when the new card was requested, and you can determine if the new card has been requested by performing an auth on the existing card.”
Like many of his prior security-focused projects, this discovery yielded another opportunity to highlight a vulnerability. And so MagSpoof was born. Kamkar’s new $10 device is capable of emulating any magnetic stripe or credit card, entirely wirelessly, and storing more than 100 card numbers in various form factors. The unit works by generating an electromagnetic field that’s strong enough to reach a traditional reader’s sensor within close proximity, sending a signal that mimics the card being swiped.
“What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration),” he notes.
And that’s not all. MagSpoof features a button that employs his prediction algorithm. In order words, if a thief using the device finds out that the card they were trying to imitate had been cancelled, the gadget could instantly determine the victim’s next card number.
“As soon as the card gets declined, you press a button and it switches to the next number,” Kamkar tells WIRED. “It sucks for [Amex users], because they could have their new credit card stolen almost instantly.”
Aside from disabling chip-and-PIN protection (a function that he has since removed), accurately predicting expiration numbers and switching between different Amex cards (even when reported lost or stolen), MagSpoof can be employed for security research in any area that would traditionally require a magstripe, such as readers for drivers licenses, hotel room keys and automated parking lot tickets.
As you can tell, the MagSpoof’s hardware doesn’t look anything like a credit card, so a criminal couldn’t just simply hand it to a cashier or waiter without raising any red flags. However, Kamkar points out that he can use a digital credit card device like Coin to store the numbers that his system generates — a technique that would make his trickery much less noticeable.
Impressively, Kamkar built his prototype out of several off-the-shelf components. These included an ATtiny85, a 100mAh 3.7V LiPo battery, a motor driver, an LED, a capacitor, a resistor and some 24AWG magnet wire. He created a smaller version with an ATtiny10 as well. By simply pulsing the H-bridge and activating the coil of wire, the MagSpoof is capable of emulating the swipe of a card. MagSpoof is compatible with the Arduino framework and can work on traditional Arduino boards, as well as ATtiny chips.
According to the hacker, he has notified American Express of the issue and will not exploit their algorithm. Kamkar has made both MagSpoof’s source code and schematics available on GitHub, and elaborates upon his method on his page here.
[h/t WIRED via Samy Kamkar]