I remember it was about a year ago when my bank (local Kenyan bank) sent out alarming emails and run ads telling customers to go for a new Chip & Pin debit or credit cards. The reason given was that the old credit/debit cards were less secure, and banks are adopting the latest generation of cards equipped with Chip & Pin safeguards to better protect us from hackers and identity thieves.
Barely a year from then, it seems hackers might have a workaround over the so-called Chip & Pin safeguards and can now continue having their field day if you happen to leave or use your card in an insecure manner. Before you start getting worried, this achievement was done in the form of white hat hacking; whereby a security expert looks for security exploits in a security system.
Samy Kamkar is one such white hat hacker and according to Softpedia, he is a well-renowned inventor of numerous hacking tools. His latest invention, the MagSpoof is a very lethal device should it ever fall into the wrong hands. This device is said to have the ability to read accurately and predict credit card numbers and bypass the Chip & Pin safeguards embedded in the latest generation of cards.
A would-be hacker can analyze the magnetic field being produced from the card’s magnetic strip and store the information obtained on the MagSpoof. Given magnetic stripes are used to validate card transactions, and the card’s number among other details are encoded within the magnetic strip.
Extracting data from the magnetic strip is apparently the easiest part since a hacker can simply use a magnetic stripe reader. They can also use their eye by sprinkling metal dust on the magnetic stripe, and virtually anyone can read the barcode.
Once they have extracted the card number, they feed it to the MagSpoof invented by Kamkar. The MagSpoof can then be simply placed near a PoS payment reader that reads magnetic stripes off credit/debit cards to finish a transaction.
However to execute the transaction, the MagSpoof will need to reproduce a magnetic field similar to the stolen card’s magnetic stripe. The MagSpoof can do that using the magnetic stripe data it was fed, and it will mimic the card’s magnetic field albeit at a higher intensity. The high intense magnetic field generated will allow the hacker to trigger payment even without coming close enough to the magnetic stripe reader at the PoS machine. In other words, hackers do not even need to swipe a card at all, they can do the swipe remotely and wirelessly.
Kamkar further says that the MagSpoof can store magnetic stripe data from multiple cards simultaneously. The device can also disable the Chip & Pin safeguards on the card. PIN requirements are embedded as a bit within the magnetic stripe of a card and used to tell the card readers to ask for a PIN. MagSpoof can bypass this security measure by telling the reader that the card has no Chip & Pin support.
If the credit/debit card owner reports the card as missing and request for a replacement. Kamkar says he has come up with an algorithm that allows the MagSpoof to predict the next credit card number issued to the user.
The MagSpoof can predict the next card number with a high level of accuracy due to the predictability of the system used to generate replacement credit/debit cards by the issuers. Simply put, even if your lost/stolen card has been cancelled, hackers can adjust the magnetic stripe on the MagSpoof using Kamkar’s algorithm and predict your new card’s number with a high level of accuracy.
If you got lost somewhere along the explanation above, the following is a video explaining how the MagSpoof device works, by Sammy Kamkar himself.
Now, this is the part that should get you worried. The MagSpoof device can be assembled at the cost of about $10; meaning virtually anyone can afford it. The source code for the device can also be found on GitHub. But the inventor/programmer Kamkar has excluded an important code that will make it a loaded gun in the hands of the black hat hackers, who will probably want to commit fraud with the device. Kamkar did some successful test on the device using the American Express issued cards.