Device can also accurately predict new credit card numbers

Nov 25, 2015 11:05 GMT  ·  By

Samy Kamkar, the inventor of numerous hacking tools, has created another mind-blowing device, one that can accurately read and predict credit card numbers, and bypass chip & PIN safeguards embedded within modern cards.

The device, called MagSpoof uses information stored on credit/debit cards, inside the standard magstripe (magnetic strip).

Hackers can analyze the magnetic field produced by this magnetic strip, and then store it on MagSpoof. Since the magstripe is used to validate card transactions, the card's number and other details are encoded in the magnetic strip itself.

MagSpoof can make payments by placing it in the vicinity of a card reader

Data can be extracted from magstripes using magstripe readers, or by eye, using metal dust that sticks to the magnetic parts of the magstripe and allows anyone to read the barcode.

By taking this data and feeding it to MagSpoof, Kamkar says he was able to make financial transactions just by placing his device next to PoS payment readers that work based on magstripe readers.

This was possible because MagSpoof, using the magstripe data it was just fed, reproduced that magnetic field at a higher intensity, allowing Kamkar to trigger the payment wirelessly, without actually swiping the card.

Kamkar also says that data from multiple magstripes can be stored on his device at the same time and that MagSpoof can also disable chip&PIN (CnP) safeguards.

MagSpoof can trick card readers, telling them it's a card without a chip (and PIN)

Because PIN requirements are coded as a bit inside the magstripe, which tells the card reader to ask for a PIN, Kamkar just flipped this bit to say the card has no CnP support.

Additionally, because of some of the procedures used when issuing credit/debit card replacements, Kamkar also added a functionality that can predict credit card numbers based on the expiration date from the previous card.

This functionality, if it ever fell into the wrong hands, would allow criminals to use a credit card after it was cancelled, by simply adjusting the magstripe data based on Kamkar's algorithm.

MagSpoof costs around $10 / €9.3 to build and was tested only with American Express-issued cards. Its source code is available on GitHub, but Kamkar has removed the parts that would have allowed hackers to abuse it for fraudulent operations.

MagSpoof in action

Kamkar describes his device in the video below:

Photo Gallery (2 Images)

MagSpoof uses data embedded in a card's magstripe
MagSpoof in action
Open gallery