Someone has made a device that costs $10 which could steal credit
card information when anyone has lost his credit card and applied for a new card. And before he gets it, the device helps hacers to steal or at least guess the credit card number.
The device dubbed MagSpoof was made by Samy Kamkar. The
device can predict and store hundreds of American Express credit card numbers,
allowing anyone to use them for wireless payment transactions, even at
non-wireless terminals.
According to the hackers, MagSpoof can spoof any magnetic
stripe or credit card entirely wirelessly, it also disable chip and PIN (EMV)
protection and accurately predict the card number and expiration date on
American Express credit cards.
“MagSpoof can be used as a traditional credit card and
simply store all of your credit cards (and with modification, can technically
disable chip requirements) in various impressive and exciting form factors, or
can be used for security research in any area that would traditionally require
a magstripe, such as readers for credit cards, drivers licenses, hotel room
keys, automated parking lot tickets, etc,” Kamkar said in a blog post.
MagSpoof emulates a magnetic stripe by quickly changing the
polarization of an electromagnet, producing a magnetic field similar to that of
a normal magnetic stripe as if it's being swiped. The magstripe reader requires
no form of wireless receiver, NFC, or RFID. MagSpoof works wirelessly, even
with standard magstripe readers. The stronger the electromagnet, the further
away you can use it.
The device actually guesses the next credit card numbers and
new expiration dates based on a cancelled credit card's number and when the
replacement card was requested respectively. This process does not require the
three or four-digit CVV numbers that are printed on the back side of the credit
cards.
The hacker has notified American Express and said the
company is fixing the flaw.
