FlyerTalk Forums - View Single Post - Expiration dates?
View Single Post
Old Aug 18, 2006, 7:10 am
  #5  
karthik
 
Join Date: Jul 2005
Location: BOS
Programs: CO Silver; DL FO; SPG Gold; HH Gold
Posts: 880
Originally Posted by Joe1690
So my guess is that Amex usually issues their charge cards and some credit cards with 2 year expiration date and then ups them all to 3 years except the blue which because of the chip had a 4 year expiration.
Interesting point about Blue: If you have a Blue replaced to somewhere other than your home address via regular mail, the replacement they send you has no chip and is valid for only 90 days (and they mail you a regular one at the same time to your home address.) So I think you're right about the longer expiry so they don't have to replace those chips...

Still confused about my 1.5 year expiring SkyMiles card! It's not a big deal since it can obviously just be replaced then, but it is kind of odd. Never seen Amex or any other card issuer issue anything with < 2 years, so it does seem like a human-caused error.

I've also just noticed another severe problem with replacement cards as well: your account number DOES NOT change. The card format is documented elsewhere in the forum and on the web, so I'll skip that part, but only 2 digits change: the 4th to last digit, which is the sequence number (starts at 1, incremented for a replacement), and the checksum digit at the end.

The checksum algorithm is trivial. So let's say you previously had a card 3715 123456 71007; a US Amex charge card with an account number of 1234567, first card issued (sequence number of 1), primary cardholder (00), and a checksum of 7 (easily calculated by hand.) Your first replacement card number will be 3715 123456 72005. (To make it even simpler, for the first 3 replacements, you just have to subtract 2 from the checksum to get the new one. So the next card ends in 73003, then 74001.)

This is disturbing because anyone who steals my card can easily figure out what the new card number will be. Why doesn't Amex change your account number when you have a card replaced? I believe other institutions do exactly that. They do issue you a new random 4-digit CID, but this is not on the magstripe and thus not required for an in-person transaction, and many online transactions do not require the CID. (And there are lots of online stores that require your 3-digit CVV2/CVC2 for a Visa/MC but do not require the CID for an Amex!) And your expiration date changes of course, but that's easy enough to guess at with just a few attempts (especially with a charge card where it generally seems to be exactly 2 years.) So in perhaps 1 - 2 attempts for a charge card and no more than 10 or so for a credit card, a shrewd thief could have figured out your new card number and expiration date which is all that's needed to make a duplicate card of your replacement.

Funny how Amex tells you to keep in mind that your account number will be different when you request a replacement card...
karthik is offline