
Hackable FedEx Kinko's cards

by Ivana Strahija on March 4th, 2006

Security experts from the company Secure Science have found an easy and cheap way to boost the credit on a Kinko's card and change its serial number, allowing hours of free printing, scanning, surfing and Xeroxing at a local Kinko's.


"By soldering wires to the contact points of the card and then connecting those wires to an inexpensive logic analyzer, an attacker can sniff the three-byte code as the kiosk or a card terminal prepares to write data to the card. This security code appears to be the same across all FedEx Kinko's ExpressPay cards currently in circulation," writes Lance James of Secure Science in an e-mail to a mailing list. He further explains that from that point on one can write any data to the card, including changing the value and the serial code.

"Most disturbing, however, is that since stored-value cards can be cashed out by an employee at the register at any time, an attacker could cash out altered cards obtained at little or no monetary cost. If a card is cashed out, its serial number does not appear to be invalidated in the system. If an attacker were to clone a known good card and cash it out, the clone would still be usable," James writes.

The researchers had the proof-of-concept on February 8 and sent it to FedEx and enTrac Technologies (which developed the system) on February 15. At first FedEx denied the existence of the problem, but on March 2 it issued a statement saying that "a security weakness in the payment card system used in its FedEx Kinko's stores doesn't pose a significant risk to the company, or any risk to customers."

A FedEx spokesperson described the vulnerability as stealing, which will not be tolerated in their stores, but did not say a word about tightening security or making the cards less hackable.

