FedEx Kinko's ExpressPay card (and others?) hacked

by Thomas Ricker, posted Mar 3rd 2006 at 8:45AM

Earlier this week, information security company Secure Science released a video of a hack that would defeat FedEx Kinko's ExpressPay card's limited security. As with all traumatic events, FedEx first issued a denial, but have recently come to accept the situation, albeit with the position that the hack "does not pose a significant risk" to consumers. Yeah, it wouldn't 'cause the hack allows you to load, say $1 onto your ExpressPay card at a kiosk and then bump it to oh, say $100 using an off-the-shelf card reader connected to your PC. See, the payment cards are protected by a simple, unencrypted security code. While sniffing the code from the FedEx Kinko's terminal as it writes data to the card is no easy task (think soldering iron and logic analyser), the code is the same for all cards so it's (now) only a matter of time until that 3-bytes of black magic ends up on the ol' Internet, eh? Thing is, the FedEx Kinko's system is developed by enTrac Tech and also deployed in hotels and other locations across the country. We think you can see where this is heading -- hacker road trip!

[Via Hack A Day]

Filed under: Misc. Gadgets

Reader Comments (Page 1 of 1)

Neutral

Nothingness @ Mar 3rd 2006 8:55AM

First!
its spelled analyzer
313.37 is a good limit!

Neutral

T-4 @ Mar 3rd 2006 9:14AM

I love proof of concept style hacks. I wonder how vicious people will be about this. Wouldn't FedExKinko's just be able to tell, server side, how much money is on a card? I like technology that leaves all the information on the client's side. Very smart.

Neutral

Quentin @ Mar 3rd 2006 9:20AM

Haha, they think they are "31337".

Neutral

Richard @ Mar 3rd 2006 9:24AM

Holy Schnikes.

Remind me to stop at the Kinko's tonight after work and buy 10 bucks worth of 1 dollar cards.

I can't wait to print out wallpaper size prints using their large format printers... zing!

Neutral

Excuse me for my terrible grammar @ Mar 3rd 2006 9:42AM

Somewhere in 1997, the first time I use kinko's and I paid $5 to put credit in card. Somehow, I get too much credit as $100 worth. So, I took advantage and print as much as I could use for college.

I really don't have idea how I got that error. lol. Of course, kinko's change new system probably two years later and I only have around 20 credit lefts and it become useless to new system. I tried asked if I could get money back from credit, they said no. haha

Neutral

Harmlessinc @ Mar 3rd 2006 12:44PM

T4 - the whole point of this particular hack is that FedEx Kinko's doesn't keep a database of the cards serial numbers. So they change the SN to any random number (or not so random in the video) and add whatever amount they want.

Neutral

adm @ Mar 3rd 2006 5:18PM

value on card is 31337. Funny.

Neutral

nojok3 @ Mar 3rd 2006 5:39PM

LOL Adm I saw the price but kind of skipped over it with the 3 in front.

I wonder why the cards weren't encrypted to begin with

Neutral

Mischa Lockton @ Mar 4th 2006 3:18PM

serves them right for bilking us on all of those little amounts that get "stuck" on the card or simply expire.

what is great is that hackers can rip off fedex but not you and me with this deal.

even greater is that every day they become more and more irrelevant as people crank out what they need in their home offices with cheap asian printers.

Neutral

JDM @ Mar 7th 2006 7:24AM

If this is widely used by hackers, then it can really hurt FEK and the employees because this is essentially forging money and taking away profits which go towards employee's paychecks. Just a little FYI.

Neutral

Blaze @ Mar 23rd 2006 7:56PM

Well, I see a use, If I get the number, then I can use this card as my own personal auth system on my machine. The cards cost $1.95/unit and I can get them for $1, a small but nice deal.

Neutral

me @ Oct 7th 2006 1:00AM

what software do you need to use for the kinkos hack

Neutral

Mike @ Oct 21st 2007 8:56PM

Anyone know what/where the card reader program is available online? Hopw somebody could shed some light on this topic?

Add your comments

Your comments:

Remember me

E-Mail me when someone replies to this comment

Please keep your comments relevant to this blog entry. Email addresses are never displayed, but they are required to confirm your comments.

When you enter your name and email address, you'll be sent a link to confirm your comment, and a password. To leave another comment, just use that password.

To create a live link, simply type the URL (including http://) or email address and we will make it a live link for you. You can put up to 3 URLs in your comments. Line breaks and paragraphs are automatically converted — no need to use <p> or <br /> tags.