FedEx Kinko's ExpressPay card (and others?) hacked
Earlier this week, information security company Secure Science released a video
of a hack that would defeat FedEx Kinko's ExpressPay card's limited security. As with all traumatic events, FedEx
first issued a denial, but has recently come to accept the situation, albeit with the position that the hack
"does not pose a significant risk" to consumers. Yeah, it wouldn't 'cause the hack allows you to load, say $1
onto your ExpressPay card at a kiosk and then bump it to oh, say $100 using an off-the-shelf card reader connected to
your PC. See, the payment cards are protected by a simple, unencrypted security code. While sniffing the code from the
FedEx Kinko's terminal as it writes data to the card is no easy task (think soldering iron and logic analyser), the
code is the same for all cards so it's (now) only a matter of time until those 3 bytes of black magic end up on the ol'
Internet, eh? Thing is, the FedEx Kinko's system is developed by enTrac Tech and also deployed in hotels and other
locations across the country. We think you can see where this is heading -- hacker road trip!
[Via Hack A Day]

First!
It's spelled analyzer
313.37 is a good limit!
I love proof of concept style hacks. I wonder how vicious people will be about this. Wouldn't FedExKinko's just be able to tell, server side, how much money is on a card? I like technology that leaves all the information on the client's side. Very smart.
Haha, they think they are "31337".
Holy Schnikes.
Remind me to stop at the Kinko's tonight after work and buy 10 bucks worth of 1 dollar cards.
I can't wait to print out wallpaper size prints using their large format printers... zing!
Sometime in 1997, the first time I used Kinko's, I paid $5 to put credit on the card. Somehow, I got too much credit, $100 worth. So, I took advantage and printed as much as I could use for college.
I really have no idea how I got that error. lol. Of course, Kinko's changed to a new system probably two years later and I only had around 20 credits left and it became useless in the new system. I tried asking if I could get money back for the credit; they said no. haha
T4 - the whole point of this particular hack is that FedEx Kinko's doesn't keep a database of the cards' serial numbers. So they change the SN to any random number (or not so random in the video) and add whatever amount they want.
value on card is 31337. Funny.
LOL Adm I saw the price but kind of skipped over it with the 3 in front.
I wonder why the cards weren't encrypted to begin with
serves them right for bilking us on all of those little amounts that get "stuck" on the card or simply expire.
what is great is that hackers can rip off fedex but not you and me with this deal.
even greater is that every day they become more and more irrelevant as people crank out what they need in their home offices with cheap asian printers.
If this is widely used by hackers, then it can really hurt FEK and the employees because this is essentially forging money and taking away profits which go towards employees' paychecks. Just a little FYI.
Well, I see a use, If I get the number, then I can use this card as my own personal auth system on my machine. The cards cost $1.95/unit and I can get them for $1, a small but nice deal.
what software do you need to use for the kinkos hack
Anyone know what/where the card reader program is available online? Hope somebody could shed some light on this topic?