This was a bunch of fun doing this at Kinkos with Strom! It’s actually a very easy concept once you see it done.

Like Mitch Hedberg said:

Kinko’s is my favorite copy place ’cause it’s open 24 hours. Like, if it’s three in the morning, and I suddenly decide I need two of something, I’m covered. Sometimes I will wake up in the middle of the night in a cold sweat: “Shit… oh ya, Kinko’s… alright, that will not remain singular.”

Posted at 3:31 pm on Mar 2nd, 2006 by dualdflipflop

I imagine things are hectic right now at fedex kinkos HQ

You’d think they’d be more careful with these things, it shouldn’t have to take actual exploitation to get a company to consider their security.

Posted at 3:38 pm on Mar 2nd, 2006 by CaptSnuffy

Wow. Talk about a glaring flaw in the system. I wonder how long it will be before they even aknowledge the problem. How many decades it will take to fix it is anyones guess.

Posted at 4:47 pm on Mar 2nd, 2006 by Steve

one of those things that we all wish we would have figured out before they came out…

Posted at 4:56 pm on Mar 2nd, 2006 by chrozz

so….the maximum balance is 313.37?

did anyone realize that spells ELEET?

Posted at 5:04 pm on Mar 2nd, 2006 by dan diemer

very slick. it used to be much easier way back when they first implemented the keycard kiosks.

31337 – classic! ;P

most likely the limit is 200 or something and their device allows them to put on any amount, so any amount over X will give that response. definitely intentional. ;)

Posted at 5:22 pm on Mar 2nd, 2006 by Ken

Wow…A picture is worth a thousand words eh? I’d say that one is worth about 31337 words…. Nice! LOL

Posted at 5:31 pm on Mar 2nd, 2006 by taylor

The maximum value you can put on the card at the kiosk is $100 (though the way the value is encoded on the card, the theoretical maximum is one hundred thousand centillion dollars). I needed a not-unreasonably-huge value which was highly unlikely to be achieved through normal everyday use, yet be fairly obvious that it wasn’t just some random occurrence. Thus, $313.37 :)

Posted at 6:53 pm on Mar 2nd, 2006 by Strom carlson

One part I found funny, are they shown buying a brand new card with a balance of one dollar that just happened to have some writing from a marker on it, or did they have the card in advance? Seems it would be a better demo if they bought a fresh card first for the hack.

This took forever to d/l. Here’s an azureus magnetic link (16.19 MB):

magnet:?xt=urn:btih:A3PNUUOZHN53GVT5A42G6Q3HMIQLX2WN

1.copy the link text with a control-c
2.launch everyones favorite java powered p2p app: azureus
3.hit control-l, follow the dialog box to download the .torrent file
4.right-click on the file listing and select queue, to start the d/l

Posted at 7:15 pm on Mar 2nd, 2006 by Standard Mischief

As if the hack itself wasn’t cool enough, a Mitch Hedberg reference???

Really very good and nice.

Posted at 9:06 pm on Mar 2nd, 2006 by strider_mt2k

The tragedy is that it’ll probably be these two guys who get sued, not the incompetent morons at entrac who sold fedex-kinko’s an unbelievably insecure system.

Posted at 9:08 pm on Mar 2nd, 2006 by Kevin

thats freaking awesome. now i just need a smart card writer.

Posted at 11:21 pm on Mar 2nd, 2006 by TWEAQ

Wow talk about lack of security. I give it a week before these cards start showing up on EBay…

Posted at 11:32 pm on Mar 2nd, 2006 by Alan

except for the fact that you can trade in the card for cash so selling them would be redundant.

Posted at 1:13 am on Mar 3rd, 2006 by StePhen

Looks like Engadget and C|Net “borrowed” this story from you.

Posted at 9:23 am on Mar 3rd, 2006 by grayskies

I love the compnay’s response.

Nope no issues here, nope none.

Posted at 10:05 am on Mar 3rd, 2006 by Kevon

wow, that is cool! wonder, how much money they made secretly =)

Posted at 1:58 pm on Mar 3rd, 2006 by kevinin

The college I went to had similar ones to these as our ID cards. They used a magnetic strip instead of a microchip. We also used them as a paperless money system. It was several years back so you couldn’t get a card reader for under $100. (a little steep for a college student) Some CS friends of mine and I were working on converting a cassette tape backup drive to work as a reader and writer. We had to disasseble it ad write our own driver for it to get it to work. We eventually were able to read some of the info off the card but ran out of time to disect it. Was a pretty cool project. Where there is a will there is a way.

Posted at 2:41 pm on Mar 3rd, 2006 by Fist Of Konshu

sewed? they didn’t break any laws. if they have any common sense, once it’s fixed they’ll be asking people to attack the machine to see if it’s more secure.

Posted at 4:49 pm on Mar 3rd, 2006 by av1d

btw you can buy smart card writers on ebay for about $15 shipped.

Posted at 5:38 pm on Mar 3rd, 2006 by TWEAQ

Anyone figure out the ATM hack like in Terminator 2?

Posted at 6:57 pm on Mar 3rd, 2006 by drkagent

hmm now to see if i can find that dtv emu kit around here somewhere.

Posted at 7:00 pm on Mar 3rd, 2006 by az324

That ATM “jackpotting” (as well as the key-card cracking) can allegedly be done using EMP / TEMPEST (electromagnetic pulsing) with an induction coil. For example, http://www.google.com/search?q=%22Method+3.+TEMPEST+IV%22&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official

Don’t forget to add the Atari Portfolio palmtop for the added effect. ;-]

Posted at 9:53 pm on Mar 3rd, 2006 by av1d

i need a valid ssn mmn cc cvv1 dob info

Posted at 9:57 pm on Mar 3rd, 2006 by luicy

There is discrepancy in the description of their hack though. I went to a Kinko’s store and got a stored value card and the smart chip has six contacts on it, yet the data sheet for the SLE4442 shows eight contacts.

I’ve e-mailed Strom and hopefully he will clear this up!

Posted at 11:17 pm on Mar 3rd, 2006 by joemuggs666

joe666 – I just got my card, too ;-)
Two pins are no-connects; may that’s it.

Posted at 12:21 am on Mar 4th, 2006 by morcheeba

Two pins are not connected at all, and so it makes absolutely no sense to waste money on contact pads for pins that are not connected. This is fairly common in the smartcard universe.

Yay, thinking.

Posted at 1:54 pm on Mar 4th, 2006 by Strom carlson

Hi Strom, I just sent you e-mail but you can reply to me here so that others can see your reply. I had the same question about the 8 contacts in the data sheet vs. the 6 contacts on the actual card.

Is the pinout of the smart chip the same as in:

http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf

except that the bottom two no-connects are just missing?

The data sheet shows a total of 3 no-connects and my question basically is: if I start at the top of the chip card and then go counter-clockwise, are the contacts: VCC, RST, CLK, I/O, N/C, GND?

Is there a particular smart card reader/writer that you recommend? I saw that you use the ACS in your video. Can you give the exact model number that you use?

Thanks!

Posted at 3:54 pm on Mar 4th, 2006 by ilan1

they mention a 3-byte security code that is the same at all stores, yet they never state what it is. does anyone know?

Posted at 6:58 pm on Mar 4th, 2006 by james

I believe that is an ACR30 SMART card reader.
It comes in USB and serial. Not sure which they used (Probably USB on a laptop)

Posted at 7:21 pm on Mar 4th, 2006 by Spork

Not on behalf of strom, but…. He won’t release the security code because he did not intend this as a way for people to steal from kinkos. Just to alert people that it can be done. Unlike other “exploits” done at stores, this one requires a certain degree of practicle knowledge to pull off, and the need for certain equipment not very common as well. So, if you want to do it, learn to do it, don’t just follow a set of directions.

Posted at 3:49 am on Mar 5th, 2006 by CDE

I STILL THINK THAT SOMEONE SHOULD POST STEP BY STEP

Posted at 6:49 pm on Mar 5th, 2006 by mark

Hey all,

I’m a Fedex Kinkos employee but think that this is a great hack as it was bound to happen! Anyway, here are some things they didn’t mention, that i know about the cards from working there.

There are three card types… Purple, Blue and Green (Green is the Skeleton key.. read on).

* Purple cards have a stored value. Money can be added at the kiosk or at the counter, and can also be refunded at the counter, but you have to fill out your name, phone number and sign for it.

* Blue cards are called convenience cards. They can be preauthorized at the counter to make either 10 or 25 copies, so that the person can just make a few copies and pay after, instead of getting a card. They expire after 24 hours.

* Finally is the mega card, the green card. Green cards are for EMPLOYEES ONLY. They can be activated for 24 hours using any employee’s name. Once activated they can be used to make unlimited free copies or minutes on the computers, and are so that we can do copy jobs in the express area without having to pay. The green card can also be made into a config card which lets you mess around with the server settings on the card readers.

If someone could someone change the type, they could have access to all of these functions. Good luck and hopefully corporate will fix this soon!

Posted at 12:17 am on Mar 6th, 2006 by e pl

I’ve gotten legitimate refunds on my stored-value expresspay cards many times, and not once have I ever been asked for a single piece of personal information. I hand in the card and get back my cash, no questions asked.

I would be interested in reading the blue and green cards to gain more insight into how the ExpressPay system operates, although I’ve never had either one in my possession.

Posted at 1:04 am on Mar 6th, 2006 by Strom Carlson

I like #32 especially after 31 just said that was not the intention.

Anyhow, Strom, great hack here. I like how everyone wants to try it now (have to admit it interests me too). Anyhow I hope nobody writes a step-by-step, they’d be the one getting sued (if anyone) Strom made a point, a step-by-step is basically stealing. (or accessory thereof)

Posted at 1:42 am on Mar 7th, 2006 by Spork

Question:How do you find out what chipset is used for the smartcard? I’ve been interested in this project but stopped when the connections didn’t look like the one on my other smart card(s). What is the best way you reccomend to get a data sheet on a smart card?

Posted at 2:12 pm on Mar 7th, 2006 by jason

Just wondering what program and setting values used to read/write to the card? They never really let you see it in the video.

Posted at 8:58 pm on Mar 8th, 2006 by druidism

Alright , I’m going to agree with the minority. they can’t come out and just tell you, “Use this program, build this circuit, press this button” That would be stealing. My advice, get data sheets, learn to read them, learn to actually write some code, a little low level programming and a parallel port can open up the world

Posted at 5:37 pm on Mar 9th, 2006 by jason

the ACR30 is a nice reader/writer specifically for Siemans smartcards and some others.

“Siemens: SLE4406, SLE4418, SLE4428,SLE4432, SLE4442″

the cheapest i found was $29.95, free ship at:
http://www.smartcardsupply.com/Content/Hardware/ACR30.htm
ebay is even cheaper, but slower and with compatibility issues.

as for logic analyzers, you could buy a relic one on ebay for $50 and lug it to fedex (size of an oscilloscope) or a $200 portable one .. or do either of the following:

1.) Use a microcontroller of your choice, or laptop serial port to record the communications between card and Kinkos reader; emulating what a logic analyzer does (and later downloading to a computer, if you chose the microcontroller path). locating the three reference data bytes is trivial.

2.) Use a microcontroller of choice (as i’ll be doing this weekend) or PC’s parallel port to brute force thru the security codes 2^24 possibilities – attempting 3 at a time, reset power, reset/memread command, then repeat until found. Expect it to take the better part of 24hrs, your mileage will vary. This is done safely at home however, and without you being present – safest approach IMHO.

*This definitely assumes you listen to #38’s advice, datasheets are your friend*
http://www.acs.com.hk/downloads_datasheet/SLE4432_42.pdf
http://www.sample.microchip.com -free PICs

Long post sry, and not for the kiddies

Posted at 3:26 am on Mar 10th, 2006 by maluc

the content is good and informative ,but some new free tutorials should be added to database to help naive hackers.

Posted at 2:56 am on Mar 12th, 2006 by yuva

Naive Hackers should keep their training wheels on.

This ones NOt for you.

Besides, Kinkos knows about this and I will guarantee you that they have now instructed employees to call the police at even the slightest suspicion of smart card funny business, to curb their losses and set an example to others.
an electronic fraud/petty theft conviction, even if its just a misdemeaner, will absolutely ;kill; your chances of ever getting a great job or getting any kind of security clearance, for the rest of your life.
consider this hack burnt if you value your future.

Posted at 5:01 pm on Mar 13th, 2006 by blaine

security code is 923 use it wisely!

Posted at 12:21 am on Mar 14th, 2006 by ryan

security code is 923 use it wisely!

Posted at 12:21 am on Mar 14th, 2006 by ryan

How can some one learn to read and write to mag stripe type of cards.Sorry iam new. love this site info is for information purposes only.

Posted at 4:44 pm on Mar 19th, 2006 by co9rey

This just reminded me of something. I got an American Express Smart Card reader a while back and it’s been sitting in the box for over a year. Is this card reader just a rebadged generic card reader or can I use it to read other smart cards. Anyone know?

Posted at 5:16 pm on Mar 21st, 2006 by Jason

This just reminded me of something. I got an American Express Smart Card reader a while back and it’s been sitting in the box for over a year. Is this card reader just a rebadged generic card reader or can I use it to read other smart cards. Anyone know?

Posted at 5:16 pm on Mar 21st, 2006 by Jason

#44 you’ll need to buy a magstripe reader/writer.. but it’s considerably more expensive than a smart card one. Look to spend around 150 on ebay :/
as for the software.. StripeSnoop is a great program and free.
http://stripesnoop.sourceforge.net/

#46 it’s a safe bet that it’s a rebranded reader from another company. it’s much easier for them to pay licensing fees and get a product now, than to hire a programmer for the same price and have him reinvent the wheel for several months. However, their drivers may be crippleware, and then you’ll have to reinstall with generic PC/SC drivers. Try looking at its datasheet if they give one, and poking around its drivers with a tool called Dependency Walker. it’ll be a DLL in the system32 folder. Google the exported function names, and see if you find another SC driver with a similar naming scheme..

**Also for those buying the ACR30 .. you’ll have a hard time programming for it if u don’t buy the 99$ SDK kit. Without either the ACR30.h header file, or information of the SCardControl() command to select the card type, it wont be able to read memory cards (like Kinko’s) without first changing this option. I’ll try reverse eng it later this week .. but if someone successfully has, or has ACR30.h/ACR38.h .. feel free to email it to arserbin3 at yahoo dot fr ^^ (fr not com)

Posted at 12:05 am on Mar 22nd, 2006 by maluc

OK GUYS IM BACK. I WAS THE ONE WHO POSTED THE #42 AND #43 COMMENT. I WAS ONLY KIDDING. BUT I DO HAVE THE CODE AND BY VISITING MY SITE I AM SHOWING HOW I GOT THE CODE BUT NOT THE PROGRAMMING I USED OR A FEW OTHER THINGS YOU CAN GET THE HINT BY GETTIN WHITEPAPERS ON THE CARD AND ALSO BUYING A SAUDER IRON. HERES THE STUFF: HTTP://WWW.KECKSLIST.ORG/KINKOS

Posted at 5:02 am on Mar 22nd, 2006 by ryan kamfolt

**update to end of #47 .. if you ignore the flowchart on page 4 of ACS’s pc/sc programming reference: http://acs.com.hk/downloads_manual/PMA_ACx30.pdf

you can connect just fine without ’selecting’ the memory type.. just connect with SCARD_PROTOCOL_T0 (or SCARD_PROTOCOL_DEFAULT)

flowchart to follow:
SCardEstablishContext
SCardListReaders (use first string returned)
SCardConnect (SCARD_SHARE_SHARED & SCARD_PROTOCOL_T0 < -zero not 'oh')
SCardTransmit (SCARD_PCI_T0 & SendBuffer filled with {0x00, Command, Arg1, Arg2, ...}
all transmits..
SCardDisconnect (SCARD_LEAVE_CARD)
SCardReleaseContext

Commands for Transmit:
Read: 0x00, Write: 0x01, WriteProtected: 0x02,
SubmitSecCode(PCODE): 0x03, ChangeSecCode:0x04?,
ReadSecCode: SendBuff[0xFF,0xB1,0x00,0x00,0x00]
*write/writep/changecode untested as i haven't gotten the seccode yet - batt wires crossed on way home :/ .. tape em up as i shoulda done..

also, #48s method works, although his example isnt a how-to.. read your datasheets. also, i HIGHLY advise u invest the $2.49+tax at fryes or an electronic store and buy some conductive copper tape instead of using 22-26 gauge wire.. its too thick to fit in the reader

conductive tape is paper thin and copper on the top side.. extend it 2-3inches past card across tape/paper, as it gets sucked in kinda deep.. then u can solder on some wires
http://www.tedpella.com/16067.jpg

Posted at 11:48 pm on Mar 25th, 2006 by maluc

to add to what #33 said and #34’s comments…

I also work at FedEx Kinko’s and I’ve worked at several branches so let me clarify; technically anyone who attempts to refund the money off of a purple stored value card is only supposed to fill out a refund form when they are receiving more than $10 back. However in my experiance management never enforced this policy except at one store, and even in that case the customer can make up completely false information as we don’t check their actual ID.

Quick question, why does this seem so much of a longer process than it looks in the video? do logic analyzers connect to the stores card readers or to your own? and what is #48’s method? does anyone have his page saved, the page is now gone…

Posted at 4:46 am on Apr 24th, 2006 by someone in black and purple

The page is still there but you have to type the address out because the capitol KINKOS doesnt work so it should look like http://www.keckslist.org/k i n k o s without the spaces of course

Posted at 3:52 am on Apr 27th, 2006 by ryan kamfolt

HTTP://67.119.87.140/kinkos

Posted at 3:55 am on Apr 27th, 2006 by ryan kamfolt

Sorry for some reason on my server you have to add the / to the end of the address so here is a working address:

http://www.keckslist.org/kinkos/

Posted at 4:19 am on Apr 27th, 2006 by ryan kamfolt

well i found the code just now, and having tried many methods over these two months.. the one that worked like a charm was a logic analyzer .. if ur smart u can find one for $155US shipped, and worth every penny

u can also do as a friend is doing, and make your own logic analyzer using the parallel port.. but it can be a pain in the ass; microcontroller versions even worse +_+

the keckslist example is also a nice possibility, but you have to make sure to get a smartcard reader that has a ‘read security memory’ command for the sle4442 ..the ACR30 does not!

good luck,
maluc ^^

Posted at 2:53 pm on Apr 28th, 2006 by maluc

A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though…

Posted at 1:10 pm on Jun 21st, 2006 by frodus

A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though…

Posted at 1:11 pm on Jun 21st, 2006 by frodus

Going back to comment 26, in the UK, the chain of pharmacists use a smartcard with just 6 connectors. Is this the standard chip with different connectors. Can I read this with a standard reader?

Posted at 5:18 pm on Jul 30th, 2006 by piglet

In the UK, Boots Advantage Cards have only 6 connectors. The connector matrix is a rectangle so I’m guessing it’s the same ‘6 lines used, only put 6 onto the thing’.

Posted at 6:03 pm on Jul 30th, 2006 by piglet

One last question (please don’t tell me to UAFSE). I’ve ordered a USB smart-card reader-writer. Is their freeware to allow me to simply alter the card?

Posted at 9:42 am on Jul 31st, 2006 by piglet

Hi,
The torrent in comment 28 doesn’t seem to work. Can someone point me in the direction of a stream that DOES work since I’m gagging to see the guys in action. I also have a vested interest since I’m hoping to do a UK reprise on the hack with the Boots Advantage card. Similarly, it only has 6 connectors & has been going since 1997 so it MUST be quite old technology. Also, being a FREE card, cost is everything. I’ve got everything crossed that they have used an SLE4418 so not even a pin-code is needed ;-)

Many thanks in advance, Sean.

Posted at 3:35 pm on Aug 1st, 2006 by piglet

at this point the attacker can take the card to the service counter and ask for the balance in cash

unfortunately look at image

http://hackadaycom.files.wordpress.com/2008/11/overview.jpg?w=450&h=338

the smart chip has been soldered to (a dead give away that the card has been tampered with).

you may want to try getting a proper connector maybe salvage the card reader slot from an old dish receiver or something.

Posted at 9:40 pm on Nov 25th, 2008 by ejonesss