Fedex Kinko’s smart cards hacked


Researchers at Secure Science Corporation have broken the ExpressPay stored-value card system used at FedEx Kinko’s stores, which is supplied by enTrac. The cards are write-protected by a 3-byte security code. That code travels between the reader and the card in the clear, so it can be captured with a logic analyzer on the card contacts during an ordinary transaction, and because the card’s contents are stored unencrypted, anyone holding the code can write whatever data they like to the card. Worse, the security code is the same across all cards, so one capture unlocks every card in circulation.

FedEx Kinko’s stated that the report was inaccurate, so Lance James and Strom Carlson made a video of themselves doing the hack in a store: they put $1.00 on a card at the kiosk and then use it to log into a computer, which shows the balance of $1.00. They log out and use a separate laptop and card reader/writer to change the balance to $50.00 and modify the serial number. They then use the card to log back into a computer, which shows the balance of $50.00. They let one minute pass so that $0.20 is charged to the card. Finally they log out and use the self-service kiosk to print a receipt showing their balance of $49.80 under the fake serial number. At this point an attacker could take the card to the service counter and ask for the balance in cash.

Note what the demo shows: the terminals and the kiosk accept whatever balance and serial number the card presents, including a serial the system never issued, so a rewritten card is indistinguishable from a legitimately loaded one.
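To make the attack concrete, here is an added Python model of it. This is illustration written for this post, not code from Secure Science, Lance James or Strom Carlson, and it assumes the card is an SLE4442 (the chip the comments below point at), that the 3-byte security code (the PSC) is identical on every card, and a constructed memory layout with the balance and serial in plain main memory at made-up offsets; the PSC value and serials are likewise constructed. Only the PSC check and its three-try error counter follow the SLE4442 datasheet, and even that is simplified (the real card leaves the counter updates to the terminal). It walks through the capture of the code from one legitimate session, the rewrite of another card, the store accepting it, and the caveat that guessing the code on a real card burns the counter.

```python
"""SLE4442-style stored-value card, modelled to show the ExpressPay attack.

Added example for this post, not code from Secure Science or the researchers.
Assumptions: SLE4442 card, one PSC shared by every card, balance and serial in
plain main memory at the constructed offsets below. Only the PSC / error-counter
behaviour follows the datasheet; the terminal-driven counter updates of the real
chip are collapsed into compare_psc().
"""
from typing import List, Optional, Tuple

# Constructed memory layout; enTrac's real encoding is not published.
SERIAL_OFF, SERIAL_LEN = 0x20, 4     # serial number, big-endian
BALANCE_OFF, BALANCE_LEN = 0x30, 4   # balance in cents, big-endian

Trace = List[Tuple[str, bytes]]      # what a logic analyzer on I/O would see


class SLE4442:
    def __init__(self, psc: bytes, serial: int = 0, cents: int = 0) -> None:
        assert len(psc) == 3
        self.main = bytearray(256)           # 256 bytes of main memory, no crypto
        self.psc = bytes(psc)
        self.error_counter = 3               # datasheet: three tries, then locked
        self.unlocked = False
        self.bus: Trace = []
        self.main[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN] = serial.to_bytes(SERIAL_LEN, "big")
        self.main[BALANCE_OFF:BALANCE_OFF + BALANCE_LEN] = cents.to_bytes(BALANCE_LEN, "big")

    def read(self, off: int, n: int) -> bytes:
        self.bus.append(("READ", bytes([off, n])))
        return bytes(self.main[off:off + n])

    def compare_psc(self, guess: bytes) -> bool:
        # The PSC is shifted over the I/O line unencrypted: anything probing the
        # contacts records it. Each miss burns one of the three tries.
        self.bus.append(("COMPARE_PSC", bytes(guess)))
        if self.error_counter == 0:
            return False                     # permanently locked
        if guess == self.psc:
            self.error_counter = 3
            self.unlocked = True
            return True
        self.error_counter -= 1
        return False

    def write(self, off: int, data: bytes) -> bool:
        if not self.unlocked:
            return False
        self.bus.append(("WRITE", bytes([off]) + bytes(data)))
        self.main[off:off + len(data)] = data
        return True

    def balance(self) -> int:
        return int.from_bytes(self.main[BALANCE_OFF:BALANCE_OFF + BALANCE_LEN], "big")

    def serial(self) -> int:
        return int.from_bytes(self.main[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN], "big")


def terminal_charge(card: SLE4442, store_psc: bytes, cents: int) -> bool:
    """A rental terminal: trusts the balance on the card, presents the shared
    PSC, writes the new balance back. Nothing is reconciled with a server."""
    bal = int.from_bytes(card.read(BALANCE_OFF, BALANCE_LEN), "big")
    if bal < cents or not card.compare_psc(store_psc):
        return False
    return card.write(BALANCE_OFF, (bal - cents).to_bytes(BALANCE_LEN, "big"))


def sniff_psc(trace: Trace) -> Optional[bytes]:
    """The logic-analyzer step: the 3 bytes that followed the compare command."""
    return next((d for cmd, d in trace if cmd == "COMPARE_PSC"), None)


def rewrite_card(card: SLE4442, psc: bytes, cents: int, serial: int) -> bool:
    """The laptop + reader/writer step from the video."""
    if not card.compare_psc(psc):
        return False
    ok = card.write(BALANCE_OFF, cents.to_bytes(BALANCE_LEN, "big"))
    return ok and card.write(SERIAL_OFF, serial.to_bytes(SERIAL_LEN, "big"))


def run_attack() -> dict:
    STORE_PSC = bytes.fromhex("5a17c3")     # constructed; the real code is withheld
    # 1. Attacker's own $1.00 card, probed during one legitimate charge.
    mine = SLE4442(STORE_PSC, serial=0x00001001, cents=100)
    terminal_charge(mine, STORE_PSC, 20)
    leaked = sniff_psc(mine.bus)
    # 2. Any other card unlocks with the same code: $50.00 and a fake serial.
    target = SLE4442(STORE_PSC, serial=0x00002002, cents=100)
    rewritten = rewrite_card(target, leaked, 5000, 0x31337)
    # 3. Back in the store, a minute of computer time ($0.20) is accepted.
    accepted = terminal_charge(target, STORE_PSC, 20)
    return {"leaked": leaked, "rewritten": rewritten, "accepted": accepted,
            "receipt_cents": target.balance(), "receipt_serial": target.serial()}


def guess_instead_of_sniff(true_psc: bytes, guesses: List[bytes]) -> Tuple[bool, bool]:
    """Caveat: guessing against the card itself is a one-way trip because of the
    error counter. Returns (a guess was accepted, card still opens with true PSC)."""
    card = SLE4442(true_psc)
    hit = any(card.compare_psc(g) for g in guesses)
    return hit, card.compare_psc(true_psc)
```

The point of `run_attack()` is that nothing the attacker does requires the store’s cooperation beyond one normal transaction: the shared code is recovered passively, and the terminal’s own charge step then validates the forged balance and serial. `guess_instead_of_sniff()` is the practitioner’s caveat: on a real SLE4442 three wrong presentations lock the card for good, which is why the researchers captured the code off the bus instead of guessing it.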

[thanks Sith from Midnight Research Labs]

[fix: I had originally stated they bought a new card at the kiosk]

[photo: caribb]

Comments

  1. This was a bunch of fun doing this at Kinkos with Strom! It’s actually a very easy concept once you see it done.

    Like Mitch Hedberg said:

    Kinko’s is my favorite copy place ’cause it’s open 24 hours. Like, if it’s three in the morning, and I suddenly decide I need two of something, I’m covered. Sometimes I will wake up in the middle of the night in a cold sweat: “Shit… oh ya, Kinko’s… alright, that will not remain singular.”

  2. CaptSnuffy says:

    I imagine things are hectic right now at fedex kinkos HQ

    You’d think they’d be more careful with these things, it shouldn’t have to take actual exploitation to get a company to consider their security.

  3. Steve says:

    Wow. Talk about a glaring flaw in the system. I wonder how long it will be before they even acknowledge the problem. How many decades it will take to fix it is anyone’s guess.

  4. chrozz says:

    one of those things that we all wish we would have figured out before they came out…

  5. dan diemer says:

    so… the maximum balance is 313.37?

    did anyone realize that spells ELEET?

  6. Ken says:

    very slick. it used to be much easier way back when they first implemented the keycard kiosks.

    31337 – classic! ;P

    most likely the limit is 200 or something and their device allows them to put on any amount, so any amount over X will give that response. definitely intentional. ;)

  7. taylor says:

    Wow…A picture is worth a thousand words eh? I’d say that one is worth about 31337 words…. Nice! LOL

  8. The maximum value you can put on the card at the kiosk is $100 (though the way the value is encoded on the card, the theoretical maximum is one hundred thousand centillion dollars). I needed a not-unreasonably-huge value which was highly unlikely to be achieved through normal everyday use, yet be fairly obvious that it wasn’t just some random occurrence. Thus, $313.37 :)

  9. One part I found funny, are they shown buying a brand new card with a balance of one dollar that just happened to have some writing from a marker on it, or did they have the card in advance? Seems it would be a better demo if they bought a fresh card first for the hack.

    This took forever to d/l. Here’s an Azureus magnet link (16.19 MB):

    magnet:?xt=urn:btih:A3PNUUOZHN53GVT5A42G6Q3HMIQLX2WN

    1. Copy the link text with a control-c
    2. Launch everyone’s favorite Java-powered p2p app: Azureus
    3. Hit control-l, follow the dialog box to download the .torrent file
    4. Right-click on the file listing and select queue, to start the d/l

  10. strider_mt2k says:

    As if the hack itself wasn’t cool enough, a Mitch Hedberg reference???

    Really very good and nice.

  11. Kevin says:

    The tragedy is that it’ll probably be these two guys who get sued, not the incompetent morons at entrac who sold fedex-kinko’s an unbelievably insecure system.

  12. TWEAQ says:

    thats freaking awesome. now i just need a smart card writer.

  13. Alan says:

    Wow talk about lack of security. I give it a week before these cards start showing up on EBay…

  14. StePhen says:

    except for the fact that you can trade in the card for cash so selling them would be redundant.

  15. grayskies says:

    Looks like Engadget and C|Net “borrowed” this story from you.

  16. Kevon says:

    I love the company’s response.

    Nope no issues here, nope none.

  17. kevinin says:

    wow, that is cool! wonder, how much money they made secretly =)

  18. Fist Of Konshu says:

    The college I went to had similar ones to these as our ID cards. They used a magnetic strip instead of a microchip. We also used them as a paperless money system. It was several years back so you couldn’t get a card reader for under $100. (a little steep for a college student) Some CS friends of mine and I were working on converting a cassette tape backup drive to work as a reader and writer. We had to disassemble it and write our own driver for it to get it to work. We eventually were able to read some of the info off the card but ran out of time to dissect it. Was a pretty cool project. Where there is a will there is a way.

  19. av1d says:

    sued? they didn’t break any laws. if they have any common sense, once it’s fixed they’ll be asking people to attack the machine to see if it’s more secure.

  20. TWEAQ says:

    btw you can buy smart card writers on ebay for about $15 shipped.

  21. drkagent says:

    Anyone figure out the ATM hack like in Terminator 2?

  22. az324 says:

    hmm now to see if i can find that dtv emu kit around here somewhere.

  23. av1d says:

    That ATM “jackpotting” (as well as the key-card cracking) can allegedly be done using EMP / TEMPEST (electromagnetic pulsing) with an induction coil. For example, http://www.google.com/search?q=%22Method+3.+TEMPEST+IV%22&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official

    Don’t forget to add the Atari Portfolio palmtop for the added effect. ;-]

  24. luicy says:

    i need a valid ssn mmn cc cvv1 dob info

  25. joemuggs666 says:

    There is a discrepancy in the description of their hack though. I went to a Kinko’s store and got a stored value card and the smart chip has six contacts on it, yet the data sheet for the SLE4442 shows eight contacts.

    I’ve e-mailed Strom and hopefully he will clear this up!

  26. morcheeba says:

    joe666 – I just got my card, too ;-)
    Two pins are no-connects; maybe that’s it.

  27. Two pins are not connected at all, and so it makes absolutely no sense to waste money on contact pads for pins that are not connected. This is fairly common in the smartcard universe.

    Yay, thinking.

  28. ilan1 says:

    Hi Strom, I just sent you e-mail but you can reply to me here so that others can see your reply. I had the same question about the 8 contacts in the data sheet vs. the 6 contacts on the actual card.

    Is the pinout of the smart chip the same as in:

    http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf

    except that the bottom two no-connects are just missing?

    The data sheet shows a total of 3 no-connects and my question basically is: if I start at the top of the chip card and then go counter-clockwise, are the contacts: VCC, RST, CLK, I/O, N/C, GND?

    Is there a particular smart card reader/writer that you recommend? I saw that you use the ACS in your video. Can you give the exact model number that you use?

    Thanks!

  29. james says:

    they mention a 3-byte security code that is the same at all stores, yet they never state what it is. does anyone know?

  30. Spork says:

    I believe that is an ACR30 SMART card reader.
    It comes in USB and serial. Not sure which they used (Probably USB on a laptop)

  31. CDE says:

    Not on behalf of strom, but…. He won’t release the security code because he did not intend this as a way for people to steal from kinkos. Just to alert people that it can be done. Unlike other “exploits” done at stores, this one requires a certain degree of practical knowledge to pull off, and the need for certain equipment not very common as well. So, if you want to do it, learn to do it, don’t just follow a set of directions.

  32. mark says:

    I STILL THINK THAT SOMEONE SHOULD POST STEP BY STEP

  33. e pl says:

    Hey all,

    I’m a Fedex Kinkos employee but think that this is a great hack as it was bound to happen! Anyway, here are some things they didn’t mention, that i know about the cards from working there.

    There are three card types… Purple, Blue and Green (Green is the Skeleton key.. read on).

    * Purple cards have a stored value. Money can be added at the kiosk or at the counter, and can also be refunded at the counter, but you have to fill out your name, phone number and sign for it.

    * Blue cards are called convenience cards. They can be preauthorized at the counter to make either 10 or 25 copies, so that the person can just make a few copies and pay after, instead of getting a card. They expire after 24 hours.

    * Finally is the mega card, the green card. Green cards are for EMPLOYEES ONLY. They can be activated for 24 hours using any employee’s name. Once activated they can be used to make unlimited free copies or minutes on the computers, and are so that we can do copy jobs in the express area without having to pay. The green card can also be made into a config card which lets you mess around with the server settings on the card readers.

    If someone could change the type, they could have access to all of these functions. Good luck and hopefully corporate will fix this soon!

  34. I’ve gotten legitimate refunds on my stored-value expresspay cards many times, and not once have I ever been asked for a single piece of personal information. I hand in the card and get back my cash, no questions asked.

    I would be interested in reading the blue and green cards to gain more insight into how the ExpressPay system operates, although I’ve never had either one in my possession.

  35. Spork says:

    I like #32 especially after 31 just said that was not the intention.

    Anyhow, Strom, great hack here. I like how everyone wants to try it now (have to admit it interests me too). Anyhow I hope nobody writes a step-by-step, they’d be the one getting sued (if anyone) Strom made a point, a step-by-step is basically stealing. (or accessory thereof)

  36. jason says:

    Question: How do you find out what chipset is used for the smartcard? I’ve been interested in this project but stopped when the connections didn’t look like the one on my other smart card(s). What is the best way you recommend to get a data sheet on a smart card?

  37. druidism says:

    Just wondering what program and setting values used to read/write to the card? They never really let you see it in the video.

  38. jason says:

    Alright, I’m going to agree with the minority. They can’t come out and just tell you, “Use this program, build this circuit, press this button.” That would be stealing. My advice: get data sheets, learn to read them, learn to actually write some code. A little low level programming and a parallel port can open up the world.

  39. maluc says:

    the ACR30 is a nice reader/writer specifically for Siemens smartcards and some others.

    “Siemens: SLE4406, SLE4418, SLE4428, SLE4432, SLE4442”

    the cheapest i found was $29.95, free ship at:
    http://www.smartcardsupply.com/Content/Hardware/ACR30.htm
    ebay is even cheaper, but slower and with compatibility issues.

    as for logic analyzers, you could buy a relic one on ebay for $50 and lug it to fedex (size of an oscilloscope) or a $200 portable one .. or do either of the following:

    1.) Use a microcontroller of your choice, or laptop serial port to record the communications between card and Kinkos reader; emulating what a logic analyzer does (and later downloading to a computer, if you chose the microcontroller path). locating the three reference data bytes is trivial.

    2.) Use a microcontroller of choice (as i’ll be doing this weekend) or PC’s parallel port to brute-force through the security code’s 2^24 possibilities – attempting 3 at a time, reset power, reset/memread command, then repeat until found. Expect it to take the better part of 24hrs, your mileage will vary. This is done safely at home however, and without you being present – safest approach IMHO.

    *This definitely assumes you listen to #38′s advice, datasheets are your friend*
    http://www.acs.com.hk/downloads_datasheet/SLE4432_42.pdf
    http://www.sample.microchip.com -free PICs

    Long post sry, and not for the kiddies

  40. yuva says:

    the content is good and informative ,but some new free tutorials should be added to database to help naive hackers.

  41. blaine says:

    Naive hackers should keep their training wheels on.

    This one’s not for you.

    Besides, Kinkos knows about this and I will guarantee you that they have now instructed employees to call the police at even the slightest suspicion of smart card funny business, to curb their losses and set an example to others.
    An electronic fraud/petty theft conviction, even if it’s just a misdemeanor, will absolutely *kill* your chances of ever getting a great job or getting any kind of security clearance, for the rest of your life.
    Consider this hack burnt if you value your future.

  42. ryan says:

    security code is 923 use it wisely!

  43. ryan says:

    security code is 923 use it wisely!

  44. co9rey says:

    How can someone learn to read and write to mag stripe type cards? Sorry, I am new. Love this site; info is for information purposes only.

  45. Jason says:

    This just reminded me of something. I got an American Express Smart Card reader a while back and it’s been sitting in the box for over a year. Is this card reader just a rebadged generic card reader or can I use it to read other smart cards. Anyone know?

  46. Jason says:

    This just reminded me of something. I got an American Express Smart Card reader a while back and it’s been sitting in the box for over a year. Is this card reader just a rebadged generic card reader or can I use it to read other smart cards. Anyone know?

  47. maluc says:

    #44 you’ll need to buy a magstripe reader/writer, but it’s considerably more expensive than a smart card one. Look to spend around $150 on eBay :/
    As for the software, StripeSnoop is a great program and free.
    http://stripesnoop.sourceforge.net/

    #46 it’s a safe bet that it’s a rebranded reader from another company. it’s much easier for them to pay licensing fees and get a product now, than to hire a programmer for the same price and have him reinvent the wheel for several months. However, their drivers may be crippleware, and then you’ll have to reinstall with generic PC/SC drivers. Try looking at its datasheet if they give one, and poking around its drivers with a tool called Dependency Walker. it’ll be a DLL in the system32 folder. Google the exported function names, and see if you find another SC driver with a similar naming scheme..

    **Also for those buying the ACR30 .. you’ll have a hard time programming for it if you don’t buy the $99 SDK kit. Without either the ACR30.h header file, or information on the SCardControl() command to select the card type, it won’t be able to read memory cards (like Kinko’s) without first changing this option. I’ll try reverse engineering it later this week .. but if someone successfully has, or has ACR30.h/ACR38.h .. feel free to email it to arserbin3 at yahoo dot fr ^^ (fr not com)

  48. ryan kamfolt says:

    OK GUYS I’M BACK. I WAS THE ONE WHO POSTED THE #42 AND #43 COMMENT. I WAS ONLY KIDDING. BUT I DO HAVE THE CODE AND BY VISITING MY SITE I AM SHOWING HOW I GOT THE CODE BUT NOT THE PROGRAMMING I USED OR A FEW OTHER THINGS. YOU CAN GET THE HINT BY GETTING WHITEPAPERS ON THE CARD AND ALSO BUYING A SOLDERING IRON. HERE’S THE STUFF: http://WWW.KECKSLIST.ORG/KINKOS

  49. maluc says:

    **update to end of #47 .. if you ignore the flowchart on page 4 of ACS’s pc/sc programming reference: http://acs.com.hk/downloads_manual/PMA_ACx30.pdf

    you can connect just fine without ‘selecting’ the memory type.. just connect with SCARD_PROTOCOL_T0 (or SCARD_PROTOCOL_DEFAULT)

    flowchart to follow:
    SCardEstablishContext
    SCardListReaders (use first string returned)
    SCardConnect (SCARD_SHARE_SHARED & SCARD_PROTOCOL_T0 <- zero, not ‘oh’)
    SCardTransmit (SCARD_PCI_T0 & SendBuffer filled with {0x00, Command, Arg1, Arg2, ...})
    all transmits..
    SCardDisconnect (SCARD_LEAVE_CARD)
    SCardReleaseContext

    Commands for Transmit:
    Read: 0x00, Write: 0x01, WriteProtected: 0x02,
    SubmitSecCode(PCODE): 0x03, ChangeSecCode:0x04?,
    ReadSecCode: SendBuff[0xFF,0xB1,0x00,0x00,0x00]
    *write/writep/changecode untested as i haven’t gotten the seccode yet – batt wires crossed on way home :/ .. tape ’em up as i shoulda done..

    also, #48’s method works, although his example isn’t a how-to.. read your datasheets. also, i HIGHLY advise you invest the $2.49+tax at Fry’s or an electronics store and buy some conductive copper tape instead of using 22-26 gauge wire.. it’s too thick to fit in the reader

    conductive tape is paper thin and copper on the top side.. extend it 2-3 inches past the card across tape/paper, as it gets sucked in kinda deep.. then you can solder on some wires
    http://www.tedpella.com/16067.jpg

  50. someone in black and purple says:

    to add to what #33 said and #34′s comments…

    I also work at FedEx Kinko’s and I’ve worked at several branches so let me clarify; technically anyone who attempts to refund the money off of a purple stored value card is only supposed to fill out a refund form when they are receiving more than $10 back. However in my experience management never enforced this policy except at one store, and even in that case the customer can make up completely false information as we don’t check their actual ID.

    Quick question, why does this seem so much of a longer process than it looks in the video? do logic analyzers connect to the store’s card readers or to your own? and what is #48’s method? does anyone have his page saved? the page is now gone…
