Fedex Kinko’s smart cards hacked

fedex

Researchers at Secure Science Corporation have managed to break the ExpressPay system used at FedEx Kinko’s stores which is provided by enTrac. The cards are write protected using a 3 byte security code. You can sniff this data using a logic analyzer and then use the code to write any data you want to the card since it is unencrypted. The security code is the same across all cards. FedEx Kinko’s stated that the article is inaccurate, so Lance James and Strom Carlson made a video of themselves doing the hack in the store: They put $1.00 on a card at the kiosk and then use it to log into a computer and show the balance of $1.00. They logout and use a separate laptop and card reader/writer to change the balance to $50.00 and modify the serial number. Next they use the card to log back into a computer and show the balance of $50.00. They let one minute pass so that $0.20 is charge to the card. Finally they logout and use the self-service kiosk to print out a receipt showing their balance of $49.80 with the fake serial number. At this point the attacker can take the card to the service counter and ask for the balance in cash.

[thanks Sith from Midnight Research Labs]

[fix: I had originally stated they bought a new card at the kiosk]

[photo: caribb]

Comments

  1. ryan kamfolt says:

    The page is still there but you have to type the address out because the capitol KINKOS doesnt work so it should look like http://www.keckslist.org/k i n k o s without the spaces of course

  2. ryan kamfolt says:
  3. ryan kamfolt says:

    Sorry for some reason on my server you have to add the / to the end of the address so here is a working address:

    http://www.keckslist.org/kinkos/

  4. maluc says:

    well i found the code just now, and having tried many methods over these two months.. the one that worked like a charm was a logic analyzer .. if ur smart u can find one for $155US shipped, and worth every penny

    u can also do as a friend is doing, and make your own logic analyzer using the parallel port.. but it can be a pain in the ass; microcontroller versions even worse +_+

    the keckslist example is also a nice possibility, but you have to make sure to get a smartcard reader that has a ‘read security memory’ command for the sle4442 ..the ACR30 does not!

    good luck,
    maluc ^^

  5. frodus says:

    A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though…

  6. frodus says:

    A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though…

  7. piglet says:

    Going back to comment 26, in the UK, the chain of pharmacists use a smartcard with just 6 connectors. Is this the standard chip with different connectors. Can I read this with a standard reader?

  8. piglet says:

    In the UK, Boots Advantage Cards have only 6 connectors. The connector matrix is a rectangle so I’m guessing it’s the same ‘6 lines used, only put 6 onto the thing’.

  9. piglet says:

    One last question (please don’t tell me to UAFSE). I’ve ordered a USB smart-card reader-writer. Is their freeware to allow me to simply alter the card?

  10. piglet says:

    Hi,
    The torrent in comment 28 doesn’t seem to work. Can someone point me in the direction of a stream that DOES work since I’m gagging to see the guys in action. I also have a vested interest since I’m hoping to do a UK reprise on the hack with the Boots Advantage card. Similarly, it only has 6 connectors & has been going since 1997 so it MUST be quite old technology. Also, being a FREE card, cost is everything. I’ve got everything crossed that they have used an SLE4418 so not even a pin-code is needed ;-)

    Many thanks in advance, Sean.

  11. ejonesss says:

    at this point the attacker can take the card to the service counter and ask for the balance in cash

    unfortunately look at image

    http://hackadaycom.files.wordpress.com/2008/11/overview.jpg?w=450&h=338

    the smart chip has been soldered to (a dead give away that the card has been tampered with).

    you may want to try getting a proper connector maybe salvage the card reader slot from an old dish receiver or something.

  12. I’ve really enjoyed reading your articles. You obviously know what you are talking about! Your site is so easy to navigate too, I’ve bookmarked it in my favourites :-D

  13. aaa says:

    asdasd

  14. Haze Him says:

    good info :)

  15. good one..

  16. Hawk says:

    Can the ARC30 allow you to record what is on the card and write it back? That way, you could just keep using the same card over and over without running out. No hacking the card.

    Will this work?

  17. nameless says:

    Has anyone else considered that AFTER the PSC value has been entered, the card cannot then prevent the reading of the PSC (command $31). Connecting +5 to EARTH via an appropriate battery & resistor(s) would allow the value to be read using a standard card reader?

    In the case of the Kinkos thing, this seems a much simpler solution…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 96,304 other followers