Comments on: Fedex Kinko’s smart cards hacked http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/ Fresh hacks every day Mon, 23 Nov 2009 07:07:31 +0000 http://wordpress.com/ hourly 1 By: Fat Loss 4 Idiots http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-3/#comment-107194 Fat Loss 4 Idiots Fri, 13 Nov 2009 16:23:11 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-107194 I've really enjoyed reading your articles. You obviously know what you are talking about! Your site is so easy to navigate too, I've bookmarked it in my favourites :-D I’ve really enjoyed reading your articles. You obviously know what you are talking about! Your site is so easy to navigate too, I’ve bookmarked it in my favourites :-D

]]> By: ejonesss http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-3/#comment-52352 ejonesss Wed, 26 Nov 2008 05:40:10 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-52352 at this point the attacker can take the card to the service counter and ask for the balance in cash unfortunately look at image http://hackadaycom.files.wordpress.com/2008/11/overview.jpg?w=450&h=338 the smart chip has been soldered to (a dead give away that the card has been tampered with). you may want to try getting a proper connector maybe salvage the card reader slot from an old dish receiver or something. at this point the attacker can take the card to the service counter and ask for the balance in cash

unfortunately look at image

http://hackadaycom.files.wordpress.com/2008/11/overview.jpg?w=450&h=338

the smart chip has been soldered to (a dead give away that the card has been tampered with).

you may want to try getting a proper connector maybe salvage the card reader slot from an old dish receiver or something.

]]> By: piglet http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17493 piglet Tue, 01 Aug 2006 22:35:45 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17493 Hi, The torrent in comment 28 doesn't seem to work. Can someone point me in the direction of a stream that DOES work since I'm gagging to see the guys in action. I also have a vested interest since I'm hoping to do a UK reprise on the hack with the Boots Advantage card. Similarly, it only has 6 connectors & has been going since 1997 so it MUST be quite old technology. Also, being a FREE card, cost is everything. I've got everything crossed that they have used an SLE4418 so not even a pin-code is needed ;-) Many thanks in advance, Sean. Hi,
The torrent in comment 28 doesn’t seem to work. Can someone point me in the direction of a stream that DOES work since I’m gagging to see the guys in action. I also have a vested interest since I’m hoping to do a UK reprise on the hack with the Boots Advantage card. Similarly, it only has 6 connectors & has been going since 1997 so it MUST be quite old technology. Also, being a FREE card, cost is everything. I’ve got everything crossed that they have used an SLE4418 so not even a pin-code is needed ;-)

Many thanks in advance, Sean.

]]> By: piglet http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17495 piglet Mon, 31 Jul 2006 16:42:34 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17495 One last question (please don't tell me to UAFSE). I've ordered a USB smart-card reader-writer. Is their freeware to allow me to simply alter the card? One last question (please don’t tell me to UAFSE). I’ve ordered a USB smart-card reader-writer. Is their freeware to allow me to simply alter the card?

]]> By: piglet http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17494 piglet Mon, 31 Jul 2006 01:03:18 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17494 In the UK, Boots Advantage Cards have only 6 connectors. The connector matrix is a rectangle so I'm guessing it's the same '6 lines used, only put 6 onto the thing'. In the UK, Boots Advantage Cards have only 6 connectors. The connector matrix is a rectangle so I’m guessing it’s the same ‘6 lines used, only put 6 onto the thing’.

]]> By: piglet http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17496 piglet Mon, 31 Jul 2006 00:18:36 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17496 Going back to comment 26, in the UK, the chain of pharmacists use a smartcard with just 6 connectors. Is this the standard chip with different connectors. Can I read this with a standard reader? Going back to comment 26, in the UK, the chain of pharmacists use a smartcard with just 6 connectors. Is this the standard chip with different connectors. Can I read this with a standard reader?

]]> By: frodus http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17498 frodus Wed, 21 Jun 2006 20:11:05 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17498 A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though... A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though…

]]> By: frodus http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17497 frodus Wed, 21 Jun 2006 20:10:50 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17497 A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though... A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though…

]]> By: maluc http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17499 maluc Fri, 28 Apr 2006 21:53:25 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17499 well i found the code just now, and having tried many methods over these two months.. the one that worked like a charm was a logic analyzer .. if ur smart u can find one for $155US shipped, and worth every penny u can also do as a friend is doing, and make your own logic analyzer using the parallel port.. but it can be a pain in the ass; microcontroller versions even worse +_+ the keckslist example is also a nice possibility, but you have to make sure to get a smartcard reader that has a 'read security memory' command for the sle4442 ..the ACR30 does not! good luck, maluc ^^ well i found the code just now, and having tried many methods over these two months.. the one that worked like a charm was a logic analyzer .. if ur smart u can find one for $155US shipped, and worth every penny

u can also do as a friend is doing, and make your own logic analyzer using the parallel port.. but it can be a pain in the ass; microcontroller versions even worse +_+

the keckslist example is also a nice possibility, but you have to make sure to get a smartcard reader that has a ‘read security memory’ command for the sle4442 ..the ACR30 does not!

good luck,
maluc ^^

]]> By: ryan kamfolt http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17500 ryan kamfolt Thu, 27 Apr 2006 11:19:29 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17500 Sorry for some reason on my server you have to add the / to the end of the address so here is a working address: http://www.keckslist.org/kinkos/ Sorry for some reason on my server you have to add the / to the end of the address so here is a working address:

http://www.keckslist.org/kinkos/

]]> By: ryan kamfolt http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17501 ryan kamfolt Thu, 27 Apr 2006 10:55:43 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17501 HTTP://67.119.87.140/kinkos HTTP://67.119.87.140/kinkos

]]> By: ryan kamfolt http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17502 ryan kamfolt Thu, 27 Apr 2006 10:52:42 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17502 The page is still there but you have to type the address out because the capitol KINKOS doesnt work so it should look like http://www.keckslist.org/k i n k o s without the spaces of course The page is still there but you have to type the address out because the capitol KINKOS doesnt work so it should look like http://www.keckslist.org/k i n k o s without the spaces of course

]]> By: someone in black and purple http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17503 someone in black and purple Mon, 24 Apr 2006 11:46:29 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17503 to add to what #33 said and #34's comments... I also work at FedEx Kinko's and I've worked at several branches so let me clarify; technically anyone who attempts to refund the money off of a purple stored value card is only supposed to fill out a refund form when they are receiving more than $10 back. However in my experiance management never enforced this policy except at one store, and even in that case the customer can make up completely false information as we don't check their actual ID. Quick question, why does this seem so much of a longer process than it looks in the video? do logic analyzers connect to the stores card readers or to your own? and what is #48's method? does anyone have his page saved, the page is now gone... to add to what #33 said and #34’s comments…

I also work at FedEx Kinko’s and I’ve worked at several branches so let me clarify; technically anyone who attempts to refund the money off of a purple stored value card is only supposed to fill out a refund form when they are receiving more than $10 back. However in my experiance management never enforced this policy except at one store, and even in that case the customer can make up completely false information as we don’t check their actual ID.

Quick question, why does this seem so much of a longer process than it looks in the video? do logic analyzers connect to the stores card readers or to your own? and what is #48’s method? does anyone have his page saved, the page is now gone…

]]> By: maluc http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17504 maluc Sun, 26 Mar 2006 07:48:05 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17504 **update to end of #47 .. if you ignore the flowchart on page 4 of ACS's pc/sc programming reference: http://acs.com.hk/downloads_manual/PMA_ACx30.pdf you can connect just fine without 'selecting' the memory type.. just connect with SCARD_PROTOCOL_T0 (or SCARD_PROTOCOL_DEFAULT) flowchart to follow: SCardEstablishContext SCardListReaders (use first string returned) SCardConnect (SCARD_SHARE_SHARED & SCARD_PROTOCOL_T0 <-zero not 'oh') SCardTransmit (SCARD_PCI_T0 & SendBuffer filled with {0x00, Command, Arg1, Arg2, ...} all transmits.. SCardDisconnect (SCARD_LEAVE_CARD) SCardReleaseContext Commands for Transmit: Read: 0x00, Write: 0x01, WriteProtected: 0x02, SubmitSecCode(PCODE): 0x03, ChangeSecCode:0x04?, ReadSecCode: SendBuff[0xFF,0xB1,0x00,0x00,0x00] *write/writep/changecode untested as i haven't gotten the seccode yet - batt wires crossed on way home :/ .. tape em up as i shoulda done.. also, #48s method works, although his example isnt a how-to.. read your datasheets. also, i HIGHLY advise u invest the $2.49+tax at fryes or an electronic store and buy some conductive copper tape instead of using 22-26 gauge wire.. its too thick to fit in the reader conductive tape is paper thin and copper on the top side.. extend it 2-3inches past card across tape/paper, as it gets sucked in kinda deep.. then u can solder on some wires http://www.tedpella.com/16067.jpg **update to end of #47 .. if you ignore the flowchart on page 4 of ACS’s pc/sc programming reference: http://acs.com.hk/downloads_manual/PMA_ACx30.pdf

you can connect just fine without ’selecting’ the memory type.. just connect with SCARD_PROTOCOL_T0 (or SCARD_PROTOCOL_DEFAULT)

flowchart to follow:
SCardEstablishContext
SCardListReaders (use first string returned)
SCardConnect (SCARD_SHARE_SHARED & SCARD_PROTOCOL_T0 < -zero not 'oh')
SCardTransmit (SCARD_PCI_T0 & SendBuffer filled with {0x00, Command, Arg1, Arg2, ...}
all transmits..
SCardDisconnect (SCARD_LEAVE_CARD)
SCardReleaseContext

Commands for Transmit:
Read: 0x00, Write: 0x01, WriteProtected: 0x02,
SubmitSecCode(PCODE): 0x03, ChangeSecCode:0x04?,
ReadSecCode: SendBuff[0xFF,0xB1,0x00,0x00,0x00]
*write/writep/changecode untested as i haven't gotten the seccode yet - batt wires crossed on way home :/ .. tape em up as i shoulda done..

also, #48s method works, although his example isnt a how-to.. read your datasheets. also, i HIGHLY advise u invest the $2.49+tax at fryes or an electronic store and buy some conductive copper tape instead of using 22-26 gauge wire.. its too thick to fit in the reader

conductive tape is paper thin and copper on the top side.. extend it 2-3inches past card across tape/paper, as it gets sucked in kinda deep.. then u can solder on some wires
http://www.tedpella.com/16067.jpg

]]> By: ryan kamfolt http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/comment-page-2/#comment-17505 ryan kamfolt Wed, 22 Mar 2006 13:02:28 +0000 http://hackaday.iheartcashews.com:8181/2006/03/02/fedex-kinkos-smart-cards-hacked/#comment-17505 OK GUYS IM BACK. I WAS THE ONE WHO POSTED THE #42 AND #43 COMMENT. I WAS ONLY KIDDING. BUT I DO HAVE THE CODE AND BY VISITING MY SITE I AM SHOWING HOW I GOT THE CODE BUT NOT THE PROGRAMMING I USED OR A FEW OTHER THINGS YOU CAN GET THE HINT BY GETTIN WHITEPAPERS ON THE CARD AND ALSO BUYING A SAUDER IRON. HERES THE STUFF: HTTP://WWW.KECKSLIST.ORG/KINKOS OK GUYS IM BACK. I WAS THE ONE WHO POSTED THE #42 AND #43 COMMENT. I WAS ONLY KIDDING. BUT I DO HAVE THE CODE AND BY VISITING MY SITE I AM SHOWING HOW I GOT THE CODE BUT NOT THE PROGRAMMING I USED OR A FEW OTHER THINGS YOU CAN GET THE HINT BY GETTIN WHITEPAPERS ON THE CARD AND ALSO BUYING A SAUDER IRON. HERES THE STUFF: HTTP://WWW.KECKSLIST.ORG/KINKOS

]]>