Researchers at Secure Science Corporation have managed to break the ExpressPay system used at FedEx Kinko’s stores, which is provided by enTrac. The cards are write-protected using a 3-byte security code. You can sniff this data using a logic analyzer and then use the code to write any data you want to the card since it is unencrypted. The security code is the same across all cards. FedEx Kinko’s stated that the article is inaccurate, so Lance James and Strom Carlson made a video of themselves doing the hack in the store. They put $1.00 on a card at the kiosk and then use it to log into a computer and show the balance of $1.00. They log out and use a separate laptop and card reader/writer to change the balance to $50.00 and modify the serial number. Next they use the card to log back into a computer and show the balance of $50.00. They let one minute pass so that $0.20 is charged to the card. Finally they log out and use the self-service kiosk to print out a receipt showing their balance of $49.80 with the fake serial number. At this point the attacker can take the card to the service counter and ask for the balance in cash.
[thanks Sith from Midnight Research Labs]
[fix: I had originally stated they bought a new card at the kiosk]
[photo: caribb]
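The demonstration above changes the balance and serial number on the card once the shared security code is known, and the kiosk accepts both. As an added example (not from the original article, the researchers, or enTrac; the record layout, the key handling and the backend ledger are all assumptions), this shows a stored-value record that a terminal can check for edits and for old copies written back:

```python
import hashlib
import hmac
import struct

# Constructed demo secret; assumed to live only in the backend, never on a card.
MASTER_KEY = b"constructed-demo-master-key"
TAG_LEN = 8  # truncated HMAC-SHA256 tag, sized for a small memory card

def card_key(serial: bytes) -> bytes:
    """Derive a per-card key so that no single value covers every card."""
    return hmac.new(MASTER_KEY, b"card-key:" + serial, hashlib.sha256).digest()

def _tag(body: bytes) -> bytes:
    return hmac.new(card_key(body[:8]), body, hashlib.sha256).digest()[:TAG_LEN]

def seal(serial: bytes, balance_cents: int, counter: int) -> bytes:
    """Hypothetical record layout: serial(8) | balance(4) | counter(4) | tag(8)."""
    body = serial + struct.pack(">II", balance_cents, counter)
    return body + _tag(body)

def verify(record: bytes, ledger: dict) -> str:
    """Classify a record read from a card against the backend ledger."""
    if len(record) != 16 + TAG_LEN:
        return "malformed"
    body, tag = record[:16], record[16:]
    if not hmac.compare_digest(tag, _tag(body)):
        return "tampered"            # balance or serial edited after sealing
    serial = body[:8]
    state = struct.unpack(">II", body[8:])
    if serial not in ledger:
        return "unknown-serial"
    if state != ledger[serial]:
        return "stale-or-cloned"     # genuine but old record written back
    return "ok"

def demo() -> list:
    """Constructed cards: current, edited (new serial and balance), replayed."""
    serial, ledger = b"DEMO0001", {}
    issued = seal(serial, 100, 1)
    edited = b"FAKE0002" + struct.pack(">II", 5000, 1) + issued[16:]
    current = seal(serial, 80, 2)    # after a 20-cent charge
    ledger[serial] = (80, 2)
    return [verify(r, ledger) for r in (current, edited, issued)]

if __name__ == "__main__":
    print(demo())
```

The tag catches edits to the balance or serial, but a genuine older record still carries a valid tag, so only the ledger comparison catches a card image that was saved and written back.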
The page is still there but you have to type the address out because the capital KINKOS doesn't work, so it should look like http://www.keckslist.org/k i n k o s without the spaces of course
http://67.119.87.140/kinkos
Sorry for some reason on my server you have to add the / to the end of the address so here is a working address:
http://www.keckslist.org/kinkos/
well i found the code just now, and having tried many methods over these two months.. the one that worked like a charm was a logic analyzer .. if ur smart u can find one for $155US shipped, and worth every penny
u can also do as a friend is doing, and make your own logic analyzer using the parallel port.. but it can be a pain in the ass; microcontroller versions even worse +_+
the keckslist example is also a nice possibility, but you have to make sure to get a smartcard reader that has a ‘read security memory’ command for the sle4442 ..the ACR30 does not!
good luck,
maluc ^^
A few years ago, there was a free reader from American Express, I got one, free of charge, no shipping. Need a smart card though…
Going back to comment 26, in the UK, the chain of pharmacists use a smartcard with just 6 connectors. Is this the standard chip with different connectors? Can I read this with a standard reader?
In the UK, Boots Advantage Cards have only 6 connectors. The connector matrix is a rectangle so I’m guessing it’s the same ‘6 lines used, only put 6 onto the thing’.
One last question (please don’t tell me to UAFSE). I’ve ordered a USB smart-card reader-writer. Is there freeware to allow me to simply alter the card?
Hi,
The torrent in comment 28 doesn’t seem to work. Can someone point me in the direction of a stream that DOES work since I’m gagging to see the guys in action. I also have a vested interest since I’m hoping to do a UK reprise on the hack with the Boots Advantage card. Similarly, it only has 6 connectors & has been going since 1997 so it MUST be quite old technology. Also, being a FREE card, cost is everything. I’ve got everything crossed that they have used an SLE4418 so not even a pin-code is needed ;-)
Many thanks in advance, Sean.
at this point the attacker can take the card to the service counter and ask for the balance in cash
unfortunately look at image
http://hackaday.com/wp-content/uploads/2008/11/overview.jpg?w=450&h=338
the smart chip has been soldered to (a dead give away that the card has been tampered with).
you may want to try getting a proper connector maybe salvage the card reader slot from an old dish receiver or something.
good info :)
good one..
Can the ACR30 allow you to record what is on the card and write it back? That way, you could just keep using the same card over and over without running out. No hacking the card.
Will this work?
Has anyone else considered that AFTER the PSC value has been entered, the card cannot then prevent the reading of the PSC (command $31). Connecting +5 to EARTH via an appropriate battery & resistor(s) would allow the value to be read using a standard card reader?
In the case of the Kinkos thing, this seems a much simpler solution…