Fedex Kinko’s Smart Cards Hacked


Researchers at Secure Science Corporation have managed to break the ExpressPay system used at FedEx Kinko’s stores, which is provided by enTrac. The cards are write-protected using a 3-byte security code. You can sniff this code using a logic analyzer and then use it to write any data you want to the card, since the card data is unencrypted. The security code is the same across all cards.

FedEx Kinko’s stated that the article is inaccurate, so Lance James and Strom Carlson made a video of themselves doing the hack in the store: They put $1.00 on a card at the kiosk and then use it to log into a computer and show the balance of $1.00. They log out and use a separate laptop and card reader/writer to change the balance to $50.00 and modify the serial number. Next they use the card to log back into a computer and show the balance of $50.00. They let one minute pass so that $0.20 is charged to the card. Finally they log out and use the self-service kiosk to print out a receipt showing their balance of $49.80 with the fake serial number. At this point the attacker can take the card to the service counter and ask for the balance in cash.
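The root problem above is that the balance and serial number on the card carry no integrity protection and a single write code guards every card. As an added example (not from the original post, the researchers, or enTrac), this Python code shows one mitigation: the back end seals each card record with a per-card HMAC and checks it against its own ledger, so an edited or written-back record is rejected. The key, record layout, serial value and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in practice it lives only on the back end, never on cards.
SERVER_KEY = b"constructed-demo-key"
TAG_LEN = 8
RECORD_LEN = 4 + 4 + 2 + TAG_LEN  # serial | balance (cents) | counter | MAC

def card_key(serial: bytes) -> bytes:
    """Derive a per-card key so no single secret protects every card."""
    return hmac.new(SERVER_KEY, b"card-key" + serial, hashlib.sha256).digest()

def seal(serial: bytes, balance_cents: int, counter: int) -> bytes:
    """Build the record the kiosk writes to the card (hypothetical layout)."""
    body = serial + struct.pack(">IH", balance_cents, counter)
    tag = hmac.new(card_key(serial), body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def verify(record: bytes, ledger: dict) -> str:
    """Check a card record against its MAC and the back-end ledger."""
    if len(record) != RECORD_LEN:
        return "reject: malformed"
    serial, body, tag = record[:4], record[:-TAG_LEN], record[-TAG_LEN:]
    good = hmac.new(card_key(serial), body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, good):
        return "reject: bad MAC"  # balance or serial was edited on the card
    balance, counter = struct.unpack(">IH", body[4:])
    if ledger.get(serial) != (balance, counter):
        return "reject: ledger mismatch"  # old record written back, or unknown card
    return "ok"

def demo() -> dict:
    serial = b"\x00\x00\x10\x01"  # constructed serial
    ledger = {serial: (100, 1)}  # $1.00 loaded at the kiosk
    genuine = seal(serial, 100, 1)
    edited = genuine[:4] + struct.pack(">I", 5000) + genuine[8:]  # balance -> $50.00
    reserial = b"\x00\x00\x99\x99" + genuine[4:]  # serial changed, old MAC kept
    results = {"genuine": verify(genuine, ledger),
               "edited": verify(edited, ledger),
               "reserial": verify(reserial, ledger)}
    ledger[serial] = (80, 2)  # one minute of use charged $0.20
    results["written_back"] = verify(genuine, ledger)
    return results

if __name__ == "__main__":
    print(demo())
```

The MAC alone does not stop a valid older record from being written back to the card; the ledger comparison is what catches that case, which is why the balance of record has to live on the back end.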

[thanks Sith from Midnight Research Labs]

[fix: I had originally stated they bought a new card at the kiosk]

[photo: caribb]

67 thoughts on “Fedex Kinko’s Smart Cards Hacked”

  1. well i found the code just now, and having tried many methods over these two months.. the one that worked like a charm was a logic analyzer .. if ur smart u can find one for $155US shipped, and worth every penny

    u can also do as a friend is doing, and make your own logic analyzer using the parallel port.. but it can be a pain in the ass; microcontroller versions even worse +_+

    the keckslist example is also a nice possibility, but you have to make sure to get a smartcard reader that has a ‘read security memory’ command for the sle4442 ..the ACR30 does not!

    good luck,
    maluc ^^

  2. Going back to comment 26, in the UK, the chain of pharmacists use a smartcard with just 6 connectors. Is this the standard chip with different connectors? Can I read this with a standard reader?

  3. In the UK, Boots Advantage Cards have only 6 connectors. The connector matrix is a rectangle so I’m guessing it’s the same ‘6 lines used, only put 6 onto the thing’.

  4. Hi,
    The torrent in comment 28 doesn’t seem to work. Can someone point me in the direction of a stream that DOES work since I’m gagging to see the guys in action. I also have a vested interest since I’m hoping to do a UK reprise on the hack with the Boots Advantage card. Similarly, it only has 6 connectors & has been going since 1997 so it MUST be quite old technology. Also, being a FREE card, cost is everything. I’ve got everything crossed that they have used an SLE4418 so not even a pin-code is needed ;-)

    Many thanks in advance, Sean.

  5. Can the ARC30 allow you to record what is on the card and write it back? That way, you could just keep using the same card over and over without running out. No hacking the card.

    Will this work?

  6. Has anyone else considered that AFTER the PSC value has been entered, the card cannot then prevent the reading of the PSC (command $31). Connecting +5 to EARTH via an appropriate battery & resistor(s) would allow the value to be read using a standard card reader?

    In the case of the Kinkos thing, this seems a much simpler solution…
