Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Hacker Outsmarts Kinkos ExpressPay Cards



 By: Paul F. Roberts
2006-03-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Hacker Outsmarts Kinkos ExpressPay Cards
  2. ' Bigger Issues in Smart'

Rate This Article:
Poor Best
Hacker Outsmarts Kinkos ExpressPay Cards
( Page 1 of 2 )

The exploitability of unencrypted smart cards has bigger implications for money-laundering and terrorism.A security hole in a common technology used to manage prepaid store cards could let malicious hackers and other criminal groups bilk FedEx Kinkos stores, according to a recently published report.

ExpressPay is a system developed by EnTrac Technologies, of Toronto. The system uses smart cards from Infineon, but does not secure data on the cards.

A security hole could allow hackers to clone legitimate cards or change the value of a card to any amount, according to Strom Carlson, a hardware security researcher at Secure Science in San Diego.

The report is just the latest warning about vulnerabilities in cash card technology, which is becoming a popular tool for money laundering, according to one banking fraud expert.

Neither enTrac nor FedEx, based in Memphis, Tenn., responded to requests for comment in time for this story.

Resource Library:
ExpressPay cards are payment cards that can be purchased and recharged at self-service kiosks placed inside Kinkos stores. The cards are used by the FedEx-owned copy shops to store credits that can be used in lieu of cash to purchase photocopies and rent access to PCs and Macintosh computers in the stores.

Microsofts ID-management moves could be good news for smart cards. Click here to read more.

According to the report, data stored on the cards is not encrypted and can be viewed by anyone with a magnetic card reader. Data on the card can be modified with a 3-byte security code, said Carlson, who posted his report on the Full Disclosure discussion list.

Carlson said he purchased a Kinkos card for $1, and then wired it to a USB logic analyzer, costing just a few hundred dollars, that sniffed the secret code from an ExpressPay card as it interacted with the kiosk.

The three-digit code was unencrypted and easy to spot from the data passed back and forth between card and reader.

With secure code in hand, Carlson used card duplication technology to modify the dollar amount on the card from $1 to $2, though he could put any amount on the card, he said.

Malicious hackers could safely gain almost unlimited access to Kinkos store resources with the cards, because they can purchase, recharge and use them without interacting with store employees, he said.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Stores like Kinkos are vulnerable to fraud, because the ExpressPay system implicitly trusts the value reported by the card, without verifying it against a store-managed database, he said.

The ExpressPay system from enTrac is only used at Kinkos stores, and the cards can only be used to buy goods and services at Kinkos. However, unused cards can also be redeemed for cash. That means that malicious hackers could reprogram the value of their Kinkos cards and obtain cash from the store, the report said.

Next Page: Bigger issues in smart-card security.





  Reader Comments: Hacker Outsmarts Kinkos ExpressPay Cards
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}r۸j9kmYۑR%Z-/KWRJE1Er/3g~b:?qtMZ%;NŖnt7F?[[~$rəklJ9D[[?.ԇP|k^Po2t}R  tӌ5v:! ->;|/s=NmN5%j'a]kcF}[2ű5n0 f E1;' VI { #%֥ϊͻ#k[޷(z}:XQ=ze膡;? Cx*Jt/"(?F#&c-4~qwN?n=3τPcwҴvk*v_eߌڭB{x)BX/#bF]߂gMCI%_qؓthl5D`YRi 3 LmfCÑcWPpmׇT*sTkq3#}jݷt{#ԷF@:S1)æ'I#!_TBRp`ZGr V#vRxA'ס" Gl_k| uz3'3~3 CoZHUKo~cn.LjZE&> ؗ}Y͢`F3l˸.:4 @S=(neO;pދ*[1ٝS wڨ>~*Uew9(C[w-uPu.qw?OO9N Hw&LT-jR*LL@aBjL~9 uz3P %Jeow)ځVR]jF[V@a`%pfQUe>'sK߾ڤ>:9촏}3fPUM~ 3he+%2h\u\9:Uw/Is!+|qg>!5M0\̱¬:֪׷V1X?x7 kh`cRVޓ{dZݣ6Pi$Y*r":韝Cj ݖyB_*X_wKj,nHˤdx6M2Tc]NjoNP_ uooZPĿ"G/'ݸä 7X(}ZcOg6/|\a֔^큉i$>6(Z\?`c VC@B놂9[׿ޚB"Qޒ]ѡ4aqj =*~3=g{` Κotև &SsfPB<JdN˥s ] #RRR$S'!hI#r Bг!,`@o%`{`[wew$]wVph(ݞH:u@-ʻh&3ay7cb -d[b}IlΌ eV&vφa,[Lbo7], Sl-uum{swW9дJ >д7=YK{Һ8,$MX IK$%\Ew,[t 3AP컷BoBCEsJ00ӊYsƾ s apO& ]5m(tsj9`XƄWj>!4ӇiЈ4XĽŦYguϳ-jrǸ&q9oan5ʉ9WR>U< đOT׃REaT(j]xwVF0\n}єa˘;|qWm*IݒTRАah"pHEAxZ+hpT@U.)L-9IZ 5[ hg [QznSCz+ή `RI?I BL!2B3ݧ==1g匬~`" hUkRPZEUՃ]ZfGU`q,(xO?b5xh/Op8_ˬ7?K_zo?SM7s\}O>yN '-h'^)0ZN +{J#2ByQihwrRk]L˧FxpkՃ u3uav9Aخ kqAmY1 pWG (k{0qkM?݄3%Jt( ֹB\S4UudԻu(bH#CnpBEWFڬ,t[4FuNԲ)즵V,tu `_ܚ:z,.,HT0  d5}u*սZIe/YU/^> (&Lt0Ȑ%=WlTjO1՞l$R*C01^*== 7S_)-ʖ~cѢ O+bIۛgўgobr"9ym2-%8zN0JM;O%9$_ۀ3JitLeb`l "Z`|iY`&c1 s*? .|l3pڳ. `Mɧb_+Xcփ0 ]K}3OnyUc;6~ zzi0bZ`{7=;%k(4Q4rRl2~6P=m"lƳ>AqHl7+n'U`K96=RrRHǞ1]]2Yޘz4> ʀjxG2c7(Ъ6#iB/%e.N1)Q;+&v}j;_&I|SeQȃV)KY+TuRaoaqVZʁFHU%EOM#/ PNkR[C^$}T>VvAU>HU[-UղR?ITAtyU!n?mVPVW`Zd&{ ڜ%\3Li0)Q뱋^ fTMZ/)+iQ/ ~ dwm E&7 uYx\v ˽'jD@KYJ7eZVڞ*\$T+IjItn:0wȘُYD[^:H&rOfss]`_aOnΏ[ܝ90FI ʮv@ljpw|L2M: Vjwjy>e!r ]N7._Tji vA ^`| @-c'd1s<ēo =$Ԅ7wLaV*7A!RēC$ |Cʍ D;}R^\ό&ŧmVS/(0h_hmdU]uv@Ϣ.}뇫NOJۧ>Y>1ag 3^fr|8yZٻcq 4 }*u[UO-sgadz LR(ɢ]2~ܮbo/Vt0lg~hy% @4Qn=pΚ:KG%?w@N;m)^{!o< r@p'Bjv>$'d0 stn^F'7bW `xѤĢ[E|}aM&mn2μ3K:g6n+̣ ,-Y+4$/i\A1;Gh",GDp<3J[L>CT䵴f[YUHO~D!6OY!tQ^}rRT-t#^Ubݩc3cD1uR;2Q杊f>J,X420m`Ue"VcV'l<N\(d(΁,33R-@{(;P6IJ1͜pQxσ Anb ׄ@gݖJZA9䌷H8MeYz_P;J~أw'z s}WnaIňAw\yJwzRSdqsz"K2Uޮ83OW0R50Y j%$T=KB9̩۬UWQԉ͑ceO7ߚmTa[pfB<;ϚRW\A'D4,e=y)Ti<#̥*d\; ennPq!z~~~~~{Z{D}Un&s/Zc sY!Ϧ-rQ/>v$-(%Ʒ $HH@&o~T} jSsL?wm4EzO&i/{0,$@Ӧl0 . 1\"a K 0!t H"!2d| B|$r(h 5PyM{~kj"GQGjz_qW )d; @y=h2,症1olXaM}.8eN @.xsN(#̍N@RI+6D8>5^Zs|.eI׉srIJ_ɯ5V*ka-B+FNVyi%6ԙ~M"F .fS3O3~V-ddeAc9ȿa4{O"RIg\~4X=„%S q)%;-?tyB>΁ 6j`5oW[?pi*`3Crcw*z}TI57faZoG$WÙesF UUc!`^p>8v(FnU-CgIx:ߋ8?1Xfo!L,PG}3rĔ&ok؅Xx@ pY.C@SmQko^u1mJgR":wf7 i/XN/K<=ދ;wP-ie@n-=K8#E.WY,r.A蹞nA xWY uǿ2"rO|k .gNc]@u+8E@m𛷿cnd;2yv[A+=V4 :pXII[_<@_1+tЅ4UoJY&[_˯Gjp,!D˺ ؼn z!(g ʬ+EI3Ʊ)/b*NhLP2͙QbT 5{! Rd$r@sפ;s|:ۘMϠ)87eQ?c {bg闶Vzq-I O WybuJɤQEAx8n Ms=;Vq_6Ic\'|]D0v*uמQN|lڏ ]jmo TŢW\!5B,vaDMȡc+1ʵm <~܊!,t;Z4a􀲷9L XrjbdFyAx!FvcϏ[Kb+6Q[$IpjK AXE;Wb*Y"'"KIEЮ(> l?. dRmʹ<8?ԣPSVF UH+4h m@OksM>؜>3-iM13[Oka`;Ӛ ]leK/mLt?T8Ow| emEP♛:QSyU ;˼'7ƄgLE[TSvXf 17WvqA&Э ՗>Ϲ,Gc0M0w\vKJiRa)zd H“%`_IǏ>HP.%$ೝ_vx`ܒ|rP[ozpײZ ǁ; AgJS4H v߯$x\jB_ג "|r2$O3'NޢSF;16CWIеA\Π{9iF-sq}Fsc.;cHwku{xm3VGxfVؖUm}qV΍R )q4bNGw,}X.?ȋDa8TJ ok J}z%rUkq{V]3F^RA'LmJJGh5;P2*5&;L98ǘ"xxa aZ a7ϪͲ;IoP}wY?e=a '2u?|}v BJ;l=Hm~'dM-ã+f|U:i|%wҙn,o͢6~?!}]L&`Cqrt7%eRQ[ٓ!8F_ 6f^zgZQ)MG).}ocb2zވ6pb X`Oh$}b\2S7Ή^) `v#CsJWv߾졇@n{wB&!xwOuq,C,kYazl+Ja S~1&v+%"&LmahnoE|pbwH 1SӦ;0_t';! &(?q֋D {GLƙ;fSZ,7s!&@Q3UET&}nA=`Aa~N­!RfF·:-f3yOi8qXg- .E.kqwo'+W!5:0 1YG7`C[UEY|obL,`A~NBj@̐0ح><&).yci 8^yN4WZ# oX22 =<RXX_1[U=LꚂOJBveX z9v[wyWfE3{8~#\OSz% %uW0`A i2bg4t\@%bj`f\1CB 9^&9lIasta{g%}RGݨ;֗ŗys/4-<,_S}i)|Q)X7KGYFyfvʌPN;:cͅf1.yNs8,tG0}4yE~+Q^e9DM@_zq7M/zacj]{=-Z[kA7^L˒#:jS#}uRwB&7bS>mI]hD&5/m;9_kN%_.?j6sʻP)GN.o Z#(?Z]~ 9ΡVt NrʡsSc)_V05r ?  sC3,3ϳ<_?.)>Crs~~swWyW9{_wNr!(oYNOo ps˅a+/WAa u~S9@yJ ,c/r\){%;[?k_;GVz]!,.5Pg^e4vYAm{}ys`˼7T(^xPHyE#.ȭ-'Hl]=g%%x=0?Mu{.1پWߕ\*ܼ}:qOkXE9s8G#iPA9Ч=|,y |8SNt7<1 }^1 B8 vt{z*%.n ۍwxL|sOkz>s <[~r^<^ȬUU5lNA6K֐E>Y7xwn o\gUfe2p_eD˪U&b))={B` j?=kn%c$QUiHr]bX {ow#˅F>tJ^`ˋiB0HtN[׿_SsTF` vM0ܽ/`9ͤqn&f\c1G*̯dwxEwI>]hmЁu$|Hm7g@oL`Xkt J7Bg3΃>̆I+MXvg&rra`O*{qsAnӥcX00wYW7 -As5 D =bW׶k&'.xY~1[~#Ҵ 7[feF`]fBaI' X='̄08B:L hn94Id`-\90r ]ɡ=F$>}T.I sEyבy,&J {k*u8w ɰ\,Nd=:tx'Hj _3荌=$_A֝ 2}jSo:h}v;3^ܲ1PԽU/=ׇ"2cT =Sxͨev稦F{&.Y{N6 )4M˚HμYS ]szln()y+J9*لW0U7VAoL3SY,> F_dvO~-"fqa'R1<zH|m,XoOT*L[s |QK:AL Kd/-Y稯ˊL3t#(3R+YVȥI񿄷zH,爔事6SAQ^ yJ>? T|5 5OBB`t p"s6cC@_6ܙeNUw]ᗍSЈxs2xEy?83& M7خ;Oq^Gd9b7ctīc 2|? OGe Lt8C3`ܐ}lIC_?Fu:hY )6O}0uGĺrCR2OEpwR6 K?93699 3 &e@EqL'Hv;[y@t  ] < v3fC &K_2qF`H؂{!MR>ǔ  ]'[ڧ3й?-Re͌o#_{QFbfCq얢e.nD{|w!G[ 0rczz7Y>5 ɴ{)̅Ͱ`I[[Q0&iE-ȓl`Cv_.~ph?҈YA wVǰ޳BLN S 3pRaL $b[и<7qږqaG?Y)ԽiF~\ʉˮVW֨Ȁ7HYD,5Ra:(G= zBk|FvXK]s&&tĵa}ar8Lt4QS|J)Km)蝇ȭoz`Z]x O!0YdWP Y-f1%Dv$8ґCBȞBJ>e31C7Dn0Br1H d[\O_مnu3\j /YH~1 <99.@OI"c؛b=ʧ3~q <ø(X+n:' ^i{bg!t<~!3Mw*`NgI^k;zvQKe