Bigger Issues in Smart
-Card Security"> The type of smart card used in the Kinkos ExpressPay solution is inexpensive and offers only modest security protections over the low-security magnetic stripe cards, Carlson said. At the very least, the data on the card should be encrypted to prevent easy prying. Kinkos should also log and track ExpressPay transactions and account balances to prevent fraud, he said."As far as I know, Im the first person to do this," he said. However, other payment card systems out there may be vulnerable to similar hacks, especially when sensitive data is not encrypted on the card, Carlson said. GeoTrust buys German smart-card maker TrustCenter. Read more here. The prospect of international terrorists and shadowy online criminal groups gaining unfettered access to photocopy machines may not warrant undue panic. However, the ExpressPay security problem is part of a larger trend in money-laundering and terrorist financing circles, according to Saskia Rietbroek, former executive director of ACAMS (the Association of Certified Anti-Money Laundering Specialists), who now works as a financial crime advisor for NetEconomy, an anti-fraud company based in the Hague, Netherlands. Criminals are using so-called "closed network" store cards like the Kinkos ExpressPay card and rechargeable "open network" ATM cards to move money across borders and access funds without leaving a trail, she said. "The ease of acquisition, pervasiveness and anonymity of these prepaid cards is challenging," she said. For example, open-system cash cards can be used to withdraw cash directly from an ATM anywhere in the world, she said. "You can load U.S. $10,000 on one card and that weighs a lot less than $10,000 in dollar bills," she said. "Its an easy way to move money." Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
Carlson said he informed enTrac of the problem with the ExpressPay system in early February, but has not heard back from the company. He does not know of any actual fraud involving the ExpressPay technology.