Days after a hardware security expert demonstrated jaw-dropping security holes in FedEx Kinkos ExpressPay cards, company officials said the company doesnt think the security holes pose a risk to customers.
After initially denying that any security hole existed in the Kinkos ExpressPay technology, FedEx officials said on March 2 that it is “continuing our evaluation of the claims made” by a researcher from Secure Sciences. Spokesperson Jim McCluskey said in an e-mail statement that the company doesnt look kindly on the hacks, which it considers “no different than stealing.”
ExpressPay cards are payment cards that can be purchased and recharged at self-service kiosks in Kinkos stores. The cards are used by the FedEx-owned copy shops to store credits that can be used in lieu of cash to purchase photocopies and rent access to PCs and Macintosh computers in Kinkos stores.
ExpressPay was developed by EnTrac Technologies of Toronto and uses smart cards from Siemens and Infineon Technologies.
According to the report, written by Strom Carlson at Secure Science in San Diego, data stored on the cards is not encrypted and can be viewed by anyone with a smart-card reader. Data on the card can also be modified with a three-byte-long security code.
As part of his research, Carlson purchased a Kinkos card for $1 and then wired it to a USB logic analyzer that sniffed the secret code from the card as it interacted with the kiosk. The three-digit code was unencrypted and easy to spot from the data passed back and forth between card and reader, he said.
In a video that demonstrates the hack, Carlson used a secure card reader connected to a laptop to modify the dollar amount on the card from $1 to $50 and change the serial number of the card. He then redeemed $.20 from the modified card from a Kinkos computer terminal and printed out a receipt for the activity that shows the modified ExpressPay serial number and an adjusted balance of $49.80 on the card. (See: http://www.securescience.net/exploits/ssc_expresspay_vuln.wmv.)
Carlson claims he could put any amount on the card and even cash in unused cards at Kinkos, though he refrained from doing so.
EnTrac has not responded to repeated requests for comment.
In comments to eWEEK late Feb. 28, FedEx claimed Carlsons report was inaccurate and that the hack would not work on ExpressPay as it was implemented at Kinkos stores. After viewing the Secure Science video of the hack on March 2, the company issued a statement saying the hack does not pose “a significant risk based on the controls and security we have in place,” and “does not impact our customers.”
In an interview with eWEEK, Carlson supported those claims, saying that there is no danger to Kinkos customers because ExpressPay cards are purchased with cash, and the system doesnt hold sensitive customer information that could be exposed to hackers. Carlson also said he does not know of anyone else who has hacked the ExpressPay system, though he acknowledged that it was possible individuals had but were not disclosing it.
“You could program a card worth $50 then sell it to someone for $5,” he said.
FedEx had scattered reports about the problem and initially discounted it. After more digging, including viewing the video from Secure Science, the company realized the problem reported by Secure Science warranted more investigation.
In a statement, FedEx said it “will not tolerate illegal actions.” The company would not comment on whether it would take legal action against Carlson and Secure Science for its research.
“Im not going to speculate what may or may not happen on that subject,” McCluskey said.
FedEx is also talking to EnTrac. However, the company declined to discuss any changes to the ExpressPay system that would address the security holes, McCluskey said.