ExpressPay is a system developed by EnTrac Technologies, of Toronto. The system uses smart cards from Infineon, but does not secure data on the cards.
A security hole could allow hackers to clone legitimate cards or change the value of a card to any amount, according to Strom Carlson, a hardware security researcher at Secure Science in San Diego.
The report is just the latest warning about vulnerabilities in cash card technology, which is becoming a popular tool for money laundering, according to one banking fraud expert.
Neither enTrac nor FedEx, based in Memphis, Tenn., responded to requests for comment in time for this story.
ExpressPay cards are payment cards that can be purchased and recharged at self-service kiosks placed inside Kinkos stores. The cards are used by the FedEx-owned copy shops to store credits that can be used in lieu of cash to purchase photocopies and rent access to PCs and Macintosh computers in the stores.
According to the report, data stored on the cards is not encrypted and can be viewed by anyone with a magnetic card reader. Data on the card can be modified with a 3-byte security code, said Carlson, who posted his report on the Full Disclosure discussion list.
Carlson said he purchased a Kinkos card for $1, and then wired it to a USB logic analyzer, costing just a few hundred dollars, that sniffed the secret code from an ExpressPay card as it interacted with the kiosk.
The three-digit code was unencrypted and easy to spot from the data passed back and forth between card and reader.
With secure code in hand, Carlson used card duplication technology to modify the dollar amount on the card from $1 to $2, though he could put any amount on the card, he said.
Malicious hackers could safely gain almost unlimited access to Kinkos store resources with the cards, because they can purchase, recharge and use them without interacting with store employees, he said.
Stores like Kinkos are vulnerable to fraud, because the ExpressPay system implicitly trusts the value reported by the card, without verifying it against a store-managed database, he said.
The ExpressPay system from enTrac is only used at Kinkos stores, and the cards can only be used to buy goods and services at Kinkos. However, unused cards can also be redeemed for cash. That means that malicious hackers could reprogram the value of their Kinkos cards and obtain cash from the store, the report said.