A security hole in a common technology used to manage prepaid store cards could let malicious hackers and other criminal groups bilk FedEx Kinkos stores, according to a recently published report.
ExpressPay is a system developed by EnTrac Technologies, of Toronto. The system uses smart cards from Infineon, but does not secure data on the cards.
A security hole could allow hackers to clone legitimate cards or change the value of a card to any amount, according to Strom Carlson, a hardware security researcher at Secure Science in San Diego.
The report is just the latest warning about vulnerabilities in cash card technology, which is becoming a popular tool for money laundering, according to one banking fraud expert.
Neither enTrac nor FedEx, based in Memphis, Tenn., responded to requests for comment in time for this story.
ExpressPay cards are payment cards that can be purchased and recharged at self-service kiosks placed inside Kinkos stores. The cards are used by the FedEx-owned copy shops to store credits that can be used in lieu of cash to purchase photocopies and rent access to PCs and Macintosh computers in the stores.
According to the report, data stored on the cards is not encrypted and can be viewed by anyone with a magnetic card reader. Data on the card can be modified with a 3-byte security code, said Carlson, who posted his report on the Full Disclosure discussion list.
Carlson said he purchased a Kinkos card for $1, and then wired it to a USB logic analyzer, costing just a few hundred dollars, that sniffed the secret code from an ExpressPay card as it interacted with the kiosk.
The three-digit code was unencrypted and easy to spot from the data passed back and forth between card and reader.
With secure code in hand, Carlson used card duplication technology to modify the dollar amount on the card from $1 to $2, though he could put any amount on the card, he said.
Malicious hackers could safely gain almost unlimited access to Kinkos store resources with the cards, because they can purchase, recharge and use them without interacting with store employees, he said.
Stores like Kinkos are vulnerable to fraud, because the ExpressPay system implicitly trusts the value reported by the card, without verifying it against a store-managed database, he said.
The ExpressPay system from enTrac is only used at Kinkos stores, and the cards can only be used to buy goods and services at Kinkos. However, unused cards can also be redeemed for cash. That means that malicious hackers could reprogram the value of their Kinkos cards and obtain cash from the store, the report said.
Bigger Issues in Smart
The type of smart card used in the Kinkos ExpressPay solution is inexpensive and offers only modest security protections over the low-security magnetic stripe cards, Carlson said.
At the very least, the data on the card should be encrypted to prevent easy prying. Kinkos should also log and track ExpressPay transactions and account balances to prevent fraud, he said.
Carlson said he informed enTrac of the problem with the ExpressPay system in early February, but has not heard back from the company. He does not know of any actual fraud involving the ExpressPay technology.
“As far as I know, Im the first person to do this,” he said.
However, other payment card systems out there may be vulnerable to similar hacks, especially when sensitive data is not encrypted on the card, Carlson said.
The prospect of international terrorists and shadowy online criminal groups gaining unfettered access to photocopy machines may not warrant undue panic.
However, the ExpressPay security problem is part of a larger trend in money-laundering and terrorist financing circles, according to Saskia Rietbroek, former executive director of ACAMS (the Association of Certified Anti-Money Laundering Specialists), who now works as a financial crime advisor for NetEconomy, an anti-fraud company based in the Hague, Netherlands.
Criminals are using so-called “closed network” store cards like the Kinkos ExpressPay card and rechargeable “open network” ATM cards to move money across borders and access funds without leaving a trail, she said.
“The ease of acquisition, pervasiveness and anonymity of these … prepaid cards is challenging,” she said.
For example, open-system cash cards can be used to withdraw cash directly from an ATM anywhere in the world, she said.
“You can load U.S. $10,000 on one card and that weighs a lot less than $10,000 in dollar bills,” she said. “Its an easy way to move money.”