March 2, 2006 3:47 PM PST

FedEx Kinko's payment card cracked

FedEx on Thursday said that a security weakness in the payment card system used in its FedEx Kinko's stores doesn't pose a significant risk to the company--or any risk to customers.

The statement comes after the company's initial denial that the ExpressPay payment card system could be tricked. Security researchers earlier this week announced that anyone with some extra hardware and technical knowledge could use FedEx Kinko's services for free and even get cash from the company.

"Continuing our evaluation of the claims made online, we do not believe there is significant risk to the company based on the controls and security that we have in place," FedEx spokeswoman Maggie Thill said Thursday. "More importantly, this matter does not impact our customers."

Researchers with information security company Secure Science said the payment system could be hacked because of its limited security. Secure Science sent an e-mail with a detailed description of the hack to a popular mailing list on Tuesday.

The researchers responded to FedEx's initial denial by posting a picture, as well as a video, on the Web to demonstrate the breach. The picture shows a FedEx Kinko's payment card with a value of $313.37, although FedEx Kinko's allows values only up to $100, and the video shows a researcher changing a card's serial number and increasing its value, the researchers said.

"The type of activity described is no different than stealing and we will not tolerate illegal actions," Thill said. "Security is a top priority for FedEx Kinko's and we continually update our security measures in light of ever-changing technology."

However, Thill declined to say if FedEx is taking any action in response to the breach of its payment card system. "We don't discuss the specifics of our security measures."

The payment system uses chip cards that can be loaded with money. The researchers found that the data stored on the card is freely rewritable once a security code has been found. None of the data on the card, including this security code, is encrypted, they wrote. "Anyone able to obtain the security code is free to rewrite the data stored on the card using an inexpensive commercially available smart card reader/writer."

Obtaining the security code requires some work, however. "By soldering wires to the contact points of the card and then connecting those wires to an inexpensive logic analyzer, an attacker can sniff the 3-byte code as the kiosk or a card terminal prepares to write data to the card."

However, the security code appears to be the same across all FedEx Kinko's ExpressPay cards currently in circulation, they said. This could make the job much easier for copycat fraudsters if the code leaks to the Web.

"Once the 3-byte code is known to the attacker, the card's stored value and serial number can be changed to any value," the researchers wrote. The ExpressPay system doesn't appear to validate the value of the card, they wrote.

The altered card could be used to get free services or can even be cashed out at the FedEx Kinko's register, according to the Secure Science researchers.

The FedEx Kinko's system was developed by enTrac Technologies, based in Canada. Similar systems may also be vulnerable, according to Secure Science. enTrac executives did not immediately respond to calls seeking comment.

Secure Science suggests taking the following steps to secure the payment system:

•  Encrypt data before storing it on the chip card, or migrate to a system that uses cards with built-in encryption functionality.

•  Verify that the stored value on the card does not significantly differ from a reference value stored in a database.

•  Do not allow the use of cards with invalid serial numbers.

•  Invalidate serial numbers of cards that are cashed out.
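The last three recommendations amount to treating the card as an untrusted hint and the back-end ledger as authoritative. The following is an added example (not enTrac's or Secure Science's code) of such a server-side check; the ledger layout, the zero mismatch tolerance and the $100 cap taken from the article are assumptions made here.

```python
"""Server-side reconciliation for a stored-value card: the serial and value
read from the chip are checked against a database ledger before any sale or
cash-out.  Added example; ledger layout and tolerance are assumptions."""
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_CARD_VALUE_CENTS = 100_00   # the article states cards hold at most $100
TOLERANCE_CENTS = 0             # assumption: any mismatch with the ledger is rejected


@dataclass
class LedgerEntry:
    value_cents: int            # reference value held server-side
    cashed_out: bool = False    # serial invalidated once refunded


# Constructed sample ledger: serial -> reference record
LEDGER: Dict[str, LedgerEntry] = {
    "1000-0001": LedgerEntry(42_50),
    "1000-0002": LedgerEntry(0, cashed_out=True),
}


def validate_card(serial: str, card_value_cents: int,
                  ledger: Dict[str, LedgerEntry] = LEDGER) -> Tuple[bool, str]:
    """Return (accepted, reason).  Rejects unknown serials, cashed-out
    serials, values above the product cap and values that differ from the
    ledger; a card claiming more than the ledger holds is flagged as tampering."""
    entry = ledger.get(serial)
    if entry is None:
        return False, "unknown serial"
    if entry.cashed_out:
        return False, "serial invalidated (cashed out)"
    if card_value_cents > MAX_CARD_VALUE_CENTS:
        return False, "value exceeds product cap"
    if abs(card_value_cents - entry.value_cents) > TOLERANCE_CENTS:
        kind = "tampering suspected" if card_value_cents > entry.value_cents else "mismatch"
        return False, f"value {kind}: card={card_value_cents} ledger={entry.value_cents}"
    return True, "ok"


def cash_out(serial: str, ledger: Dict[str, LedgerEntry] = LEDGER) -> int:
    """Refund the ledger balance (never the card's own claim) and invalidate
    the serial so the physical card cannot be re-presented; returns cents refunded."""
    entry = ledger[serial]
    if entry.cashed_out:
        raise ValueError("already cashed out")
    refunded = entry.value_cents
    entry.value_cents = 0
    entry.cashed_out = True
    return refunded
```

Note that the refund amount comes from the ledger, so rewriting the value on the chip gains an attacker nothing at the register, and a value higher than the reference is itself a detection signal worth logging.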

Not a problem?
Funny, but isn't the dollar amount "$313.37" elite speak? (3l337)

Oh you kids...now go to your room.
Posted by Below Meigh (249 comments )
FedEx Kinko's cards
The cards can only be up to $100.00; any more and the customer will need a new card. If that customer wants their money back and the amount is over $20.00, FedEx Kinko's has to send the card to their main offices in Dallas, TX, and after they research it and it's found to be valid, FedEx Kinko's will send the customer a check. If the value is under $20.00 but over $10.00, the customer can get a refund but will have to fill out a refund slip with their name, address, phone and ID on the slip. No ID, no refund.
Posted by mrpanitz (1 comment )
FedEx Kinko's card balance info
How do we find out the value left on our cards? The FedEx and/or Kinko's web page search engine does not provide a result for card balances.

I don't know about you, but I have several of these cards as a result of numerous visits and I don't know which has what amount left on it. My wallet can't carry all these cards.

Any solutions other than gathering them all up and driving to Kinkos?
Posted by Reisenwebers (1 comment )
I would like to know the same thing as well.
Posted by birminghamj (1 comment )