FedEx Kinko's payment card cracked

Anyone with some extra hardware and technical know-how could add value to the card, but FedEx says there's no risk.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
FedEx on Thursday said that a security weakness in the payment card system used in its FedEx Kinko's stores doesn't pose a significant risk to the company--or any risk to customers.

The statement comes after the company's initial denial that the ExpressPay payment card system could be tricked. Security researchers earlier this week announced that anyone with some extra hardware and technical knowledge could use FedEx Kinko's services for free and even get cash from the company.

"Continuing our evaluation of the claims made online, we do not believe there is significant risk to the company based on the controls and security that we have in place," FedEx spokeswoman Maggie Thill said Thursday. "More importantly, this matter does not impact our customers."

Researchers with information security company Secure Science said the payment system could be hacked because of its limited security. Secure Science sent an e-mail with a detailed description of the hack to a popular mailing list on Tuesday.

The researchers responded to FedEx initial denial by posting a picture, as well as a video on the Web to demonstrate the breach. The picture shows a FedEx Kinko's payment card with a value of $313.37, while FedEx Kinko's allows values only up to $100, and the video shows a researcher changing a card serial number and increasing its value, the researchers said.

"The type of activity described is no different than stealing and we will not tolerate illegal actions," Thill said. "Security is a top priority for FedEx Kinko's and we continually update our security measures in light of ever-changing technology."

However, Thill declined to say if FedEx is taking any action in response to the breach of its payment card system. "We don't discuss the specifics of our security measures."

The payment system uses chip cards that can be loaded with money. The researchers found that the data stored on the card is freely rewritable once a security code has been found. None of the data on the card, including this security code, is encrypted, they wrote. "Anyone able to obtain the security code is free to rewrite the data stored on the card using an inexpensive commercially available smart card reader/writer."

Obtaining the security code requires some work, however. "By soldering wires to the contact points of the card and then connecting those wires to an inexpensive logic analyzer, an attacker can sniff the 3-byte code as the kiosk or a card terminal prepares to write data to the card."

However, the security code appears to be the same across all FedEx Kinko's ExpressPay cards currently in circulation, they said. This could make the job much easier for copycat fraudsters if the code leaks to the Web.

"Once the 3-byte code is known to the attacker, the card's stored value and serial number can be changed to any value," the researchers wrote. The ExpressPay system doesn't appear to validate the value of the card, they wrote.

The altered card could be used to get free services or can even be cashed out at the FedEx Kinko's register, according to the Secure Science researchers.

The FedEx Kinko's system was developed by enTrac Technologies, based in Canada. Similar systems may also be vulnerable, according to Secure Science. enTrac executives did not immediately respond to calls seeking comment.

Secure Science suggests taking the following steps to secure the payment system:

•  Encrypt data before storing it on the chip card, or migrate to a system that uses cards with built-in encryption functionality.

•  Verify that the stored value on the card does not significantly differ from a reference value stored in a database.

•  Do not allow the use of cards with invalid serial numbers.

•  Invalidate serial numbers of cards that are cashed out.