April 23rd, 2014

For the kinkos hack skeptics

And for the seriously skeptical, Secure Science actually released a video of an in-store hack of the Kinko’s ExpressPay system. The enTrac/FedEx/Kinkos people must really be in denial here. You’d think they’d want to get this fixed as soon as possible. One of the alarming things is that it seems you can actually get cash back from the register with a printed receipt by showing the unused portion of your bill ($100 cap per card per charge). The system seems to wholly trust what it reads from the cards and doesn’t even try to validate the data. Any serial number and dollar value can be written into it. Wow.

Here are some screen captures:

2 Responses to 'For the kinkos hack skeptics'

  1. Strom Carlson made the news at Digital DawgPound
    March 4th, 2006 at 2:44 am

    [...] eWeek: Hacker Outsmarts Kinko’s ExpressPay Cards SC Magazine: FedEx pay system could be grounded Bruce Schneier: FedEx Kinko’s Payment Card Hacked Digg: Fedex Kinko’s Smart Cards Hacked Security Focus: Report: ExpressPay can be exploited for cash PC Magazine: Hacker Outsmarts Kinko’s ExpressPay Cards Extreme Tech: Hacker Outsmarts Kinko’s ExpressPay Cards CNet: FedEx Kinko’s payment card cracked ZDNet: FedEx Kinko’s payment card cracked Midnight Research Labs: For the kinkos hack skeptics Hack A Day: Fedex Kinko’s smart cards hacked [...]

  2. Midnight Research Labs – Fedex says hack is “no different than stealing”
    March 7th, 2006 at 3:26 am

    [...] As this story gets increasingly popular in the mainstream media, I’ll probably leave updates to them in the future, but here’s a quick last note about the issue. Fedex has publicly stepped up to say that the hack is no different from stealing, and even though they’ve seen it in pictures, and seen it in movies, they’ll continue to evaluate the claims made by Secure Science. According to the article, only after they had seen the video did they think it was worth some more investigation. It seems like a whitepaper and pictures might have been enough for most people considering the potential they have to lose on this. Hopefully they won’t shoot the messengers, especially considering that they’re not releasing the magic three-byte code. [...]
