Security Watch | Matt Hines » FedEx Kinko's ExpressPay smartcards vulnerable

March 05, 2006

FedEx Kinko's ExpressPay smartcards vulnerable

Several stories have been posted over the past few days about a vulnerability in the ExpressPay smartcard implementation recently exposed by Secure Science Corporation. An attacker who successfully exploits this vulnerability can anonymously add value to a smartcard, up to roughly $300, and then cash out that value.

According to a representative I spoke to at FedEx/Kinko's, the company feels that it currently has no security risk from this vulnerability and that it has been taking all appropriate actions from a security standpoint since hearing about the issue. FedEx/Kinko's feels that this exposure is minimal and doesn't currently impact its customers. The company further stated that it regards anyone exploiting this vulnerability as committing an act of theft and that it will not tolerate any illegal activity at its stores or on its network.

Again we come back to encryption (and some physical security couldn't hurt here either). A recommended solution includes encrypting the three-byte security code before storing it on the card so it cannot be modified.

It's Sunday afternoon now and what's really interesting is that a video demonstration of Secure Science Corp exploiting the vulnerability has been viewed roughly 36,000 times since it went up on YouTube on Friday morning.

I've embedded the video of the exploit taking place here so you can take a look at it. The video is about 5 minutes long.

Or you can go to this link over at YouTube.


Change made on (3/6) removed "a network security issue", replaced with "minimal" per K/FE request.

Posted by Victor R. Garza on March 5, 2006 01:38 PM

