Hacking FedEx Kinko's: How Not To Implement Stored-Value Card Systems

Presented at DEF CON 14 (2006), Aug. 4, 2006, 4 p.m. (50 minutes)

ExpressPay is a stored-value cash card system which utilizes the Infineon SLE4442 chip; it was developed by enTrac Technologies of Toronto, Ontario, and its largest application is as the pre-paid cash card system in use at FedEx Kinko's. Analysis of a few dozen cards reveals that the data stored on the card is unencrypted and poorly protected against fraud, and a simple attack can be used to obtain the security code necessary to alter the data on the card. This talk will step the audience through the analysis, research, attack, and subsequent tests performed on the ExpressPay system, and conclude with recommendations on how to implement a more secure stored-value card system.


  • Strom Carlson - Hardware Security
    Strom Carlson is a hardware security researcher at Secure Science Corporation, the organizer of the Los Angeles area Defcon Groups chapter (DC213), and the co-host of Binary Revolution Radio. He enjoys tinkering with technology, playing with telephones, and having a good time with whatever he happens to be involved in.


Similar Presentations: