Hacking FedEx Kinko's: How Not To Implement Stored-Value Card Systems

Presented at DEF CON 14 (2006), Aug. 4, 2006, 4 p.m. (50 minutes)

ExpressPay is a stored-value cash card system which utilizes the Infineon SLE4442 chip; it was developed by enTrac Technologies of Toronto, Ontario, and its largest application is as the pre-paid cash card system in use at FedEx Kinko's. Analysis of a few dozen cards reveals that the data stored on the card is unencrypted and poorly protected against fraud, and a simple attack can be used to obtain the security code necessary to alter the data on the card. This talk will step the audience through the analysis, research, attack, and subsequent tests performed on the ExpressPay system, and conclude with recommendations on how to implement a more secure stored-value card system.

Presenters:

• Strom Carlson - Hardware Security
  Strom Carlson is a hardware security researcher at Secure Science Corporation, the organizer of the Los Angeles area Defcon Groups chapter (DC213), and the co-host of Binary Revolution Radio. He enjoys tinkering with technology, playing with telephones, and having a good time with whatever he happens to be involved in.

Links:

• https://defcon.org/html/defcon-14/dc-14-speakers.html#Carlson
• https://infocon.org/cons/DEF CON/DEF CON 14/DEF CON 14 video/DEF CON 14 - Strom Carlson - Hacking FedEx - Kinkos - Video.mp4
• https://www.youtube.com/watch?v=39iSIo9L2vY

Similar Presentations:

• BSidesLV 2019 / Giving Credit Where It's Not Due: Visualizing Joker's Stash
• DEF CON 18 (2010) / Bypassing Smart-card Authentication and Blocking Debiting: Vulnerabilities in Atmel Cryptomemory-based Stored-value Systems
• DEF CON 12 (2004) / Smart Card Security