funsec mailing list archives
Re: Report: FedEx Kinko's ExpressPay Can Be Exploited For Cash
From: Drsolly <drsollyp () drsolly com>
Date: Tue, 28 Feb 2006 23:40:39 +0000 (GMT)
On Tue, 28 Feb 2006, Fergie wrote:
> This might not be news to some of you, but I unsubscribed to FD several months ago due to the SN ratio. :-)
>
> Via SecurityFocus.
>
> [snip]
>
> A vulnerability in the FedEx Kinko's ExpressPay system allows an attacker to receive free services or even cash from the stores, according to a post on Full-Disclosure yesterday. The ExpressPay system uses a Siemens/Infineon SLE4442 smartcard to store the pre-purchased value, and a three-byte security code prevents rewriting of the card's data. The method described for obtaining the security code involves using a logic analyzer at a point where the card is written to, and it is reported that this code is the same across all cards in circulation.
>
> [snip]
>
> Duh -- that was stoopid.
>
> More: http://www.securityfocus.com/brief/150
That reminds me of a story. I was on TV once, maybe 15 years ago, and they were asking me a lot of very dumb questions about ATMs, and eventually I got fed up with them because what the hell do I know about ATMs, I was an antivirus guy, and they were assuming that if you know about one aspect of security, you must know them all, and when the interviewer asked me "And are there any ways that people can get money out of a cash machine without using their card?" I said "Yes, there's a special test number, 314159, which if you key it in, it delivers £20 even if you don't have a card."

And then she went very quiet. "We're live, that just went out" she said. I managed to keep a straight face for several seconds before I cracked up.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.