funsec mailing list archives

Re: Report: FedEx Kinko's ExpressPay Can Be Exploited For Cash


From: Drsolly <drsollyp () drsolly com>
Date: Tue, 28 Feb 2006 23:40:39 +0000 (GMT)

On Tue, 28 Feb 2006, Fergie wrote:

This might not be news to some of you, but I unsubscribed to
FD several months ago due to the SN ratio. :-)

Via SecurityFocus.

[snip]

A vulnerability in the FedEx Kinko's ExpressPay system allows an
attacker to receive free services or even cash from the stores,
according to a post on Full-Disclosure yesterday.

The ExpressPay system uses a Siemens/Infineon SLE4442 smartcard to store
the pre-purchased value, and a three-byte security code prevents
rewriting of the card's data. The method described for obtaining the
security code involves using a logic analyzer at a point where the card
is written to, and it is reported that this code is the same across all
cards in circulation.

[snip]

Duh -- that was stoopid.

More:
http://www.securityfocus.com/brief/150
 
That reminds me of a story.

I was on TV once, maybe 15 years ago, and they were asking me a lot of
very dumb questions about ATMs, and eventually I got fed up with them
because what the hell do I know about ATMs, I was an antivirus guy, and
they were assuming that if you know about one aspect of security, you must
know them all, and when the interviewer asked me "And are there any ways
that people can get money out of a cash machine without using their card?"
I said "Yes, there's a special test number, 314159, which if you key it
in, it delivers £20 even if you don't have a card." And then she went very
quiet. "We're live, that just went out" she said.

I managed to keep a straight face for several seconds before I cracked 
up.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

