FedEx Pay System Could Be Grounded

A smart card used for the FedEx Kinko’s ExpressPay system is vulnerable to malicious attacks that could lead to a handsome payday for hackers, a malware-monitoring group said Tuesday. The memory chip card contains data that can be rewritten once a three-byte security code is applied, scientist Lance James of Mal-Aware.org said. Because neither the data nor the code is encrypted, all it takes is a smart-card reader to rewrite the memory card and a logic analyzer to determine the code, said James, the lead scientist with Dachb0den Laboratories, a Southern California-based hacker think-tank. "Once the three-byte code is known to the attacker, the card's stored value and serial number can be changed to any value," James said. "The ExpressPay system appears to implicitly trust the value stored on the card, regardless of what the value actually is." The exploited cards can be used to make copies or rent computers, he said. Worse yet, they could be used to steal cash from FedEx Kinko's locations.

Source - SC Magazine