Published: 2006-02-28
The ExpressPay system uses a Siemens/Infineon SLE4442 smartcard to store the pre-purchased value, and a three-byte security code prevents rewriting of the card's data. The method described for obtaining the security code involves using a logic analyzer at a point where the card is written to, and it is reported that this code is the same across all cards in circulation.
The posting describes the various byte ranges, but the crucial point that makes this an issue in the first place is that the ExpressPay system completely trusts the value reported by the card and does not require the database to confirm it. The serial numbers on the card for store location may also be changed to any value without consequence, allowing for straightforward cloning of the cards once produced.
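The missing control is a server-side record that decides each charge, with the card's stored value treated only as a claim to compare against it. The sketch below is an added example, not code from the posting or from ExpressPay; the `Ledger` class, the serial format and the amounts are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Authoritative balances held by the backend (hypothetical schema)."""
    balances: dict = field(default_factory=dict)  # serial -> cents
    alerts: list = field(default_factory=list)    # (serial, reason) for review

    def issue(self, serial: str, cents: int) -> None:
        self.balances[serial] = cents

    def authorize(self, serial: str, card_cents: int, charge_cents: int) -> bool:
        """Approve or deny a charge from the ledger, never from the card."""
        ledger_cents = self.balances.get(serial)
        if ledger_cents is None:
            # A serial the backend never issued cannot spend anything.
            self.alerts.append((serial, "serial not issued"))
            return False
        if card_cents != ledger_cents:
            # Mismatch means the card was rewritten, cloned, or is stale.
            self.alerts.append(
                (serial, f"card reports {card_cents}, ledger has {ledger_cents}"))
        if charge_cents <= 0 or charge_cents > ledger_cents:
            return False
        self.balances[serial] = ledger_cents - charge_cents
        return True


def demo():
    # Constructed sample data: one card issued with 1000 cents.
    ledger = Ledger()
    ledger.issue("CARD-0001", 1000)
    results = [
        ledger.authorize("CARD-0001", 10000, 1500),  # rewritten value: denied
        ledger.authorize("CARD-0001", 10000, 400),   # within ledger: approved
        ledger.authorize("CARD-0001", 1000, 700),    # clone, only 600 left: denied
        ledger.authorize("CARD-9999", 5000, 100),    # altered serial: denied
    ]
    return results, ledger.balances["CARD-0001"], ledger.alerts


if __name__ == "__main__":
    print(demo())
```

Because every copy of a serial draws on the same ledger entry, cloning a card no longer multiplies its value, and each mismatch leaves an alert for investigation.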
The researcher sent the report to FedEx Kinko's on February 19th; no reply has been received at this point.
Posted by: Peter Laborge
