Report: ExpressPay can be exploited for cash
Peter Laborge, 2006-02-28
Report: ExpressPay can be exploited for cash 2006-03-01
Anonymous (1 replies)
Re: Report: ExpressPay can be exploited for cash 2006-03-01
Anymouse (1 replies)
Re: Re: Report: ExpressPay can be exploited for cash 2006-03-02
Christian Schmidt (1 replies)
Re: Re: Re: Report: ExpressPay can be exploited for cash 2006-03-02
Anonymous
"By the way: I did say minor exploit. Most people don't have smartcard readers."

Smartcard readers and writers have been openly available for little to no money for some time now. Remember the Amex Blue readers they were giving out by the truckload a few years ago? And I know I've seen reader-writers in the $20 range before...

"Kinkos cards can only be used at Kinkos and you can't transfer money to PayPal so what does this get you? Free photocopies."

Or cash. By law (at least in California) you have to be able to cash in the value stored on the card, since they're legally treated the same as gift cards.

"This looks like another case of the press blowing a minor exploit out of proportion."

Oh, there's definitely hyperbole there - but the fact still stands that there are no controls behind the system.

"The posting came from some security company. What makes you think he was unpaid or wasn't a professional or didn't have the design?"

Paid or not shouldn't matter; I don't know whether he was or not, but realistically it's not a criterion by which the merit of any exploit (which has potential here to range far beyond just the Kinko's cards) should be judged.

And if he's a professional, or even just has access to the design documents - so what? See above regarding judging worth. The findings are still valid.

"This just emphasizes the hacker stereotype."

How? They found a flaw, generated an exploit, and practiced responsible disclosure. The company told them there was no exploit ('ceci n'est pas un exploit', i.e. 'this is not an exploit') when clearly there was. Kinko's now has their pants down around their ankles on it, which makes sense given the circumstances.

Now, if you're equating this hack with the usual 2600-level garbage on how to screw over [insert chain store here], you're missing the point - as well as making the assumption that the company was defrauded. I can see a couple of ways in a lab setting (with subsequent field testing) of how you could store credit on the card and verify that the credit is there without actually defrauding the company.

Anyway, since it looks like he's speaking on this at the LayerOne conference in about six weeks, maybe the best thing to do would be attend the conference, watch the talk, and make a decision once presented with the evidence?


Link to this comment: http://www.securityfocus.com/comments/newsbriefs/150/694#694
To be presented at LAYER ONE 2006-03-01
Anonymous
Fedex Response: 2006-03-01
Anonymous (1 replies)
Re: Fedex Response: 2006-03-01
Anonymous
Copyright 2009, SecurityFocus