Schneier on Security
A blog covering security and security technology.
« Jury Duty Identity Theft Scam |
| The Psychology of Password Generation »
March 2, 2006
FedEx Kinko's Payment Card Hacked
This site goes into detail about how the FedEx Kinko's ExpressPay stored value card has been hacked. There's nothing particulary amazing about the hack; the most remarkable thing is how badly the system was designed in the first place. The only security on the cards is a three-byte code that lets you read and write to the card. I'd be amazed if no one has hacked this before.
EDITED TO ADD (3/2): News article.
Posted on March 2, 2006 at 7:02 AM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It bugs me that the article says that what the cards need is some encryption, and while that might help some, it wouldn't hurt for them to also have some authentication.
Of course, I'm also kind of curious what FedEx Kinko's can do at this point. It's a bad situation. One of my favorite sayings is "If you have a mouth full of too-hot soup, the next thing you do will be wrong." I don't know what they're going to do about this, but I can almost guarantee that it will be wrong.
Here's the beauty part:
"This security code appears to be the same across all FedEx Kinko’s ExpressPay cards currently in circulation."
Having the code transmitted between card and reader in plaintext is weak, but understandable. You can forgive someone for missing the possibility that the card contacts could be tapped while a transaction is happening.
But all cards using the same access code? That's just sloppy design, and anyone who with the technical savvy to write "hello world" in BASIC should know better.
I was a bit surprised that one of the recommendations was to encrypt the data before writing it to the card. Wouldn't that still allow the adversary to reset the card to its original value and to clone new cards to a higher value?
The thief could buy one card with a high value and many more cards with the minimum value, copy the high value into the cheap cards, and then cash them in. To prevent this, the vendor would have to include the serial number in the encrypted value and invalidate serial numbers for cashed-in cards.
Of course, that doesn't stop the thieves from using the pumped-up cards for copies and services.
This was a dumb design and fixing it won't be easy. It shows once again that security needs to be designed in from the beginning.
"I was a bit surprised that one of the recommendations was to encrypt the data before writing it to the card. Wouldn't that still allow the adversary to reset the card to its original value and to clone new cards to a higher value?"
Of course. The security issue is not that the data on the card needs to be secret. The security issue is that the data needs to be authenticated. But non-security people confuse the two all the time: "Of course it's secure; it's encrypted!"
Maybe it's time for someone to write the book, "Stored Value Card System Design for Dummies".
So how do you defend against a replay attack in this situation?
I am assuming that the photocopiers and kiosks, etc. are meant to be stand alone (otherwise why would they use a stored value card), so the only record of a transaction is stored on the card. As long as I can write to the card (and the 3 byte code, or larger, is not going to stop me regardless of whether or not the use the same code per card) I can put the old value back. I don’t need to be able to decrypt the data because I don’t care what it is; I just want the old data back thereby erasing the previous transactions.
I don’t see a way out of this without upgrading the cards to a smarter card.
The money value on the card is stored as an eight byte floating point?
Ahem! All possible money values will be exact counts denominated in US cents. There cannot be any intermediate values, yet almost all of the 64-bit floating point number space is intermediate values. (Tests for A=B and X=zero can fail.)
There are three things we don't use floating points for: time, phase, and counts.
"The money value on the card is stored as an eight byte floating point?"
I read that in the article and went "that's odd" and kept moving. Thanks for highlighting it.
So, go ahead, design how a stored-value card should proceed.
What are the assumed requirements on this business? Here's some I came up with just in five minutes of typing:
1. The card must be cheap enough to give away to users who want to make five copies and then throw the card away.
2. The card must be secure enough to allow users to confidently put hundreds (maybe thousands) of dollars onto the card, and count this money accurately to the one-cent level.
3. The value stored on the card cannot be removed except through authorised use at an unattended Kinko's machine, or at the register by a Kinko's employee.
4. Value can be added to the card by an employee or at an automated vending machine.
5. Allow customers to exchange their cards for new ones when your scheme is broken, without the likelihood of significant rampant fraud, or loss of value. [Obviously, the scheme being eventually broken is a requirement of the design, and the breakage must be detected in time that the loss is offset by the cost savings of having automated charges]
6. Includes or anticipates any present or future measures required by the government of any municipality, region, or country in which Kinko's may have offices. After all, homeland security is important.
What other requirements do you think Kinko's had originally, or should they have had? How would you implement them? It's all very well to criticise an obviously flawed scheme after the fact, but not so easy to design the scheme in the first place.
My favorite part was the serial number. Even bogus numbers worked. To what use is the serial number good for if it isn't compared to valid accounts? Silly.
This is a real common type of implemetation of sotored value cards. In my hostel at uni, we had magnetic stored value cards. So we got a reader, put $20 on one card, and copied the strip data with no money. Worked like a charm.
Then they wised up and used smartcards. they were pretty new back then, and you couldn't just but a smart card reader like you can now. But that wasn't a problem, we just ripped a card reader off the machine from the other hostel and used that. It was a little more difficult to work out what was going on, but once we did the same attact worked. Just copy the bits that change when you put money on it. easy.
Then they wised up to that, and now just use coin slots. We never tried to brake that system.--oh yes we did. With salt water. It worked untill they upgraded the machines. Now they take visa and matercard, and salt water does not work anymore.
"So, go ahead, design how a stored-value card should proceed."
People have been studying stored value cards and e-cash for many years. I was involved in such a study about ten years ago.
There are much better system designs out there than were used here. The folks who put this system together just didn't do their homework.
There's no way to completely fix the system they've got without changing the cards. Proper use of encryption and serial numbers can prevent users from minting money with the cards. That would be a big improvement over what they have now.
However, to prevent the replay attack, there must be something on the card that changes with each use and can't be modified by the user, such as a non-resettable counter implemented in hardware. That counter must be included with the serial number and the value in the encrypted message on the card.
Another option for preventing replay is to go to a card that supports more secure cryptographic authentication protocols.
Designing these systems is not easy, but fielding a system with such obvious flaws should merit a spot in Bruce's doghouse.
Single points first:
Maybe the serial numbers aren't used for anything. I believe that these cards are used similarly to the Dave and Busters type cards, in other words they aren't really tied to a specific customer/user so they represent no risk to the customer and therefore the serial number doesn't matter.
How does encrypting the security code or the money on the card improve anything? The values are transmitted in a way that can be "sniffed". So whether or not they are encrypted doesn't matter, you still get the encrypted string value and present that to the card and it will let you write to it. If the money part is encrypted you still have the string so you could put the max value on the card, read the value and then keep writing that value back everytime you use the card.
The only way to prevent this is to have some sort of key exchange (like Diffie Helman) where the security code would then be sent across after establishing a secure tunnel. I am not sure whether these cards have that capability.
A former employee states on here that they are only allowed to refund $10.
"What other requirements do you think Kinko's had originally, or should they have had? How would you implement them? It's all very well to criticise an obviously flawed scheme after the fact, but not so easy to design the scheme in the first place."
You're kidding, right?
This seems to me an incredibly straightforward design project. I agree that it's not so easy to design the scheme, if you don't understand security, but I think it's pretty easy it you do understand security -- and very easy if you assume the card readers are on-line.
But you're probably right; this would make a good assignment problem in an undergraduate computer-security class.
Implementing an offline stored value card implementation that's immune to separate-reader replay attacks seems hard. Is it actually possible?
Is Diffie-Hellman not an assymetric key encryption system? So by stating it needs encryption - I think nitpicking by saying how the encryption needs to be performed is really up to the design spec. Either way, if you had a Diffie-Hellman or RSA authenticated kiosk to protect the modification of the smart card, this would be ideal, but stating that that's not using encryption is not necessarily correct.
Once again, I know that Diffie-Hellman is an assymetric key encryption system. What I mean is that I don't believe the card would support this, I believe it would have to be a more expensive card with a processor and possibly more storage space. Of course I already made that point, guess I needed to clarify.
Why is everyone so worried if Kinko's might lose some money? This does not affect the customer, the cards don't store any sensitive information (or at least I don't think they do). It is possible that they have assumed this risk. Given the fact that in order to do this properly they would need more expensive cards, and given the fact that they only allow small cashouts ($10 or $20), and given the fact that this is not something just anyone can do they might have just accepted that risk.
The fix could cost more than the fraud savings.
“Implementing an offline stored value card implementation that's immune to separate-reader replay attacks seems hard. Is it actually possible?��?
I don’t think it is possible with the cards that they use. It is just a memory card (kind of like a really slow, really small capacity USB flash drive) with some rudimentary write protection.
I started playing with smart cards a couple years ago to get a better understanding of their capabilities. The first thing I found out is that there as smart cards and there are smart cards. Even within the general classes of smart cards there is huge variation of capabilities. As an example, there is a paper about integrating Kerberos V with a smart card (http://www.citi.umich.edu/techreports/reports/citi-tr-98-7.pdf); it has a great quote:
"Many vendors claim that their smartcards support DES, but we had a very hard time getting a smartcard that meets our requirements, even though all we need is pure, unadulterated DES."
So, it might be possible with a crypto card (I don’t know enough about them). It definitely is possible with a JavaCard. The big problem is the memory cards less than $1.00 and the JavaCards are greater than $10.00
I think that is the issue, any card that would provide the required security features would be prohibitively expensive. Your example shows as much as 10 times more expensive. This would cost millions of dollars and probably be substantially more than the loss from not providing the security.
Also, let's not forget that many other copy shops operate on the "good faith" model that you will make your copies and honestly pay for the accurate amount of copies you made. These shops are vulnerable to lying and people just walking out without paying. So the ironic thing here is that this system (although vulnerable to fraud) actually protects against theft, and this protection probably saves infinitely more than would protecting the card.
As a final note, I think that this was a case of shameless self-promotion. This does not present any risk to customers (conveniently left out in the posting and thus potentially scaring customers) and presents a fairly minimal risk to Kinko's (especially since they limit the amount you can cash out for). What's more is the fact that these vulnerabilities are a primary result of the hardware/software design of the enTrac system. This system is used by other people. I believe that this group released the vulnerability with Kinko's association so that it would have a higher level a visibility. Few people probably know the name enTrac but a lot of people recognize the name Kinko's.
re: "given the fact that they only allow small cashouts ($10 or $20), "
This is a false statement - when we did our video for this - I asked the lady personally at the counter how much she would cash out. She said whatever was left on the card.
This means if I use the card and put 100.00 and use 20 cents, then she will cash out 99.80.
Please don't be fooled by one unauthoritative comment from a blogger - please stop at your nearest kinkos and ask the same question.
You still aren't addressing all of the other issues but that is another story. The fact is that several former employees on several sites (http://www.digg.com/security/Fedex_Kinko_s_Smart_Cards_Hacked here is one of them) have stated that they are only supposed to cash out $10 to $20. So this is an issue of awareness for the company and ensuring that their employees know this policy.
BTW: In the video you do not ask a clerk if they will cash the full amount; you ask your co-worker and he says yes.
"...any card that would provide the required security features would be prohibitively expensive. "
This simply isn't so. Well designed smart card-and-PK based systems have been used for various systems, especially public transportation systems, in several countries now for years. For example the "Ocotopus card" system has been used in Hong Kong for 9 years (and the pilot phase started 3 years before that). It is widely believed to be secure, it is highly profitable, and it is easy to use for a variety of purposes. Similar systems are used in Shanghai, Japan, Boston, Chicago, Washington DC, Taiwan, and most recently London. Of course, as technology has advanced these later systems have become increasingly cost-effective.
"...I asked the lady personally at the counter how much she would cash out. She said whatever was left on the card."
Since the value is apparently stored as an IEEE 754 double float, which has a maximum value (other than "Infinite") of approximately $10^308, it would be interesting and amusing to see how they respond to really large values. I expect you will exceed the reader's ability to display the value long before the maximum is reached. Hey, you might even be able to crash the reader by claiming to have Infinite money, or negative Infinity.
It would be amusing to see what happens when the clerk is asked to cash out a card for merely a few hundred million. Or if it claims you owe them tens of thousands of dollars, and you start counting out pennies. Or that you are owed 1/10th of a penny, and you demand exact change.
It would be more interesting, from a security sociology point of view, if the value was approximately equal to one Kinko's total cash float, whatever that might be.
"...employees on several sites ... have stated that they are only supposed to cash out $10 to $20"
But on the site you list, this is only claimed as a temporary countermeasure, in one area, after getting hit with a rash of forged cards. He also says he's not sure if they are still limiting it.
Is there any easy way to alert you to spam posts?
"This simply isn't so. Well designed smart card-and-PK based systems have been used for various systems, especially public transportation systems, in several countries now for years. For example the "Ocotopus card" system has been used in Hong Kong for 9 years (and the pilot phase started 3 years before that). It is widely believed to be secure, it is highly profitable, and it is easy to use for a variety of purposes."
Highly profitable? I believe that for Kinko's it would be all expense. They don't make money from these cards, they help prevent some forms of theft (like walk outs or lying about how many copies were made). If a card is 4 or 5 times more expensive just to provide the security for the company, and if there are hundreds of thousands or millions of these cards (Kinko's is a worldwide company) then you are flat out wrong. Do the math, say the cards are $1 more, with hundreds of thousands or millions of cards that eats up a lot of extra money. If the current cards are cheaper and prevent much more common types of theft then why go with something that could cost the company millions while protecting them against what would more than likely be an incredibly small amount of people willing and capable to perform this fraud.
"If the current cards are cheaper and prevent much more common types of theft then why go with something that could cost the company millions while protecting them against what would more than likely be an incredibly small amount of people willing and capable to perform this fraud."
Until someone writes and publishes a program to modify the cards for you, ala DirectTV hacking years back.
I just looked up the local Kinkos in my area and there are 20 within 20 miles of my home. With a laptop, card reader and a program to modify the card I could easily make 200 dollars in a few hours, even if I kept the payout around 10 dollars.
Just imagine if a program and instructions were globally available.
There's two avenues for fraud here. (1) Getting free copies, (2) getting free money.
(1) is harder to protect against if you want really cheap cards and offline readers. Within the constraints Kinkos is working with, it probably makes sense to just write off the free copies as a known hole and take the losses.
(2) is easier to protect against because there's no reason for the cash outs to be offline. The POS terminals should already by networked (even if the network isn't always available) so a simple case of encrypted data with unique serial numbers should work fine.
The real risk to Kinkos is from people buying cards and then getting the refund multiple times. That risk is much easier to mitigate. The risk that people will buy a $20 card and then use $2000 worth of copies is not as significant.
i think, instead of using cards, fedexkinkos could just use fingerprint authentication, and store how much money the customer has added to their accounts in secure encrypted databases. so there is no card to crack, you just go in, swipe your fingerprint, and the computer tells you how much money you have to spend.
im no security analyst or anything, so tell me, do you think that could work?
Iwant to hack on mig33 sarver to get any user password
If there away to it please give it to me and send aresult to my email
with my great thnx
i need someone to help me program a card simular to the kinok card i will pay please email me firstname.lastname@example.org
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.