The memory chip card contains data that can be rewritten once a three-byte security code is applied, scientist Lance James of Mal-Aware.org said.
Because neither the data nor the code is encrypted, all it takes is a smart-card reader to rewrite the memory card and a logic analyzer to determine the code, said James, the lead scientist with Dachb0den Laboratories, a Southern California-based hacker think-tank.
"Once the three-byte code is known to the attacker, the card's stored value and serial number can be changed to any value," James said. "The ExpressPay system appears to implicitly trust the value stored on the card, regardless of what the value actually is."
The exploited cards can be used to make copies or rent computers, he said. Worse yet, they could be used to steal cash from FedEx Kinko's locations.
"Most disturbing is, since stored-value cards can be cashed out by an employee at the register at any time, an attacker could cash out altered cards obtained at little or no monetary cost," James said. "If a card is cashed out, its serial number does not appear to be invalidated in the system. If an attacker were to clone a known good card and cash it out, the clone would still be usable."
Representatives from enTrac Technologies, the maker of the ExpressPay system, could not be reached for comment today.
James said copies of the proof-of-concept write-up for the vulnerability were sent to FedEx Kinko's on Feb. 19, although he has not heard back from the company.
As a fix, James suggests encrypting the cards, making sure the stored values on the cards do not differ from the database, prohibiting the use of cards without valid serial numbers and invalidating the serial numbers of cashed-out cards.
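The difference between a terminal that trusts the card and one that treats a back-end ledger as authoritative can be shown in a short simulation. The following is an added example, not code from enTrac, FedEx Kinko's or James; the card layout (a four-byte serial followed by a four-byte value in cents), the ledger structure and all function names are assumptions made for illustration. It models the two attacks the article describes (a rewritten value and a clone of a card that has already been cashed out) against both terminal designs.

```python
# Added example: toy model of a stored-value card terminal. It is not
# enTrac's or FedEx Kinko's code; the card layout, ledger and names are
# assumptions chosen for illustration.
from dataclasses import dataclass, field


@dataclass
class Card:
    """What the memory card carries: a serial number and a stored value."""
    serial: int
    value_cents: int

    def to_bytes(self) -> bytes:
        # Assumed layout: 4-byte big-endian serial, 4-byte big-endian value.
        return self.serial.to_bytes(4, "big") + self.value_cents.to_bytes(4, "big")

    @staticmethod
    def from_bytes(raw: bytes) -> "Card":
        return Card(int.from_bytes(raw[:4], "big"), int.from_bytes(raw[4:8], "big"))


def rewrite_card(raw: bytes, serial: int, value_cents: int) -> bytes:
    """Attacker's view: once the write code is known, neither field is protected,
    so the whole card image can be replaced with chosen values."""
    return Card(serial, value_cents).to_bytes()


class VulnerableTerminal:
    """Implicitly trusts whatever value the card reports."""

    def cash_out(self, raw: bytes) -> int:
        return Card.from_bytes(raw).value_cents


@dataclass
class Ledger:
    """Back-end record of issued cards: serial -> value still on the card."""
    balances: dict = field(default_factory=dict)
    cashed_out: set = field(default_factory=set)


class HardenedTerminal:
    """Treats the ledger, not the card, as the source of truth."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger

    def cash_out(self, raw: bytes) -> tuple:
        """Returns (accepted, cents_paid, reason)."""
        card = Card.from_bytes(raw)
        # A serial that was already cashed out is dead, so a clone is useless.
        if card.serial in self.ledger.cashed_out:
            return (False, 0, "serial already cashed out")
        # Serials the system never issued are refused outright.
        if card.serial not in self.ledger.balances:
            return (False, 0, "unknown serial")
        expected = self.ledger.balances[card.serial]
        # The card's value must agree with the database; the database wins.
        if card.value_cents != expected:
            return (False, 0, "card value disagrees with database")
        # Pay out the ledger value and retire the serial in one step.
        del self.ledger.balances[card.serial]
        self.ledger.cashed_out.add(card.serial)
        return (True, expected, "ok")


if __name__ == "__main__":
    # Constructed scenario: one legitimately issued $5.00 card, serial 1001.
    ledger = Ledger(balances={1001: 500})
    good = Card(1001, 500).to_bytes()
    clone = bytes(good)                      # copied before cash-out
    forged = rewrite_card(good, 1001, 100000)  # value bumped to $1000.00
    print("vulnerable pays forged card:", VulnerableTerminal().cash_out(forged))
    h = HardenedTerminal(ledger)
    print("hardened, forged card:", h.cash_out(forged))
    print("hardened, genuine card:", h.cash_out(good))
    print("hardened, clone after cash-out:", h.cash_out(clone))
```

Note that encrypting the card contents, the first of the suggested fixes, is deliberately not what makes this version safe: an encrypted image can still be cloned and replayed, which is why the serial is retired in the ledger at cash-out rather than on the card.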
Jim McCluskey, a spokesman for the Memphis, Tenn.-based FedEx, said the company is still evaluating the claims made by James. McCluskey said he was not aware of any reports that the cards were being used for any wrongdoing.
"We do not believe there is significant risk," McCluskey said Thursday. "More importantly, the matter does not impact our customers."
"The type of activity that is described is no different than stealing," he added, "and we will not tolerate illegal actions. It's important to impress that security is obviously a top priority for FedEx Kinko's, and we are continuing to update our security measures."