According to the friendly gentleman who works at my neighborhood FedEx Kinko’s, an ExpressPay card allows people using Kinko’s printers and copiers to pre-load cash onto a card and then pay for the printing and copying services using the little card readers positioned next to each machine. The readers also accept credit and debit cards, so most people do it that way. But if you don’t happen to have such a card, the ExpressPay cards make it possible for you to pay for the services with cash.
As it turns out, they also make it possible for people to steal money from Fed Ex Kinkos. A small security firm discovered a few days ago that the cards can be hacked. You can buy a card at the store for $1, go home, and add hundreds more to the card. You can either spend your fake money on copies, or you can ask the store to refund you the balance of your card.
The story first broke when two scientists at Secure Science posted a video on the Web demonstrating how the cards can be hacked.
Rather than regurgitate the same old rhetoric about how this is Kryptonite locks all over again for Fed Ex Kinkos and card technology manufacturer Entrac Enterprises - I’d like to offer these companies some support on how to unpickle this pickle.
First and foremost, both Kinkos and Entrac Technologies need to engage the blogosphere and the public in general.
They should get in touch with the bloggers that are spreading the story and put forth their side in clear, concise terms - including what they are doing to remedy the problem as quickly as possible.
Entrac, in particular, needs to carefully consider how this revelation affects all of its consumer products, and should consider launching a crisis blog to offer support and information to customers who are no doubt worried that products they’ve purchased from the company have similar flaws.
They should also be getting in touch with customers to tell them up front about the problem. One of the most important rules about doing business in this era of instantaneous communication is that it’s always better to own up to problems immediately and be transparent about efforts to fix the problem. The worst case scenario for this poor little company is to have a million angry messages first thing Monday morning.
I left them a message a couple of hours ago, but their offices were closed. I don’t expect a call back before Monday - or possibly not at all if they’re full steam ahead on fixing the problem. I wish both Fed Ex Kinkos and Entrac Technologies well as they deal with this challenge.
{ 3 comments… read them below or add one }
steven e streight aka vaspers the grate 03.03.06 at 6:24 pm
I prolly need to send you my ‘email that shocked and rocked the blogosphere’.
I offer corporations Buzz Killers Hordes…lunatic highly trained vaspersian blogocombat wooters who zap any hurtful trollers or flamers that attack a company…I am serious.
Our motto: “Guaranteed nervous breakdowns: one flamer at a time”.
From my New Reformed Insane Blog Media Network.
My service of Buzz Killer Hordes
Dave Taylor 03.03.06 at 8:38 pm
Here’s what I don’t understand, Teresa: why didn’t the two scientists notify FedEx/Kinko’s directly, instead of bringing it directly into the public eye. Seems to me that they’d be partially liable for any losses that FedEx/Kinko’s experiences.
Teresa Valdez Klein 03.17.06 at 3:32 pm
I’d like to apologize to you gentlemen for my late responses to both of you. We’ve recently been hit by a collossal wave of comment spam and are still digging out. Also - the Essentials of Business Blogging seminar had us all a little preoccupied.
Now to your comments…
Vaspers: That intimidate-a-troll idea sounds like a great investment. Let me know if you want venture capital
Dave: That’s a great question. Not being an attorney, I can’t speak from any voice of real authority, but it’s my understanding that the only legal restrictions on speech are those that involve libel - or spreading of falsehoods about a person or organization that would tend to tarnish their good name. Libel doesn’t extend to information that is true, as the information about the cards turned out to be.
The ethics of revealing the flaw to the Web at large instead of simply approaching Entrac are another matter, and I agree with you that Secure Science probably should have given Entrac fair warning. But then again, we don’t know that they didn’t.
Or it’s possible that Secure Science wanted the publicity - and inbound links - that come from breaking a story like this.
This is all just speculation of course…