Hacking of Envelo postage stamps

Story originally shared as a lightning talk at Security PWNing 2016

Sometimes the old meets the new, for instance when postage stamps of the Polish Post (an institution founded in AD 1558) are sold through the online service Envelo.pl (founded in 2013). It also means that the old, analog office occasionally has to face challenges discovered in the digital world.

That is exactly what happens when you look at print-it-yourself postage stamps through a hacker’s glasses (I do not wear glasses, BTW). This is a digital, easily replicable good used in the real world! So, can I use one stamp multiple times? If yes, what is the time window during which one stamp can be reused? Because, you know, in the digital world there are both replay attacks (in which a valid data transmission is fraudulently repeated) and concurrency attacks (in which a given resource is consumed many times in a short timeframe before the fact of consumption is properly acknowledged).

To make a long story short, I bought two stamps with the intention of finding answers to these two questions.

Concurrency test

I sent a PDF file with the first stamp to five friends from different cities around Poland, asking them to print it and use it on a postcard or an envelope addressed to me. The sender’s address was supposed to be missing, so in case of fraud detection, Polish Post would presumably ask me — the recipient — to cover the due fee.

The whole thing took place on one agreed Tuesday night, so all the copies of the stamp were to be validated on the same following day. “If the list of spent stamps is not validated in real time”, I was thinking, “at least some of the duplicates can slip through”.

On Thursday I got the first letter from Gdańsk, but on Friday there was none. On Monday I received the four remaining letters and postcards from Warszawa, Rzeszów, Kraków and Poznań, delivered to my post box. Thanks Triss, Kasia, Paweł, Piotr and Daniel!

So far so good. But what if I send a few letters with the same stamp from one location for a few days? It is time for the second test.

Replay test

I printed the second stamp five times, glued the copies to five numbered envelopes and sent them to myself on five consecutive days, starting Monday.

I got the first letter on Thursday; on Friday there was none. On Monday I received the four remaining letters, delivered to my box.

Conclusion?

I do not know how Polish Post IT services operate, but I am convinced that they can compare the number of issued and validated e-stamps (with a one-year expiration time; WAIT, what will happen if I use an expired stamp?). On the other hand, it might be that despite some fraud threshold, it is less expensive to let it go instead of returning mail to the sender or calling the recipient to pay for the service. Then again, maybe there are no stamp scanners in at least some of the sorting offices, so one stamp can be reused forever?

One way or another, there is proof that it is possible to reuse a single postage e-stamp multiple times, even if the letters are sent from one location during the whole week.
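What a ledger that rejects both kinds of reuse could look like, as an added example that is not part of the original post and not Polish Post's or Envelo's code: every scan is an atomic test-and-set on a central table, so only one of several simultaneous or repeated scans of a stamp is accepted. The table layout, stamp IDs, office names and function names are assumptions made for illustration.

```python
import sqlite3
import tempfile
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta

VALIDITY = timedelta(days=365)  # one-year validity, as mentioned in the post
DB_PATH = tempfile.mkdtemp() + "/stamps.db"  # hypothetical central ledger

def connect():  # one connection per scan; autocommit: a statement = a transaction
    return sqlite3.connect(DB_PATH, timeout=30, isolation_level=None)

def issue(stamp_id, issued_at):
    """Record a sold stamp. ISO-8601 strings sort chronologically."""
    db = connect()
    db.execute("CREATE TABLE IF NOT EXISTS stamps (id TEXT PRIMARY KEY,"
               " issued_at TEXT NOT NULL, used_at TEXT, used_office TEXT)")
    db.execute("INSERT INTO stamps (id, issued_at) VALUES (?, ?)",
               (stamp_id, issued_at.isoformat()))
    db.close()

def redeem(stamp_id, office, now):
    """Return 'accepted', 'duplicate', 'expired' or 'unknown' for one scan."""
    db = connect()
    # Test-and-set in ONE statement: a separate SELECT followed by an UPDATE
    # would let two offices both see "unused" before either write lands.
    cur = db.execute(
        "UPDATE stamps SET used_at = ?, used_office = ?"
        " WHERE id = ? AND used_at IS NULL AND issued_at >= ?",
        (now.isoformat(), office, stamp_id, (now - VALIDITY).isoformat()))
    if cur.rowcount == 1:
        verdict = "accepted"
    else:  # nothing changed: look up why, for the fraud report only
        row = db.execute("SELECT used_at FROM stamps WHERE id = ?",
                         (stamp_id,)).fetchone()
        verdict = ("unknown" if row is None
                   else "duplicate" if row[0] else "expired")
    db.close()
    return verdict

def scan_concurrently(stamp_id, offices, now):
    """Simulate the same stamp being scanned at several offices at once."""
    with ThreadPoolExecutor(len(offices)) as pool:
        verdicts = pool.map(lambda o: redeem(stamp_id, o, now), offices)
        return dict(zip(offices, verdicts))

if __name__ == "__main__":  # constructed sample: one stamp, five offices
    bought = datetime(2016, 11, 1, 20, 0)
    issue("DEMO-0001", bought)
    print(scan_concurrently("DEMO-0001", list("ABCDE"), bought + timedelta(days=1)))
```
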

But what about the consequences of my fraud? I paid 4 PLN instead of 20 PLN. I could have bought the missing stamps and thrown them away, but hey, that was the cost of science. Instead, I paid 50 PLN to the “SOS Syria” charity run by Polish Humanitarian Action. I hope it will make things even in the universe.
