Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS

A lesson for all the Dean's out there. Following a rather embarrassing case of mistaken identity, a group of Pennsylvania college students are now in hot water after trying to purchase fake IDs from a Chinese website. The fake IDs were discovered when a package delivery mistakenly arrived on the desk of a high-level college administrator, rather than the student who placed the order.

The Delaware County Daily Times reports that a dean at a local college received a package that had been mistakenly delivered to him. The package was intended for a student with the first name Dean, but not realizing the mixup, the university dean opened the package and found an empty picture frame.

When the dean turned the frame over, he found eight fake IDs hidden inside. One of the fake ID cards was printed with a student’s real name, and after the university investigated the incident, police were contacted. Police spoke with the students involved and learned that the they had used a Chinese website to purchase the phony credentials -- made to double as state-issued driver licenses -- which were shipped from the city of Guangzhou.

Upon further investigation, it was discovered that website sells ID cards for any US state along with a host of other countries. The site enables users to input their birth dates, height, weight, eye and hair color.

According to police, $250 will get a customer two fake IDs, while a group rate is applied to three people paying $450 for a total of six cards. For groups of 10 or more, police say that the website requests direct contact prior to determining rates.

One Oklahoma State student used his final project in an information security class as an opportunity to raise awareness of the vulnerabilities of OSU's mag stripe card system.

OSU's student IDs are used to facilitate a number of standard functions on campus including physical access and making purchases via a campus declining balance account. Per the university's card office website, OSU's ID card features randomly assigned 16-digit ISO numbers that are encoded on the magnetic stripe and printed on the card.

The student's findings and report have generated a good bit of attention around the campus, as well as online at hacking sites and other outlets. However, the reality is that OSU, though making a couple of poor decisions, is doing nothing out of the norm with regards to mag stripe encoding and ID numbering.

The facts

The student examined the campus card numbering system, and using 100 different OSU cards as a sample, discovered that all cards started with same eight digits. Moreover, the student found that there were only three combinations used for the following two digits -- 05, 06, or 11. With this information the student calculated three million total possible card number combinations.

While the student's report was well researched, it really only highlights the fact that mag stripe cards are designed for convenience not security. The security limitations of mag stripe cards are well known, or at least should be, and reports like this should serve as a reminder rather than a shocking exposé.

Unfortunately, the university did make a mistake. As pointed out in the student's project, OSU prints on the back of each card, the URL for a web portal that reports the status of every card number. From this site, users can enter a 16-digit card number and the system informs the user if that card is valid, as well as if the cardholder is an employee or student.

At the time of the student's report, there was no limit to the number of queries that could be made at the site. The university appeared to be aware of the security risks, however, as a disclaimer on the site states that usage of the web portal is logged and tracked. While the site has since been taken down, there would seem to be no reason for open, public access to this type of resource.

The student also purchased a $300 mag stripe reader/writer and used the it to copy the data from his own campus card, modify the name and then rewrite the data onto a blank, unprinted mag stripe card. He then used this blank, unprinted card to purchase items from a store on campus.

The student created a basic script that generated all possible card number combinations. Per the student's report, the now inactive university website was able to handle between three and five queries per second, meaning all possible card number combinations could have been tested in about two days. These harvested numbers could then have been written onto blank mag stripe cards and potentially used for fraudulent building access, declining balance purchases or bursar account charges.

The takeaway

While the thought of a student being able to make purchases using someone else's account might garner shock and awe status among the general public, many in the campus card community will see it as a somewhat regular occurrence. Those that don't may be denying the reality. The heart of the issue, and the lesson here, is that too many people still believe the mag stripe card to be a secure credential.

The student's report is factual and provides a primer on the standardization of mag stripe cards as well as their natural limitations, but his findings are the very same that have seen many in the industry push for the adoption of more secure credentials.

As a starting point, the conversation surrounding the use of mag stripe on campus needs to be reopened, specifically with regards to physical access. It is simply too easy to counterfeit mag stripe cards and the risks to life safety are too great. The student in this case used a rewritten mag stripe card to make a purchase on campus, but the same process leaves physical buildings, including residence halls just as vulnerable.

When it comes to fraudulent financial transactions, the decision to upgrade from a mag stripe to a secure credential can be based on dollars alone. But when it comes to the safety of students and staff, financial cost should not be the sole consideration. In reading some of the reactions to this story, it seems that more secure credentials should be in the cards.

When it comes to the design of identity credentials, the campus card tends to take a more pragmatic approach than its state or federal-issued colleagues. In particular, most campus cards seem to avoid the use of holograms and other sophisticated laminates and card overlays.

While these more advanced card design features may not yet be common in the university setting, the addition of holographic elements creates a more secure credential that can better stand up to fraud and counterfeiting attempts.

ColorID’s corporate marketing manager, Mark Degan explains that a university has options when it comes to adding a holographic laminate to its campus card.

One option is to add the hologram to the cardstock itself via surface holographic foil stamping to the card surface, he says. Another options sees an embedded hologram applied to the clear overlay portion of the cardstock. Finally, a custom holographic laminate can be used in desktop dye-sublimation card printers or transfer film could be utilized in a retransfer ID printer to apply a hologram to the card.

I know what you’re thinking. What’s it going to cost me?

In terms of price, Degan says that the addition of a hologram to cards or overlays could add anywhere from an extra 20-75 cents per card.

Cost also increases depending on the sophistication of design. If a university wanted their own custom hologram, Degan says the supplies would cost 10-20% more per roll and would include an origination fee for registering the hologram design. There could also be an order minimum attached to these credentials.

In order to justify the additional cost of holograms and other card design features, it’s vital to first understand what it is you’re paying for.

Layered security

There’s a reason that holographic elements appear on secure, official identity documents. Simply put, advanced graphic elements make it more difficult to counterfeit a credential.

“Holograms are an excellent deterrent to fraud and replication, and help eliminate duplication,” says Degan. “More times than not, forgers don’t try to duplicate the exact design of a card, but a similar looking layout instead as holographic elements make exact replication virtually impossible.”

HID Custom Laminate i (1)If a credential that features holographic elements were to be forged, the fake would still be unlikely to pass a visual inspection. “As long as your staff that is checking the cardstock knows what to look for, your cards will have next to no successful forgeries,” says Degan.

Degan explains that add-ons like UV ink, custom overlay patterns and foil stamps can all be replicated to fool an untrained eye. “True holograms that feature guilloche patterns, micro-text, 2D features and nano-text are nearly impossible to duplicate, particularly if those checking the IDs know what to look for,” he adds.

As Degan sees it, anyone can utilize a UV panel from an ID printer, or a metallic foil ribbon to make an official looking ID card, but ultimately it comes down to who checks the IDs. In addition to the presence of a hologram, however, there are further subtleties that can be added to enhance design security, as well as weed out the forgeries.

The sophistication of holograms can also be altered depending on the card issuer’s needs. As Degan explains there are a number of options on this front, but they can generally fall under one of three levels:

A fit for campus?

In Degan’s experience, most universities don’t opt to add holograms or advanced security features to their current campus cards. “But each year we do have more and more universities add the security component after understanding the benefits these elements can add their the cards,” he adds.

“Any institution can easily take their existing campus card and add a secure hologram to it for minimal cost per unit and next to zero changes to their infrastructure,” says Degan. “It can provide peace of mind that your university utilizes a secure cardstock that can’t be duplicated.”

The Clemson case

One university that has employed holograms on its campus card to great effect is Clemson University. The Tiger OneCard features Datacard’s Duragard OptiExpress 0.6 mil Custom Laminate along with a registered security design specific to Clemson’s brand.

Datacard Custom Holographic Laminate (1)Steve Robbins, associate vice president of student affairs at Clemson explains that the university initially considered a clear over laminate as part of its campus identity management and re-carding initiative in 2012. Since a new card design was being implemented, however, it was decided that it would also be a good time to add more security by selecting a custom
laminate.

“The idea of a hologram and custom laminate was thought of as a way to make counterfeiting the card more difficult but there was also an element of branding that would make the card unique and stand out,” says Robbins. “The biggest benefit other than the protection offered by a laminate is the unique design that is a deterrent to duplicating the card.”

While the implementation of a custom, registered hologram is the pricier route, Robbins insists that the cost to Clemson’s card issuance process was nominal.

“The cost was very reasonable considering the additional security it provided to deter fraudulent duplications and counterfeiting. Also, it really promotes the University brand and image,” he says. “We make about 10,000 cards per year, so based on current pricing we are spending less than $4000 for the custom laminate.”

Robbins and the folks at Clemson have implemented the hologram to great success thus far, making a case for others to consider the added layer of card security.

“There are a number of reasons to consider adding a hologram, but it really boils down to how the card is used and supports your campus activities,” explains Robbins. “In the end, we felt it made our card more secure and aligned with our campus wide identity management initiative.”

The number of people affected by stolen medical records at Shorter University has risen to more than 30 people, following reports that criminals have used the acquired identity information to file fake tax returns. Among the information acquired were birth dates and Social Security numbers.

As reported by Northwest Georgia News, two full stacks of medical records were taken from the files at Shorter University in September. The records were reportedly those of students involved in athletic programs at the Rome, Georgia university.

Police investigation reveals that the door to the records room was not locked because it was misaligned and difficult to lock.

Police believe as many as 900 records could have been stolen, but as of yet only 30 people have reported cases of identity theft. The dead giveaway for those affected; someone else had filed fraudulent tax returns using the information from victims' stolen records.

Those affected individuals discovered the fraud either when they tried to file their own taxes but were notified that they already had filed, or when they received a letter in the mail notifying them that their return was being processed. According to the police investigators, filing fraudulent tax returns is one of the most common criminal uses of stolen identity information.

The University of Missouri will offer gender-neutral housing to students this coming fall, with returning students have access to the new option when they enroll for fall housing options.

According to a report from the Columbia Daily Tribune, the block of dorm rooms are open to students of any gender, with the goal of the initiative being the creation of a safe, secure housing option for students that identify as transgender or gender nonconforming. The 2015-2016 academic year will serve as a test for the project, which will offer 16 beds in one of the university's residence halls.

The report suggests that some 150 universities nationwide have adopted similar programs. The unique aspect to Missouri's plan, however is that incoming freshmen can also select the gender-neutral housing option. Of the 16 total spaces, four will be reserved for freshmen that sign up for housing int he month of April. University officials say plans for expanding the housing option will depend on student demand.

The 16-bed space takes up half of the first floor in the university's College Avenue Hall. The dorm rooms consist of either single rooms or double suites with a shared bathroom. Interested students will be required to sign agreements affirming they are understanding and open to having roommates, suitemates and floormates who are of a different gender or gender nonconforming.

For University of Illinois students, February 28 will mark the end of a banking partnership between their university and TCF Bank.

According to a report by The Daily Illini, the university's partnership with TCF Bank will not be renewed once the current contract expires at the end of February. The decision to end the partnership means that there will no longer be a TCF Bank branch on Illinois' campus or in the Champaign-Urbana area.

TCF’s on-campus ATMs will remain operational until at least mid-May in an effort to ease the transition. TCF officials also state that the bank continues to make improvements to its mobile and online banking platforms, offering those students that bank with TCF additional convenience while eliminating the need to visit a brick-and-mortar branch.

Per the bank's official website, the TCF branch located on the University of Illinois at Urbana-Champaign campus will close at the end of business on May 18, 2015. TCF will continue to provide four ATMs located across the Urbana-Champaign campus, with one of the ATMs continuing to accept deposits for TCF account holders.

In addition to maintaining the ATMs and online access, students who hold accounts with TCF will otherwise not be affected. However, students who have their TCF Bank account attached to their i-card, the University of Illinois student ID, will no longer be able to use their student ID for debit functionality as of February 28.

Officials close to the i-card program insist that students will not be expected to close or switch bank accounts as a result of the contract ending. The only change is that students will be required to use a TCF-issued card rather than their university ID. The University of Illinois i-card website says that the program is currently negotiating a contract with a new, unnamed provider.

Heartland Campus Solutions has partnered with data integration management company, SwiftData to provide Heartland OneCard campuses the ability to outsource its data integration processes.

Heartland's vice president of OneCard sales, Fred Emery, discussed the partnership in a post on the company's website. "OneCard programs offer a single point of access for dining, buying books, paying for laundry, grabbing a snack, going to an event on campus, unlocking their resident hall door, and more," he says. "OneCard is built on a foundation of student information that allows these privileges to be assigned to students or financial balances to be added to accounts."

Emery goes on to explain that this data often comes from multiple sources, such as a campus ERP system or through existing ID production solutions. Moreover, data will need to flow from the OneCard system to existing third party access control or print management solutions.

The newly formed SwiftData, and flagship solution Pinwheel Data Management Engine, will add to Heartland's existing data integration solutions.

Emery explains that the Pinwheel Data Management Engine will allow campuses to automate the data workflow between disconnected systems, providing assistance to Heartland OneCard clients in creating business rules for the flow of data. It will also allow the necessary data to flow into OneCard or be shared with other systems, creating the necessary privileges and rules that account holders need to access services in an automated fashion.

Emery goes on to list his top reasons for a university to consider outsourcing its data integration management with SwiftData, and implementing the Pinwheel Data Management Engine:

Online shopping could get a lot easier for Purdue students, as the university has partnered with Amazon for its first brick-and-mortar store on a college campus. The new storefront is offering students a pick up and drop-off location for packages purchased through the company.

The store, Amazon@Purdue, allows students to place store orders via Amazon Student, and leverage an existing service that provides free shipping. Students then receive an email or text notification when their orders arrive at the storefront on Purdue's West Lafayette, Indiana campus.

As an added incentive to use the new Amazon@Purdue location, the company is offering free one-day shipping for purchases shipped to the new location. Students can also get 2-day shipping on Amazon Prime items delivered to the store.

According to a report from the Lafayette Journal & Courier reveals that Amazon@Purdue has been examining data since the store's unofficial launch earlier this semester. The results to this point have exceeded expectations when it comes to student and staff savings.

"Our estimate had been 35% savings on textbooks. So far, it looks to be north of 40%," says Mitch Daniels, Purdue University president and former Indiana Governor.

When it comes time to pick up a package, students are given two options; they can choose to speak with an Amazon store clerk, or retrieve their package from an automated storage locker. Students make this choice directly from the email notification screen. Packages remain in the lockers for 15 minutes once a student makes their pick up order.

While textbooks may offer students the most significant savings, the Amazon@Purdue store is expected to support the full range of products that students can purchase from the online retailer. Since opening its doors, Amazon reports that students have utilized the service to purchase school supplies, video games, as well as consumer electronics and accessories.

While Purdue is the first university to adopt the Amazon storefront, the company has also announced partnerships with the University of Massachusetts-Amherst and the University of California-Davis.

The campus card office at Brandeis University amended its dining period schedule, offering students new hours to access food at campus dining facilities. The university's old policy provided for three meal periods each day, but the new policy now offers five dining windows having added "continental breakfast" and "limited lunch" windows.

According to a report from Brandeis University's student newspaper, The Justice, the university's campus card office sent an email to students explaining that the decision to increase the meal periods was made to allow students additional flexibility in accessing their daily meals.

According to the email, the added dining times were the result of student feedback and consultation with the university's food service provider, Sodexo which partnered with Brandeis in the fall of 2013.

Per the university's card office website, students were previously offered the standard 3 meal periods each day -- breakfast, lunch and dinner. The university had received complaints about this structure, giving rise to the new meal time schedule. The university will keep its existing policy of only one allotting one meal during each meal window, only now the day is divided into 5 meal periods.

The 5 meal periods:

Jeremy Earles, credentials business leader, Allegion

Earles_headshotBy 2020, the student ID card probably won’t be a card at all. Like other forms of technology, the nature of credentials changes at an ever-increasing rate. The traditional brass key gave way to the magnetic stripe card and then quickly to low-frequency technology. Moving into smart cards has provided extra security with just as much convenience as the previous technologies, and some cards now include biometric protection for added security.

The next step, a result of the rapid growth of smartphone technology, combines the extra security of a smart card with the convenience of a device you already carry with you. Students may forget their keys or cards but are almost never without their phones. Smartphones have begun to replace cards for many types of transactions, including individual loyalty cards such as Starbucks and broader based applications such as Apple Pay. Smartphone-activated electronic access control devices already are available, and the format is evolving quickly.

It now appears that Near Field Communication (NFC) is the technology most likely to emerge as the standard for ID, transactions and access control. What happens in the retail world will affect student ID direction through the acceptance and popularity of a format. The addition of NFC capabilities by major manufacturers makes smartphones a practical and growing solution for access control as well as identification. Samsung has had an NFC antenna in its phones ever since launching the Galaxy S3 about two years ago. Allegion tested pilot programs using NFC for access control devices at about the same time and since then has launched that technology into the Android and iPhone markets. While the latest iPhone 6 design incorporates an NFC antenna, it does not yet allow functionality outside of Apple Pay, though many companies are hopeful to have access to that technology in the future to provide a broader range of NFC features.

NFC holds the lead today, since it works with a large population of existing readers already in the field, but other technologies such as Bluetooth are also available. As evidenced by current trends, change is occurring quickly, so another new technology that nobody has yet heard of could emerge suddenly and take over everything. As of now, however, NFC holds the most promise. Two years ago it was unknown that NFC would be so well accepted, but with the recent adoption of mobile payments on popular devices, it has become the leading contender. A major deciding factor in what finally emerges will be the availability of readers and other devices in the field that can accept a credential. No matter how many technologies there are, they will have to work together to be of value.

Changing ID credentials from cards to smartphones won’t occur overnight. There is likely to be a period of transition, with some people still using cards and others using smartphones. By 2020, and maybe long before, smartphone and tablet apps should be universally accepted for ID and access control. Already, your identity is tied more than ever to your phone, yet it is more secure than a card, which can be stolen or lost and used by someone else. The addition of screen lock, passwords or biometric security on the device – like the thumbprint reader on the new iPhone – adds extra levels of security.

Of course, the credential is only half of the access control and transaction loop. A reader must be compatible with the technology to receive the communication and execute the action. Many retailers such as Starbucks are accepting payment by either card or smartphone app. When it comes to access control, some manufacturers already have readers and other devices that are NFC capable. For example, Allegion’s multi-technology readers will work with either smart cards or NFC devices. Readers such as these are future-proof in the sense that they are already installed and ready.

In the end, it may be a hybrid world for some time, with several different technologies operating in harmony, rather than just a single credential. A student or staff member may access NFC readers for ID and transactions on campus but use Bluetooth at home. These and other technologies can coexist on a single mobile device.

ID cards are likely to be around for years to come, but before long, they and the information they carry are almost certain to be embedded in a mobile electronic device, whether a smartphone, a tablet or another device still to be invented.

About the AVISIAN Publishing Expert Panel

At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the market to serve as Expert Panelists. Individuals are asked to share their unique insight into different aspects of the campus card market. During the months of December and January, these panelist’s predictions are published at CR80News.

CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Join Jeff Koziol and Robert Gaulden from @AllegionUS as we explore how mobile credentials and proptech are changing on- and off-campus housing.

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.