While most institutions are eliminating physical keys in favor of cards and mobile credentials, Saint Louis University (SLU) was forced to make the opposite move. This comes after a student illegally cloned a valid ‘master’ card and used it to access another student’s dorm room.

According to an article in SLU’s student newspaper, the student used a card-skimming device known as a flipper to copy data from the mag stripe of an campus card belonging to a staff member. This data was then encoded to the magnetic stripe on another card, creating the clone.

We have long known of the vulnerabilities inherent in both magnetic stripe and 125kHz prox technologies, still thousands of facilities continue their use.

According to an anonymous residence advisor, the cloned card belonged to a staff member who had master access to the residence halls, so the forged card could potentially provide entry to any dorm room.

This aligns with a university statement.

In an email to students, the university said the switch to keys was due to an incident involving a student worker in the central housing office.

Though not explicitly confirmed, it would follow that the cloned card belonged to a housing staffer with master access privileges to residence hall rooms.

Fortunately, though the impacts of the cloning could have impacted life safety, they were minor. The university says the unauthorized access was limited to the single event, no one was hurt or robbed, and the card skimmer was confiscated.

The anonymous residence advisor says a female student used the card to enter her ex-boyfriend’s dorm room.

In response to the incident, the university suspended use of ID cards at residence hall doors and returned to physical keys. The campus cards are still being used for functions including parking, dining, and access to non-residence hall buildings on campus.

SLU’s reacted quickly to remedy the situation. Because the doors in the dorms had both physical and electronic locks, in just a few days card access was shut down and physical keys were provided to residents.

There are lessons to be learned for campuses across the country and beyond.

The SLU case is just one more in a decades-long string of events that demonstrate the dangers associated with antiquated ID technology. We have long known of the vulnerabilities inherent in both magnetic stripe and 125kHz prox technologies, still thousands of facilities continue their use. Migration to secure chip-based contactless and NFC credentials is essential to guard against card cloning and other security threats.