Campus ID News
Card, mobile credential, payment and security

Student 'hacks' campus card for final project

Findings spark concern from general public amidst continued misconceptions of mag stripe

Andrew Hudson   ||   Feb 27, 2015  ||   

One Oklahoma State student used his final project in an information security class as an opportunity to raise awareness of the vulnerabilities of OSU's mag stripe card system.

OSU's student IDs are used to facilitate a number of standard functions on campus including physical access and making purchases via a campus declining balance account. Per the university's card office website, OSU's ID card features randomly assigned 16-digit ISO numbers that are encoded on the magnetic stripe and printed on the card.

The student's findings and report have generated a good bit of attention around the campus, as well as online at hacking sites and other outlets. However, the reality is that OSU, though making a couple of poor decisions, is doing nothing out of the norm with regards to mag stripe encoding and ID numbering.

The facts

The student examined the campus card numbering system, and using 100 different OSU cards as a sample, discovered that all cards started with same eight digits. Moreover, the student found that there were only three combinations used for the following two digits -- 05, 06, or 11. With this information the student calculated three million total possible card number combinations.

While the student's report was well researched, it really only highlights the fact that mag stripe cards are designed for convenience not security. The security limitations of mag stripe cards are well known, or at least should be, and reports like this should serve as a reminder rather than a shocking exposé.

Unfortunately, the university did make a mistake. As pointed out in the student's project, OSU prints on the back of each card, the URL for a web portal that reports the status of every card number. From this site, users can enter a 16-digit card number and the system informs the user if that card is valid, as well as if the cardholder is an employee or student.

At the time of the student's report, there was no limit to the number of queries that could be made at the site. The university appeared to be aware of the security risks, however, as a disclaimer on the site states that usage of the web portal is logged and tracked. While the site has since been taken down, there would seem to be no reason for open, public access to this type of resource.

The student also purchased a $300 mag stripe reader/writer and used the it to copy the data from his own campus card, modify the name and then rewrite the data onto a blank, unprinted mag stripe card. He then used this blank, unprinted card to purchase items from a store on campus.

The student created a basic script that generated all possible card number combinations. Per the student's report, the now inactive university website was able to handle between three and five queries per second, meaning all possible card number combinations could have been tested in about two days. These harvested numbers could then have been written onto blank mag stripe cards and potentially used for fraudulent building access, declining balance purchases or bursar account charges.

The takeaway

While the thought of a student being able to make purchases using someone else's account might garner shock and awe status among the general public, many in the campus card community will see it as a somewhat regular occurrence. Those that don't may be denying the reality. The heart of the issue, and the lesson here, is that too many people still believe the mag stripe card to be a secure credential.

The student's report is factual and provides a primer on the standardization of mag stripe cards as well as their natural limitations, but his findings are the very same that have seen many in the industry push for the adoption of more secure credentials.

As a starting point, the conversation surrounding the use of mag stripe on campus needs to be reopened, specifically with regards to physical access. It is simply too easy to counterfeit mag stripe cards and the risks to life safety are too great. The student in this case used a rewritten mag stripe card to make a purchase on campus, but the same process leaves physical buildings, including residence halls just as vulnerable.

When it comes to fraudulent financial transactions, the decision to upgrade from a mag stripe to a secure credential can be based on dollars alone. But when it comes to the safety of students and staff, financial cost should not be the sole consideration. In reading some of the reactions to this story, it seems that more secure credentials should be in the cards.

Subscribe to our weekly newsletter


Sheridan College onecard banner
Sep 21, 23 / ,

Interview: Sheridan College onecard manager details hugely successful mobile credential rollout

At the start of the fall term in 2022, the Sheridan College onecard office rolled out its new Mobile onecard. The Canadian institution serves 27,000 students across its three campuses in Ontario, so launching a project of this magnitude required careful planning and a well-orchestrated marketing effort to ensure success. CampusIDNews spoke with Aesha Brown, […]
University of Minnesota Twin Cities mascot
Sep 21, 23 /

Treasure hunt sends students in search of mascot’s lost campus card

At the University of Minnesota Twin Cities, the mission is to find Goldy’s U Card. On each of the institution’s three campuses, one of the mascot’s U Cards is hidden. Each undergraduate student that finds a card will receive a $100 reward. Finding the cards will not be easy. To help in the hunt, three […]
UX Tech event logo
Sep 19, 23 / ,

ColorID’s UX Tech event explores campus ID impact on user experience

We all want great user experiences for our cardholders and our system administrators, and advancements in technology are making this more possible than ever before. New credential and reader technologies are transforming the campus ID and with it the campus. The event is hosted and sponsored by UC Irvine, and will take place at the […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT.

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.