Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS

Student 'hacks' campus card for final project

Findings spark concern from general public amidst continued misconceptions of mag stripe

Andrew Hudson   ||   Feb 27, 2015  ||   

One Oklahoma State student used his final project in an information security class as an opportunity to raise awareness of the vulnerabilities of OSU's mag stripe card system.

OSU's student IDs are used to facilitate a number of standard functions on campus including physical access and making purchases via a campus declining balance account. Per the university's card office website, OSU's ID card features randomly assigned 16-digit ISO numbers that are encoded on the magnetic stripe and printed on the card.

The student's findings and report have generated a good bit of attention around the campus, as well as online at hacking sites and other outlets. However, the reality is that OSU, though making a couple of poor decisions, is doing nothing out of the norm with regards to mag stripe encoding and ID numbering.

The facts

The student examined the campus card numbering system, and using 100 different OSU cards as a sample, discovered that all cards started with same eight digits. Moreover, the student found that there were only three combinations used for the following two digits -- 05, 06, or 11. With this information the student calculated three million total possible card number combinations.

While the student's report was well researched, it really only highlights the fact that mag stripe cards are designed for convenience not security. The security limitations of mag stripe cards are well known, or at least should be, and reports like this should serve as a reminder rather than a shocking exposé.

Unfortunately, the university did make a mistake. As pointed out in the student's project, OSU prints on the back of each card, the URL for a web portal that reports the status of every card number. From this site, users can enter a 16-digit card number and the system informs the user if that card is valid, as well as if the cardholder is an employee or student.

At the time of the student's report, there was no limit to the number of queries that could be made at the site. The university appeared to be aware of the security risks, however, as a disclaimer on the site states that usage of the web portal is logged and tracked. While the site has since been taken down, there would seem to be no reason for open, public access to this type of resource.

The student also purchased a $300 mag stripe reader/writer and used the it to copy the data from his own campus card, modify the name and then rewrite the data onto a blank, unprinted mag stripe card. He then used this blank, unprinted card to purchase items from a store on campus.

The student created a basic script that generated all possible card number combinations. Per the student's report, the now inactive university website was able to handle between three and five queries per second, meaning all possible card number combinations could have been tested in about two days. These harvested numbers could then have been written onto blank mag stripe cards and potentially used for fraudulent building access, declining balance purchases or bursar account charges.

The takeaway

While the thought of a student being able to make purchases using someone else's account might garner shock and awe status among the general public, many in the campus card community will see it as a somewhat regular occurrence. Those that don't may be denying the reality. The heart of the issue, and the lesson here, is that too many people still believe the mag stripe card to be a secure credential.

The student's report is factual and provides a primer on the standardization of mag stripe cards as well as their natural limitations, but his findings are the very same that have seen many in the industry push for the adoption of more secure credentials.

As a starting point, the conversation surrounding the use of mag stripe on campus needs to be reopened, specifically with regards to physical access. It is simply too easy to counterfeit mag stripe cards and the risks to life safety are too great. The student in this case used a rewritten mag stripe card to make a purchase on campus, but the same process leaves physical buildings, including residence halls just as vulnerable.

When it comes to fraudulent financial transactions, the decision to upgrade from a mag stripe to a secure credential can be based on dollars alone. But when it comes to the safety of students and staff, financial cost should not be the sole consideration. In reading some of the reactions to this story, it seems that more secure credentials should be in the cards.

Subscribe to our weekly newsletter

RECENT POSTS

Feb 03, 23 /

Brown campus mailroom adds visual queue

Brown University has added a new visual queue in its campus mailroom that displays the order in which students will be called to pick up their packages. The system is underpinned by the student ID card and a kiosk system in the mailroom.
Feb 02, 23 / ,

East Carolina adds robot delivery with Grubhub, Starship

East Carolina University has joined the growing list of institutions to deploy robot delivery, partnering with Grubhub and Starship Technologies to provide the service. All students, faculty and staff at East Carolina University are able to leverage robot delivery from main campus dining locations.

LEAF on campus: An open standard for access control and identity management

ELATEC's Sean Houchin discusses a solution for campuses seeking an open alternative to traditional access control platforms: LEAF. LEAF is an open, interoperable platform that allows credential holders to use their LEAF ID card, key fob or smartphone to unlock access to various campus applications through any LEAF-enabled reader.
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT. https://go.touchnet.com/l/652093/2022-05-18/lsndq

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at https://register.gotowebinar.com/register/7821245544009488910?source=campus-id

As supply chain issues in 2021 persist, identity solutions provider @ColorID discusses ways campuses can to overcome potentially troublesome delays until the situation eases.

https://www.cr80news.com/news-item/protecting-your-campus-card-program-from-supply-chain-issues/

A dining services push at the @UBuffalo is reinforcing the utility of self-service checkout. @CBORD is improving the food service experience using the GET app, as well as Nextep kiosks and Oracle’s Micros Simphony POS.

https://www.cr80news.com/news-item/kiosks-self-service-tech-streamline-campus-food-service-u-buffalo/

Did you miss our recent webinar? No worries - watch it on-demand. Leaders from @NAU and the @UAlberta joined Ryan Audus, Touchnet, and Andrew Hudson, @CR80News, to discuss innovative mobile services and the future of mobile tech in higher ed. Watch now: https://bit.ly/31RFyLn

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.