Campus ID News
Card, mobile credential, payment and security

Student 'hacks' campus card for final project

Findings spark concern from general public amidst continued misconceptions of mag stripe

Andrew Hudson   ||   Feb 27, 2015  ||   

One Oklahoma State student used his final project in an information security class as an opportunity to raise awareness of the vulnerabilities of OSU's mag stripe card system.

OSU's student IDs are used to facilitate a number of standard functions on campus including physical access and making purchases via a campus declining balance account. Per the university's card office website, OSU's ID card features randomly assigned 16-digit ISO numbers that are encoded on the magnetic stripe and printed on the card.

The student's findings and report have generated a good bit of attention around the campus, as well as online at hacking sites and other outlets. However, the reality is that OSU, though making a couple of poor decisions, is doing nothing out of the norm with regards to mag stripe encoding and ID numbering.

The facts

The student examined the campus card numbering system, and using 100 different OSU cards as a sample, discovered that all cards started with same eight digits. Moreover, the student found that there were only three combinations used for the following two digits -- 05, 06, or 11. With this information the student calculated three million total possible card number combinations.

While the student's report was well researched, it really only highlights the fact that mag stripe cards are designed for convenience not security. The security limitations of mag stripe cards are well known, or at least should be, and reports like this should serve as a reminder rather than a shocking exposé.

Unfortunately, the university did make a mistake. As pointed out in the student's project, OSU prints on the back of each card, the URL for a web portal that reports the status of every card number. From this site, users can enter a 16-digit card number and the system informs the user if that card is valid, as well as if the cardholder is an employee or student.

At the time of the student's report, there was no limit to the number of queries that could be made at the site. The university appeared to be aware of the security risks, however, as a disclaimer on the site states that usage of the web portal is logged and tracked. While the site has since been taken down, there would seem to be no reason for open, public access to this type of resource.

The student also purchased a $300 mag stripe reader/writer and used the it to copy the data from his own campus card, modify the name and then rewrite the data onto a blank, unprinted mag stripe card. He then used this blank, unprinted card to purchase items from a store on campus.

The student created a basic script that generated all possible card number combinations. Per the student's report, the now inactive university website was able to handle between three and five queries per second, meaning all possible card number combinations could have been tested in about two days. These harvested numbers could then have been written onto blank mag stripe cards and potentially used for fraudulent building access, declining balance purchases or bursar account charges.

The takeaway

While the thought of a student being able to make purchases using someone else's account might garner shock and awe status among the general public, many in the campus card community will see it as a somewhat regular occurrence. Those that don't may be denying the reality. The heart of the issue, and the lesson here, is that too many people still believe the mag stripe card to be a secure credential.

The student's report is factual and provides a primer on the standardization of mag stripe cards as well as their natural limitations, but his findings are the very same that have seen many in the industry push for the adoption of more secure credentials.

As a starting point, the conversation surrounding the use of mag stripe on campus needs to be reopened, specifically with regards to physical access. It is simply too easy to counterfeit mag stripe cards and the risks to life safety are too great. The student in this case used a rewritten mag stripe card to make a purchase on campus, but the same process leaves physical buildings, including residence halls just as vulnerable.

When it comes to fraudulent financial transactions, the decision to upgrade from a mag stripe to a secure credential can be based on dollars alone. But when it comes to the safety of students and staff, financial cost should not be the sole consideration. In reading some of the reactions to this story, it seems that more secure credentials should be in the cards.

Related Posts

Subscribe to our weekly newsletter


Photo ID camera webinar
Jul 18, 24 /

How do I select the right camera for my campus card office?

When it comes to getting a photo onto a campus card, a lot has changed in recent years. In many offices, high-end SLR and video cameras have been replaced by web cams or other technologies. There are many options, so how do you decide what is right for your environment. In a recent episode of […]
HID Access Control Survey

Access control survey shows continuing rise in biometrics, mobile, AI

HID’s 2024 State of Physical Access Control Report showcases significant market changes since the last report was issued two years ago. In partnership with IFSEC Insider, HID conducted their study from November 2023 until January 2024, distributing the survey to users through email, media outlets, social media, and internal teams. In all, more than 1,200 […]
Hiring student workers
Jul 17, 24 /

Tips for hiring student workers for your campus card office

Many campus card offices rely on students to supplement their full-time staff, but interviewing and hiring student workers can be challenging. Many have little or no prior work experience, and the current generation of young people have different drivers than prior generations. So how can you best approach the process in your office? Alicia Todaro, […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself.

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.