Card, mobile credential, payment and security
Findings spark concern from general public amidst continued misconceptions of mag stripe
One Oklahoma State student used his final project in an information security class as an opportunity to raise awareness of the vulnerabilities of OSU's mag stripe card system.
OSU's student IDs are used to facilitate a number of standard functions on campus including physical access and making purchases via a campus declining balance account. Per the university's card office website, OSU's ID card features randomly assigned 16-digit ISO numbers that are encoded on the magnetic stripe and printed on the card.
The student's findings and report have generated a good bit of attention around the campus, as well as online at hacking sites and other outlets. However, the reality is that OSU, though making a couple of poor decisions, is doing nothing out of the norm with regards to mag stripe encoding and ID numbering.
The student examined the campus card numbering system, and using 100 different OSU cards as a sample, discovered that all cards started with same eight digits. Moreover, the student found that there were only three combinations used for the following two digits -- 05, 06, or 11. With this information the student calculated three million total possible card number combinations.
While the student's report was well researched, it really only highlights the fact that mag stripe cards are designed for convenience not security. The security limitations of mag stripe cards are well known, or at least should be, and reports like this should serve as a reminder rather than a shocking exposé.
Unfortunately, the university did make a mistake. As pointed out in the student's project, OSU prints on the back of each card, the URL for a web portal that reports the status of every card number. From this site, users can enter a 16-digit card number and the system informs the user if that card is valid, as well as if the cardholder is an employee or student.
At the time of the student's report, there was no limit to the number of queries that could be made at the site. The university appeared to be aware of the security risks, however, as a disclaimer on the site states that usage of the web portal is logged and tracked. While the site has since been taken down, there would seem to be no reason for open, public access to this type of resource.
The student also purchased a $300 mag stripe reader/writer and used the it to copy the data from his own campus card, modify the name and then rewrite the data onto a blank, unprinted mag stripe card. He then used this blank, unprinted card to purchase items from a store on campus.
The student created a basic script that generated all possible card number combinations. Per the student's report, the now inactive university website was able to handle between three and five queries per second, meaning all possible card number combinations could have been tested in about two days. These harvested numbers could then have been written onto blank mag stripe cards and potentially used for fraudulent building access, declining balance purchases or bursar account charges.
While the thought of a student being able to make purchases using someone else's account might garner shock and awe status among the general public, many in the campus card community will see it as a somewhat regular occurrence. Those that don't may be denying the reality. The heart of the issue, and the lesson here, is that too many people still believe the mag stripe card to be a secure credential.
The student's report is factual and provides a primer on the standardization of mag stripe cards as well as their natural limitations, but his findings are the very same that have seen many in the industry push for the adoption of more secure credentials.
As a starting point, the conversation surrounding the use of mag stripe on campus needs to be reopened, specifically with regards to physical access. It is simply too easy to counterfeit mag stripe cards and the risks to life safety are too great. The student in this case used a rewritten mag stripe card to make a purchase on campus, but the same process leaves physical buildings, including residence halls just as vulnerable.
When it comes to fraudulent financial transactions, the decision to upgrade from a mag stripe to a secure credential can be based on dollars alone. But when it comes to the safety of students and staff, financial cost should not be the sole consideration. In reading some of the reactions to this story, it seems that more secure credentials should be in the cards.
