Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS

Student 'hacks' campus card for final project

Findings spark concern from general public amidst continued misconceptions of mag stripe

Andrew Hudson   ||   Feb 27, 2015  ||   

One Oklahoma State student used his final project in an information security class as an opportunity to raise awareness of the vulnerabilities of OSU's mag stripe card system.

OSU's student IDs are used to facilitate a number of standard functions on campus including physical access and making purchases via a campus declining balance account. Per the university's card office website, OSU's ID card features randomly assigned 16-digit ISO numbers that are encoded on the magnetic stripe and printed on the card.

The student's findings and report have generated a good bit of attention around the campus, as well as online at hacking sites and other outlets. However, the reality is that OSU, though making a couple of poor decisions, is doing nothing out of the norm with regards to mag stripe encoding and ID numbering.

The facts

The student examined the campus card numbering system, and using 100 different OSU cards as a sample, discovered that all cards started with same eight digits. Moreover, the student found that there were only three combinations used for the following two digits -- 05, 06, or 11. With this information the student calculated three million total possible card number combinations.

While the student's report was well researched, it really only highlights the fact that mag stripe cards are designed for convenience not security. The security limitations of mag stripe cards are well known, or at least should be, and reports like this should serve as a reminder rather than a shocking exposé.

Unfortunately, the university did make a mistake. As pointed out in the student's project, OSU prints on the back of each card, the URL for a web portal that reports the status of every card number. From this site, users can enter a 16-digit card number and the system informs the user if that card is valid, as well as if the cardholder is an employee or student.

At the time of the student's report, there was no limit to the number of queries that could be made at the site. The university appeared to be aware of the security risks, however, as a disclaimer on the site states that usage of the web portal is logged and tracked. While the site has since been taken down, there would seem to be no reason for open, public access to this type of resource.

The student also purchased a $300 mag stripe reader/writer and used the it to copy the data from his own campus card, modify the name and then rewrite the data onto a blank, unprinted mag stripe card. He then used this blank, unprinted card to purchase items from a store on campus.

The student created a basic script that generated all possible card number combinations. Per the student's report, the now inactive university website was able to handle between three and five queries per second, meaning all possible card number combinations could have been tested in about two days. These harvested numbers could then have been written onto blank mag stripe cards and potentially used for fraudulent building access, declining balance purchases or bursar account charges.

The takeaway

While the thought of a student being able to make purchases using someone else's account might garner shock and awe status among the general public, many in the campus card community will see it as a somewhat regular occurrence. Those that don't may be denying the reality. The heart of the issue, and the lesson here, is that too many people still believe the mag stripe card to be a secure credential.

The student's report is factual and provides a primer on the standardization of mag stripe cards as well as their natural limitations, but his findings are the very same that have seen many in the industry push for the adoption of more secure credentials.

As a starting point, the conversation surrounding the use of mag stripe on campus needs to be reopened, specifically with regards to physical access. It is simply too easy to counterfeit mag stripe cards and the risks to life safety are too great. The student in this case used a rewritten mag stripe card to make a purchase on campus, but the same process leaves physical buildings, including residence halls just as vulnerable.

When it comes to fraudulent financial transactions, the decision to upgrade from a mag stripe to a secure credential can be based on dollars alone. But when it comes to the safety of students and staff, financial cost should not be the sole consideration. In reading some of the reactions to this story, it seems that more secure credentials should be in the cards.

Related Posts

Subscribe to our weekly newsletter

RECENT ARTICLES

High school bathroom

Bathroom breaks tracked by campus ID and mobile app

At California’s Fresno High, a new app is authorizing and monitoring trips to the bathroom in an effort to increase students’ time in class and decrease gathering in halls and bathrooms. Of course, this has not gone over well with students. Raising your hand and asking the teacher if you can go to the bathroom […]
Atrium Ozzi container

Atrium clients track check-out and return of reusable containers at OZZI kiosks

The push to reduce or even eliminate single-use containers from campus dining is now easier for Atrium clients. Thanks to a seamless integration between Atrium and the OZZI reusable container program, the processes for both students and dining services is streamlined. Atrium clients have been using OZZI for years, but the two systems were independent. […]
HID report snapshot

Security industry’s top trends include mobile IDs, MFA and sustainability

The 2024 State of the Security Industry Report from HID Global studies trends and changes in the security industry. This year six major themes emerged surrounding mobile identity, multi-factor authentication, biometrics, AI, and sustainability. The research includes data from more than 2,500 individuals – partners, end users, and security/IT personnel – from around the globe. Respondents […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Join Jeff Koziol and Robert Gaulden from @AllegionUS as we explore how mobile credentials and proptech are changing on- and off-campus housing.

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.