University ID system leaves students vulnerable
Two-month-long project highlights student cards' weaknesses, ease of forgery
The University security system that relies heavily on ID cards, used for everything from library printers to residential halls, may in fact rest more on the community of trust than on technological safeguards, according to a series of student projects for a class taught by Computer Science Asst. Prof. Abhi Shelat last fall.
Although the University ID Card Office reports instances of fraud are negligible, the potential for massive cases of trespassing and theft is enormous, said fourth-year Engineering student Matthew Hurtz, who worked in one of the groups that looked into the security issues.
“A lot of this issue comes into play with the fact that you can create a card without having the original card,” Hurtz said. He said that any card — be that a school ID card or major credit card — could be copied if the forger has access to the original, as a card reader can simply read and copy the code on the magnetic stripe. But when the encoding on an ID is predictable, creation of a duplicate does not require the forger to have the original physical copy. The student projects found that though encoded information on cards is unique for each student, differences are largely predictable. The key distinction encoded on each ID is directly related to the student’s ID number, which is printed on the front of IDs and available on databases open to the entire residential advisor staff, Hurtz said.
During the two-month-long project, Hurtz and fellow group members fourth-year College student Jonathan DiLorenzo and fourth-year Engineering student Christopher Jones created a handful of fake student and faculty IDs — which were promptly erased once their effectiveness was verified.
The project demonstrated, Hurtz said, that someone could fairly easily create a fake ID and gain access to residence halls, meal plans, Cav Advantage accounts, and the like. “This takes an afternoon of reading and a couple hundred bucks,” he said.
The Office of Business Operations oversees the card-swipe system, which has been in place in some form since the 1970s. Gary Conley, the facilities and systems engineer who manages the physical aspect of the ID system, said though the University is aware of the relatively simplistic encoding of the ID cards, a more complex level of security is unnecessary.
“That’s not to say we’re not considering [increased ID security] and we’re not talking about it,” he said. “It just has not yet come to fruition.”
Potential solutions range from the extreme to the mundane, but there are outstanding questions about implementation.
“Given the technology that we use, we’ve taken all the steps that we can to mitigate any risk,” Conley said. “That’s not to say there’s not a higher level that we could go to, but there are significant costs involved with going to that next level.”
The student ID system includes upward of 30,000 cards and more than 2,500 readers across Grounds, meaning a complete revamping of the system would involve a large investment by the University.
Conley said, however, the card system is not a critical threat to students’ security, and that if it appeared to be an issue the University would take action.
More financially cautious changes were proposed by the student leaders of the investigation, including replacing the encoded student ID with a random number and linking that number with a student ID in a firewall-protected server.
“It is not immediately clear to me why they would store our student IDs on the card at all,” DiLorenzo said. He added that switching the ID number with a random number would not require costly software or hardware, but merely a database update.
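As an added illustration of the proposal above (not code from the students' project or the University's system), the sketch below gives each card an unpredictable random number and keeps the link to the student ID only in a server-side table. The `CardRegistry` class, the 20-digit token length and the SQLite table layout are assumptions made for the example.

```python
import secrets
import sqlite3

TOKEN_DIGITS = 20  # assumed length; digits only so it fits a numeric stripe track


class CardRegistry:
    """Hypothetical server-side table linking random card numbers to student IDs."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS cards ("
            "token TEXT PRIMARY KEY, student_id TEXT NOT NULL, "
            "active INTEGER NOT NULL DEFAULT 1)"
        )

    def issue(self, student_id):
        """Revoke the student's earlier cards and return a fresh number to encode."""
        while True:
            # CSPRNG output: nothing about the token is derived from the student ID.
            token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
            try:
                with self.db:  # one transaction: revoke old card, insert new
                    self.db.execute(
                        "UPDATE cards SET active = 0 WHERE student_id = ?",
                        (student_id,),
                    )
                    self.db.execute(
                        "INSERT INTO cards (token, student_id) VALUES (?, ?)",
                        (token, student_id),
                    )
                return token
            except sqlite3.IntegrityError:
                continue  # token already in use (vanishingly rare): draw again

    def resolve(self, swiped):
        """Map a swiped value to a student ID, or None if unknown or revoked."""
        row = self.db.execute(
            "SELECT student_id FROM cards WHERE token = ? AND active = 1",
            (swiped,),
        ).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    registry = CardRegistry()
    card = registry.issue("000123456")      # constructed student ID
    print(registry.resolve(card))            # the student ID
    print(registry.resolve("000123456"))     # None: the printed ID is not a credential
```

A copy made from the physical card still resolves until the card is reissued, which is why `issue` revokes the earlier number.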
It may be, however, that the best protection is a lack of awareness of the ID system’s shortcomings.
“It’s really a security by obscurity kind of system,” DiLorenzo said. “If people don’t know about it then they won’t do it. Most people don’t think to investigate this kind of thing, otherwise they would figure it out.”
Though the technological capabilities required to uncover and exploit this loophole may not prevent a motivated attacker, Hurtz said, they certainly discourage a widespread outbreak of fraud.
“[Creating false student ID cards is] not the easiest attack — it’s easy, but not the easiest,” he said. “If you’re looking for easy cash, go to a dining hall and steal a book bag with a $1000 computer in it [instead].”