Last week, a group of fourth-year students revealed the lesson they learned from a two-month project they undertook for one of their classes. They discovered that our student ID cards are not that hard to replicate. Several of the students involved in the project advocated a change in the system in order to make students’ ID cards more secure, but such suggestions are unlikely to be implemented, as the Office of Business Operations — which heads the ID card system — does not see fraud as a serious threat. While this stance is not entirely illogical, and there are several reasons why student IDs are unlikely to be exploited, the ease with which IDs can be replicated ultimately demands a change in the current system.
On the one hand, you have the Office of Business Operations, which would, to its credit, take action if things took a turn for the worse. Possible improvements to the ID system are on the table, but any serious overhaul would be too costly to justify considering the threat’s relatively benign nature. Then there are the cards themselves, which — unless you had access to a list of individual ID numbers — would have to fall into the hands of a copier for him or her to procure a card number. And a fake card would not be convincing without a good deal of work, leaving the likelihood of fraud — with meal swipes, Plus Dollars and Cav Advantage — fairly low.
On the other hand, a number of weaknesses in the ID card system require attention. The recent study called official attention to the exploitable aspects of the ID system, which could lead to the system’s improvement. At the same time, the study’s release undermined the system it critiqued by making its weaknesses more evident and thus more vulnerable. One of the students of the study rightly referred to the current system as “security by obscurity.” Now, some of that obscurity is gone.
Possibility of fraud is admittedly low — no one at O-Hill is going to successfully swipe in with cheap knockoffs or floppy index cards. But if the strip is programmed correctly on a fake card, the doors around Grounds would not know the difference. Old dorms on McCormick and new dorms like Watson-Webb and Kellogg are just some of the places that could be vulnerable to entry via fake ID card. One can only imagine the danger such vulnerability creates.
In addition, one should consider the simplicity with which IDs can be faked. It is not merely experienced students in computer science classes who devote two months to the task that can pull this off. Several first-year Engineering students conducted a similar study before the higher-publicity study was released, first overwriting their own cards with a volunteer’s information, then making a brand new card from scratch using only an index card and some cassette tape. The actual project took less than two hours to complete. It cost $250, which was even more expensive than necessary, as a cheaper card reader would have done just as well as the one they bought.
In light of the simplicity of this process, University officials should take steps to strengthen the security of the student ID card system. A rather simple solution was suggested by one of the fourth years from the study that drew attention to the issue: merely replace the current number stored in the magnetic strip — which is now the same as the student’s ID number — with a random number.
There are plenty of avenues for mischief at college, and I am not saying every student is capable of walking around with a faux ID card. Yet the problem is out there now, and the ease with which the system can be exploited should act as a call to action. These enterprising students have called to our attention a weakness that was previously not well-known, and they have also suggested inexpensive remedies that would fortify the system — remedies the University should not ignore.
Sam Novack’s column appears Tuesdays in The Cavalier Daily. He can be reached at email@example.com.