Who’s doing it and what’s being done to prevent it

By Zack Martin, Editor, Avisian Publications

Hacking can mean many things. The image it conjures for most is that of a young man in a dark room lit by nothing more than the glow of a computer monitor, trying to break into some top-secret government system or steal credit card numbers.

On college campuses hacking can mean a number of different things and threats can come from students as well as outsiders. Hackers attack university databases and systems but they also are targeting the student ID card.

Several high-profile incidents have hit close to home with the campus card community, but securing cards isn’t enough. Universities need to secure payment and IT networks as well or risk data falling into the hands of hackers.

What happened at Harvard is just about a campus card director’s worst nightmare. In July 2008 a Harvard undergraduate student was caught making fake Harvard University ID cards. Not just any cards, but duplicate cards of those belonging to the University President Drew G. Faust, Assistant Dean of the College Paul J. McLoughlin II, and Dunster House Superintendent H. Joseph O’Connor, according to the Harvard Crimson.

The student was able to replicate the magnetic stripe on the back of the card and gain access to buildings and gates across campus with only knowledge of the individual’s university ID numbers and a $200 card reader purchased on eBay. He was also able to make purchases using the individual’s Crimson Cash accounts, which are used to pay for items on and off campus.

The hack was the impetus for Harvard to launch new IDs for the students, faculty and staff in the Faculty of Arts and Science. The university rolled out iCLASS contactless smart cards from HID Global for physical access to facilities. The new card has two magnetic stripes on the back that are used for payments and other functions, according to the Harvard Crimson.

Mag stripe has its uses

At George Washington University in Washington DC, Ken Pimentel’s biggest fear is someone copying the mag stripe on the card and using it to gain access to a dorm or somewhere else they should not go. “There’s nothing wrong with mag stripe at the point of sale,” says Pimentel, director of the university’s GWorld Card Program.

He admits that they have experienced unauthorized people using accounts to pay for items on campus, but says, “someone can steal some money and we can get it back, but it’s much more dangerous when they can get into a door.”

Securing access control is Pimentel’s main concern. He would like to switch to a contactless smart card for access control but says it’s too costly in the current environment. “I’ve been telling [university officials] that we need to get away from mag stripe because it’s vulnerable,” he says.

Replicating a mag stripe can be easy with the right equipment, says Pimentel. But universities also need to be sure to secure all the back end physical access control equipment as well. The reader, door controller and wiring all need to be secured so nobody can skim numbers from the devices. George Washington University has 44,000 active cardholders and more than 475 access control readers across its campus, Pimentel says.

Protecting the wiring for physical access control system is important. “People can get access to the readers and watch the communication,” he says. George Washington runs all the wiring for the system in conduit to prevent unauthorized access.

Protecting the network and the computers

Servers also need to be secured, Pimentel says. With hundreds of devices in the field you need to be able to tell when something may be going wrong or someone may be trying to gain access to the campus card system. “You need to follow three tenets: authenticate, authorize and account,” he says.

To gain access to George Washington’s system employees have two-factor authentication using an RSA token, Pimentel says. The firewall used to protect the system has to be different than the typical ones too. “You need a next generation firewall that sees the requests, knows they don’t look right and sends notification,” he says. “You just can’t sit there and be passive.”

But the biggest security intrusion is theft, Pimentel says. Someone steals a laptop or hard drive and takes off with the information. At George Washington the entire hard drive has to be encrypted so that if it falls into the wrong hands it would be worthless.

The Carleton case

Carleton University’s card program was the victim of a hacker, sort of, says Kathleen Kelly, campus card coordinator at the Ottawa, Ontario university.

“I would use the term ‘hacked’ loosely,” says Kelly, also president and chair of the Corporate Relations Committee at the National Association of Campus Card Users. The student was able to access students’ personal information, but he didn’t break into the campus card system.

The incident occurred in the university’s computer lab where print stations are equipped with magnetic stripe readers. When a student prints a job he goes to the station, logs-in with user ID and password and swipes his ID to authorize the job to print.

The hacker did two separate things to gain the student’s personal information. He installed key logging software on computer in the lab to capture user names and passwords as they were typed. He also installed another program on the print station to record information from the magnetic stripe of the student IDs, Kelly says.

He then took these separate pieces of information and was able to match the student’s ID card information with the user name and password, Kelly says.

After collecting the student information he sent a report to university officials and the student newspaper with the names and data of the 32 students whose information he collected, Kelly says. Nothing illicit was done with the stolen student information.

From the report, university officials were able to backtrack to figure out what the students had in common and where the information had been obtained.

The student hacker sent the information to university officials under a false name, according to news reports. He was charged with mischief to data and unauthorized use of a computer. The penalties for the charges range from fines to jail time. The student voluntarily left Carleton.

Though the student did not use the information in a malicious manner, the question of what could he have done remains. The mag stripe on the campus card can be used to pay for laundry, printing and small purchases at the university, Kelly says. There is a $12 daily spend limit on the card for vending machine or unattended purchases. The card is also used for physical access to two of the residence halls. A PIN is not required for either the payment or access transactions.

If the student had created fake cards using the information, he potentially could have gained access to the secured dormitories or made purchases with the stolen accounts. The usernames and passwords obtained could potentially enable access to email accounts or campus services.

The 32 students impacted had new cards issued and had to change their user names and passwords, Kelly says. Also, because of the incident the university has locked down all print stations, preventing new software from being installed on the machines.

The university also plans to move to HID’s iCLASS contactless smart card for physical access control Kelly says.

Christopher Haley, vice president of product development at CBORD, says many campuses would like to upgrade physical access control systems, but the economy is making it difficult.

Fraud and social engineering also pose threats to campus card programs

While there may be high-tech fixes to prevent hacking, university employees also need to be prepared to battle good old fashion social engineering and face-to-face fraud, Haley says.

New York University’s card program has had some issues with individuals trying to pass bad checks, says Ann Marie Powell, director of NYU Card Services. The university has different summer programs where non-students stay on campus, use IDs and load value on to the card to pay for items around campus.

In one instance NYU caught a man who had passed bad checks at other campuses before NYU and had already registered at another New York area university when he was arrested by the New York Police Department, Powell says.

NYU was able to catch the fraudster because it had the proper procedures in place, Powell says. The university needs to make sure the check clears before the funds are placed in the campus card account for use.

Hacking and fraud can take on many different aspects on the college campus. Universities need to be prepared to do battle online as well as in the real world. Someone needs to step up and make sure universities are prepared for the myriad of threats that can threaten systems on a regular basis.

The incidents at Harvard, Carleton, and NYU are each very different in nature. This highlights the wide range of potential vulnerabilities that exist in campus card systems. The following chart lists a number of these threats though there are many other areas that require vigilance from campus card administrators.

Credential threats:

• Create duplicate, valid ID cards and use them for access or payments.
• Using campus card office’s own issuance equipment
• Using other issuance equipment
• Obtain valid ID card under a false identity

Data threats:

• Steal data from the card program’s internal systems (e.g. personal data on cardholders)
• Intercept data in transit between card system and peripheral or external systems
• Obtain access to email containing one or multiple sets or subsets of cardholder data
• Access stored credit and debit card information from revalue systems either online or offline
• Steal computer equipment that holds cardholder data

Infrastructure threats:

• Hack card readers to gain access without proper ID or obtain products without proper payment authorization
• Sniff lines to intercept data between reader and system