
Well I'll be honest, didn't expect this post to make it up HN. Happy to answer questions or field comments.



I'm kind of curious - since this was for a class it was kind of allowed, but were there any fine lines that you weren't allowed to cross when doing research for the exploit? I assume as long as you didn't hurt the university's reputation (such as getting bad press) or cause massive amounts of monetary damage you would probably not get into trouble.


We had pretty strict guidelines to follow to be a part of the InfoSec class. We basically signed a waiver at the beginning saying that if we did exploit something, we would be subject to expulsion. It was a "theory" based class and all actual research had to be done within a certain IP range in a particular computer lab.

With that said, this was the final report that I made in the Winter of 2013. I presented it Spring 2014 to the University staff. And now, graduated, with over a full 12 months behind it, I felt comfortable to post it.


They were not upset you made a "blank" ID card and tried to borrow a Surface Pro with it then use it at a cafe?

I personally think you might have crossed the line on actually using it.


@greyc

Even though I made a blank card, it was still encoded with my student ID number. That was the only reason it was allowed. The point of trying it was to prove that the name or discretionary data did not affect the card working.

While I definitely toed the line, I tried to be careful not to break any of the rules of the class.


These folks found a gaping security hole that can be exploited to gain physical access to secured areas as well as charge fraudulent financial transactions. I can't imagine the university getting upset with checking out a library book.


You would be astonished at how crazy people can get. Honestly, the author of this study took a huge risk and got lucky. If you're thinking of doing anything like this in similar circumstances, DON'T carry out similar actions without first obtaining written permission for each specific action.


In your judgement how common do you feel this exploit would be across other university IDs in the country, or just IDs in general? Did your research uncover any data in that regard one way or the other?

I'm just remembering my ID card...and my sister's...and my brother's. We used those for literally everything.


While my research was specific to OSU, I do know that this is a larger issue than just my alma mater. I collected student IDs from other colleges, but did not publish them as I didn't want to get into hot water.

The thing is though, a lot of these magstripe systems have problems. We brought up in the presentation that Walmart at the time was having a large problem with people encoding stolen credit card data onto gift cards. Cashiers at the time did not check driver licenses when paying with a gift card.
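Both of the points above, a card that still works with the student ID intact but the name and discretionary data blanked, and payment-card track data re-encoded onto gift-card plastic, come down to what a reader actually compares. The following is an added illustration written for this thread, not code from the original report or from OSU's systems. It assumes the ID is stored in the primary-account-number position of a standard ISO/IEC 7813 Track 1 or Track 2 layout; the sample tracks, the student "database", the `ISSUER_KEY` and the MAC-in-discretionary-field scheme are all constructed for the example.

```python
"""ISO/IEC 7813 magstripe track parsing, contrasting a lookup keyed only on the
ID field with one that binds name and expiry to the ID via a keyed MAC.
Added illustration; card layout, database and key are constructed assumptions."""
import hashlib
import hmac
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


def parse_track(raw):
    """Return the named fields of a Track 1 or Track 2 string, or None if malformed."""
    for regex in (TRACK1_RE, TRACK2_RE):
        m = regex.match(raw)
        if m:
            fields = m.groupdict()
            fields.setdefault("name", None)  # Track 2 carries no name field
            return fields
    return None


# Constructed sample issuer database: student ID -> record
STUDENT_DB = {"200123456": {"name": "DOE/JANE", "balance": 25.00}}


def naive_lookup(raw):
    """A reader that keys only on the ID field: name and discretionary data are
    parsed but never compared, so a 'blank' card with the right ID is accepted."""
    t = parse_track(raw)
    return STUDENT_DB.get(t["pan"]) if t else None


ISSUER_KEY = b"constructed-demo-key"  # assumption: per-issuer secret never written to the card


def bind_tag(pan, name, exp, key=ISSUER_KEY):
    """Keyed MAC over the fields the reader should trust, truncated to fit the
    discretionary field (Track 1 allows alphanumerics, so hex is acceptable)."""
    msg = f"{pan}^{name}^{exp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16].upper()


def issue_card(pan, name, exp, svc="000", key=ISSUER_KEY):
    """Encode a Track 1 string whose discretionary field carries the binding tag."""
    return f"%B{pan}^{name}^{exp}{svc}{bind_tag(pan, name, exp, key)}?"


def bound_lookup(raw, key=ISSUER_KEY):
    """A reader that rejects any track whose name/expiry do not match the MAC,
    so re-encoding the ID with a different name or a blank tag fails."""
    t = parse_track(raw)
    if not t or t.get("name") is None:
        return None
    expected = bind_tag(t["pan"], t["name"], t["exp"], key)
    if not hmac.compare_digest(expected, t["disc"]):
        return None
    return STUDENT_DB.get(t["pan"])


def luhn_ok(pan):
    """Luhn check digit used by payment card numbers. A terminal that reads a
    re-encoded credit card track off gift-card plastic sees a valid PAN; nothing
    in the track itself says what the plastic looks like."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    original = "%B200123456^DOE/JANE^24120001234567?"   # constructed
    blank = "%B200123456^X/X^00000000000000?"           # same ID, name/disc blanked
    print("naive:", naive_lookup(original), naive_lookup(blank))
    card = issue_card("200123456", "DOE/JANE", "2412")
    print("bound:", bound_lookup(card), bound_lookup(blank))
    print("luhn:", luhn_ok("4111111111111111"))  # well-known test PAN
```

With `naive_lookup` the original and the blanked card both resolve to the same record, which is the behaviour the thread describes; with `bound_lookup` only the issuer-encoded card does, and the blank card or a card with a swapped name is rejected, at the cost of reissuing every card with the tag, which is exactly the overhead that makes such fixes unattractive in practice.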


> people encoding stolen credit card data onto gift cards. Cashiers at the time did not check driver licenses when paying with a gift card

That is top-quality social engineering.


Very interesting. I attended OSU. I bet most universities have similar kinds of security holes. They probably use the fact that not too many people can exploit those technical security flaws as the single line of defense.


Glad to see another Poke! I agree, you have to be fairly clever to get this far. With that said, the barrier to entry is decreasing every day with things like Coin and LoopPay.


I wonder if FERPA and PCI DSS apply here. We know they are vulnerable regarding student information; with the extra functionality as a payment card, it is getting kind of scary.


It was well written and had simple-to-follow examples. Plus it was interesting to see such a blatant security hole... Any follow-up from the university on it?


I appreciate it. The University definitely took it seriously at the time (the project became a neat recruiting story for the InfoSec class); however, outside of taking down the website to check for ID validity, I do not believe there was any other recourse. There was such a high overhead to change systems and reissue the IDs (some professors have decade-old IDs) that I think it was viewed as "not worth fixing."


No questions, but fantastic post.



