Last week a Bradley ID card was mistakenly issued to a 60-year-old non-student. He asked the Controller’s Office for one, which he received because he happened to have the same name as an incoming freshman. The incident has since raised questions about the policies of card issuance as well as the security of Bradley ID cards themselves.
An undergraduate student recently discovered and described to The Scout, on the condition of anonymity, a way to access the information on Bradley QuickCards without ever touching the IDs by using student ID numbers.
“In 30 minutes of reading online, I came to the conclusion: cloning magnetic cards would be possible,” the student said. “I had cloned [versions of] cards working within minutes of [trying].”
While the student said they pursued the experiment because they wanted easy access into a friend’s apartment building, this security vulnerability could result in fraudulent use of QuickCard money as well as improper access to dorms, campus buildings and university equipment.
However, there is not yet any indication that such crimes have occurred.
Describing the vulnerability
This security vulnerability is caused by the type of encryption on the magnetic (mag) stripe on the ID cards.
“It’s a known fact you can copy that magnetic stripe technology,” David Scuffham, director of Systems Integration and Security, said. “It’s globally known.”
According to Scuffham, many universities and companies have been implementing FeliCa, which is a SONY system using encrypted chip technology, because of the security issue with the mag stripe.
“FeliCa [chips are] very secure,” Mona Hutchison, systems manager for the Controller’s Office, said. “It’s the most secure technology out there for chip technology, [and] it is a convenience, and I think most students appreciate that.”
Mag stripes require ID holders to swipe at all of the 300 card readers around campus, while FeliCa chips only require a tap on the machines.
Bradley ID cards have had FeliCa chips since 2012, but the cards also still include mag stripes.
“The tap feature can break,” Hutchison said. “The antenna that goes around the outside of the card, if you flex the card, it can break that antenna, which you lose your tap feature when you do that … [This happens] not too often.”
Since both the FeliCa and mag stripe are included on the cards, students, faculty and staff can choose to either swipe or tap their IDs at nearly all card readers around campus.
The vulnerability elsewhere
Sam Snelling, a former student of Oklahoma State University (OSU), studied his school’s ID card system for a project in an information security class. The assignment was to find a real-world vulnerability and come up with a hypothetical plan to exploit it.
“The ID cards were originally intended just to act as identification,” Snelling said. “Over time, they kept just adding use cases … The ID cards were never designed to be secure.”
Snelling gave a class presentation about the mag stripe vulnerability, which is similar to Bradley’s. He then met with the dean of the Spears School of Business at OSU and a representative from the IT Department.
“After this meeting, the website that allowed student ID card numbers to be looked up was immediately taken down,” Snelling said. “They said they didn’t see a large risk of this being exploited … I think we all knew that the university wouldn’t treat this as a top priority vulnerability, as it would just cost too much money to go back and figure things out.”
Snelling published his report on his blog after he graduated, and he said he received hundreds of thousands of pageviews.
“From what I have been told, university officials are not happy that I published it; cashiers now have strict policies to check the picture on the front of your ID card, no changes to physical systems [and] they did not force a re-issue of ID cards,” Snelling said.
The most interesting part of the project was finding out how common this issue is, according to Snelling.
“Students from dozens of universities have reached out to me at this point,” he said.
Looking to the future
Hutchison said the Controller’s Office is looking at options for switching completely to the FeliCa chip technology.
“We are forward-thinking; we are looking ahead,” Hutchison said. “We do know about the issues with the mag stripe. We have for a while.”
Chief of Bradley University Police Department Brien Joschko said the mag stripe on the ID cards will eventually be deactivated.
“[The FeliCa chip] is going to be substantially more difficult to copy,” Joschko said. “We will deactivate the mag stripes once our readers are replaced.”
Hutchison also said the physical appearance of the cards will be changed with security in mind.
“[With the change], they would actually need to have the physical card to make a copy,” Hutchison said.
However, University Spokesperson Renee Charles said some responsibility falls on the ID card holder.
“That can’t be taken care of systematically,” Charles said. “That falls upon the person to not put their number out there to the public.”