Sunday, November 28, 2010

Security Review: Notre Dame ID Cards

Your student ID card may not be as secure as you think. The magnetic strip on your ID card contains your card number (your 90 ndID number, sans the first 9 and with a two-digit number appended to the end, identifying which card you’re on – so if your ndID was 901234 and you’re on your second card, then your card number would be 0123402). The school has made an attempt to secure the magnetic strip by obscuring the card number in a string of random numbers. However, with access to just one student ID card, it is possible to identify the pattern and figure out how to extract data from the card.


As the user of a student ID card, I would want the card to be as secure as possible. In terms of confidentiality, however, it is unreasonable to assume that the ID number will be confidential, because it must be decrypted to be read by card scanners. Instead, confidentiality should be achieved through alternate means, namely a PIN. The University acknowledges that the ID number cannot be fully protected by treating it as a non-sensitive internal ID number, one that has little significance outside the organization. In terms of integrity, very light protection is provided by printing the card number on the face of the card so it can be verified against what is encoded on the magnetic strip. However, this is easily overcome by simply printing one’s own card that looks like a Notre Dame ID card with matching card numbers printed on the front and on the magnetic strip. The Notre Dame ID card system’s availability depends on whatever system the card is being used to access – this could be the Registrar’s computer system/Banner, the dorm/University locksmith systems, or another system that utilizes an ID card for access.


The primary vulnerability in the ID card system, then, is the potential for an attacker to create their own ID card by simply acquiring a student ID number through social engineering and writing it to a blank card, which they could make (if necessary) look like a legitimate ID card. While attackers could always skim the data off a card’s magnetic strip by swiping it through an illegitimate card reader that copies the data, attackers could also obtain the card data through social engineering. Because the University views the ND ID number as a non-sensitive identifier, it appears all over the place – on most Banner pages (including course schedules), and some professors use it to post grades. Thus, the primary threat here is a threat of disclosure.


Someone could then, in theory, generate their own ID cards to either gain access to dormitories or steal meal plans. An attacker would ideally target freshmen, for two reasons. First, freshmen are more likely to print out their schedules at the beginning of a semester – and this schedule has both their names and student ID numbers printed on it. Second, freshmen are more likely than any other class to be on their first ID card, making it safer to assume that their ID card number ends in 01. As you move up through the classes, there is greater variance as people move onto their second or third (or more) card. All an attacker needs to do is obtain the student’s schedule printout, which they can do through social engineering techniques or just dumpster diving. Armed with the student ID number, an attacker simply needs to strip off the leading 9, append an 01 to the end, and add the requisite number of leading and ending random digits. With a convincingly printed card, an attacker could use the card to steal the person’s meal plan. And, with the owner’s name printed on the schedule, a quick Facebook search can reveal the person’s birth date, and thus their access code into a dormitory.


This, of course, assumes that card readers simply remove the random digits and restore the leading 9 to derive the student’s ID number, from which they perform a database lookup. A more secure method of encoding an ID card would be not to use random leading and ending digits for obfuscation, but to derive these digits from other static but not too common information. For example, the random numbers could be replaced with a truncated (first 5 characters) hash of the last four digits of the person’s (freshman year) phone number. Hashing the data keeps it secure, while using the last four digits of their phone number allows for greater variance among the student body. If ZIP code or area code were to be used, for example, there would be a lot of repetition among the student body given that a lot of people come from the same (Chicagoland) areas. Finally, the freshman year phone number is used to avoid the need to issue a new ID card every time the student’s contact information changes.


This system would be more secure because when the card readers derive the student’s ID number and make their database lookup, they should also look up the student’s freshman year phone number, hash the last four digits, and truncate the hash to just its first five characters – then compare these characters to the leading digits on the ID card. If they match, then we can have greater assurance that the ID card is legitimate and not a socially engineered fake. However, the phone number can also be socially engineered (though the task of getting more information increases the “cost” of creating fake ID cards) and this solution does not eliminate the issue of skimmed/copied ID cards.
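
The reader-side check described above, sketched as an added example (not code from the original post or from the University's system). The hash function (SHA-256), the track layout (5-character tag followed by the 7-digit card number), the sample record and all function names are assumptions; `keyed_tag` goes beyond the post's proposal by using an HMAC under a secret held by the issuer and the readers, so the tag cannot be recomputed from the phone digits alone.

```python
import hashlib
import hmac

PREFIX_LEN = 5    # the post's "first 5 characters" of the hash
CARD_NO_LEN = 7   # ndID without its leading 9 (5 digits) + 2-digit card sequence

# Constructed record standing in for the reader's database lookup (not real data).
STUDENTS = {"901234": {"frosh_phone": "5745550142"}}


def plain_tag(phone):
    """Tag as proposed in the post: truncated, unkeyed hash of the last 4 digits."""
    return hashlib.sha256(phone[-4:].encode()).hexdigest()[:PREFIX_LEN]


def keyed_tag(phone, card_no, key):
    """Assumed hardening: HMAC under an issuer/reader secret, bound to the card number."""
    msg = f"{card_no}:{phone[-4:]}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:PREFIX_LEN]


def encode_track(ndid, seq, tag):
    """Assumed layout: tag followed by the card number (901234, card 2 -> 0123402)."""
    return tag + ndid[1:] + f"{seq:02d}"


def verify_track(track, key=None):
    """Return the ndID when the tag on the track matches the database, else None."""
    if len(track) != PREFIX_LEN + CARD_NO_LEN:
        return None
    tag, card_no = track[:PREFIX_LEN], track[PREFIX_LEN:]
    if not (card_no.isascii() and card_no.isdigit()):
        return None
    ndid = "9" + card_no[:-2]          # restore the leading 9, drop the card sequence
    record = STUDENTS.get(ndid)
    if record is None:
        return None
    phone = record["frosh_phone"]
    expected = keyed_tag(phone, card_no, key) if key else plain_tag(phone)
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return ndid if ok else None


if __name__ == "__main__":
    phone = STUDENTS["901234"]["frosh_phone"]
    card = encode_track("901234", 2, plain_tag(phone))
    print(card[PREFIX_LEN:], verify_track(card))   # card number and looked-up ndID
```

As the post notes, neither tag stops a skimmed or copied card, since the copy carries a valid tag.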

6 comments:

  1. I found this security review to be extremely interesting because my student ID is something that I have used every day for my entire time at Notre Dame without thinking twice. Upon reflection, it really would be extremely simple to gain access to the coding on the card and then steal entry into dorms or a meal plan. I do believe that the university needs to acknowledge the potential threat of theft because we pay large sums of money to live and eat here securely.

  2. I never thought about the security of my ID card before because I always assumed that the numbers on the card were protected. This concerns me greatly and I agree that the University should hash the last four digits. Hashing the last four digits would certainly be an upgrade from the current procedures taken by the University to protect this information. I researched the University policies for protecting student ID cards. The University explains that the best way to protect this information on the card is to keep it on you at all times. It is worrying that the best way to protect the information is by not losing it. Also, the Student ID card policy does not mention any security measures, such as encryption or hashing, that are taken to protect the magnetic strip. I found this interesting and hopefully the University will use a more secure method to protect student IDs.

  3. I have lost my ID card a multitude of times, and have never really given any thought to the dangers this can present. I do realize that gaining the card number and being able to create a new card can give anyone access to the dorms, meal plans, or, if you have certain access as many students do for on-campus jobs, even access to different buildings. However, I also believe many people do not need to have a card on them to gain access to any of these places. Notre Dame students often live in a bubble thinking that we are safe. If you stand at a dorm long enough, anyone will eventually let you in assuming you're supposed to be there. If you sweet talk the card swipers they also let you in, for free. There are many ideas surrounding ND that have given us a false sense of true security. Though yes I believe ND needs to look at better protection technically speaking with ID cards and encryption standards, I also believe students need to recheck their own personal security standpoints at the same time.

  4. I, like the others who have commented on this security review, never gave my id a second thought. I never really saw it as an item that could be stolen or compromised.

    Although the original author makes some great points about the weaknesses in the card system, I think that Notre Dame has done a pretty good job. There is no real serious data (social security number, address, etc) associated with your card. The only two things that it can be used for are meal plans and access to dorms.

    As kflynn5 noted, access to dorms would be fairly easy because it seems like most students let anyone in anyways. And the meal plan - you are not allowed to use two meals in the same period. If somebody used one of my meals and I tried to go eat, they would notify me that I already got my meal and deny me. At that time I would realize that my card had been compromised and I think the school would be able to issue me a new one.

    Overall I think that kflynn brings up the best point. Notre Dame students need to be more cautious on campus although it is overall a safe place.

  5. The new id card printing machines have the ability of printing and keep maintaining the ID cards more secure from the present cards.
