posted 2012-10-05 23:11:30

Hunter OneCards are Vulnerable to Identity Theft

ID cards are insecure and may be forged with trivial effort

John Bolger

Deputy News Editor

A phony OneCard at the turnstiles.
The Hunter OneCard system is not secure, an Envoy investigation revealed.  Attackers can steal students' college identities with little effort – all that is required is knowledge of a student's ID number, as it appears on the face of the card.  Potential criminals can easily make forged OneCards, unabated by any security measures.  Using these forged cards, intruders may bypass the turnstiles and enter private club spaces or laboratories that victims have access to.  Thieves can also deplete a student's OneCard funds by making purchases at the college bookstore, cafeteria and vending machines or by using the printing services at the library and ICIT labs.

The problem with the OneCard is that because the student ID number is not encrypted on the card's magnetic stripe, essentially the OneCard is not equipped with any mechanism to prove it is authentic.  Anyone who has access to a student's ID number may create unauthorized copies of that student's OneCard – stealing the student's college identity.

Hunter College administrators have been notified of the problem and said that an update to the OneCard system and the turnstiles will become available in late October.  The fix will require everyone in the Hunter community to be issued a new OneCard, Chief Operating Officer Len Zinnanti said.  New hardware will also need to be installed on the turnstiles and other access control devices, he said.
Measures to protect against OneCard theft:


“It is important to use encryption whenever sensitive information is being transmitted,”  said Computer Science professor Stanley Wine, who teaches network security at Hunter.  “This is because information transmitted 'in the clear' [unencrypted] may be subject to eavesdropping.  If an ID number is intercepted, it may then be used … [in an] attack.”

Had the OneCard utilized encryption, identity theft would be much more difficult for an attacker – the attacker would need to have stolen or guessed the secret encryption key.  Depending on the strength of the key, a key can take modern computers several hundred years to reverse engineer, making this approach to encryption cracking impossible in practice.  In any good electronic security system, encryption is the very first step to thwart attacks.

Encryption was used as far back as the Roman empire to create secret messages.  An encrypted text is impossible to read unless one knows the encryption key.  Julius Cesar used the “Cesarean Cypher” to ensure that enemy combatants who intercepted secret Roman communications would be unable to read the stolen messages.

As a result of the Envoy's discovery of the vulnerability, the college regulations governing OneCard usage have been changed to prohibit “tampering, hacking, altering, duplicating, modifying or otherwise corrupting the security or functionality of your OneCard.”  Violators of the OneCard policy will have their OneCard accounts “terminated and … may be subject to disciplinary charges, civil and/or criminal prosecution.”  Previously OneCard tampering was punishable under academic dishonesty policies prohibiting the falsification of records.

In an email delivered to all members of the Hunter community Sept. 28, Zinnanti disclosed the existence of the OneCard vulnerability and directed people who witness OneCard tampering to report incidents to Public Safety. A new webpage has been set up for students and staff to submit OneCard abuse reports.

“Hunter had previously been aware of this vulnerability.  A decision was made to proceed as the benefits to students, such as making copies, printing, and purchasing tax free meals, could be done with one card,” Zinnanti said in a separate email, “something that was not available in the past. The technology to address this vulnerability will be available next month. We are informing students to be vigilant and aware of their cards.”

The equipment needed to print forged OneCards is readily available on the Internet, most orders coming with a number of blank cards to write to.  Students who have access to club spaces are especially vulnerable to the attack, as many clubs house computers, printers and scanners, network routers, cameras and other expensive equipment or intellectual property, making clubs a very lucrative target for thieves.  Laboratories also house expensive equipment and, in some cases, dangerous chemicals.

Although blank cards can easily be identified as fake OneCards, giving the perception of security in places like the bookstore, blank cards are not even necessary to pull off the attack.  One can simply overwrite an existing OneCard with the identity of another student, enabling a criminal to discreetly use illicit cards – even in places where human interaction is required.

According to Zinnanti, the new system, which becomes available Oct. 24, will use encryption, making this vulnerability obsolete.  The current OneCard program operates on the Blackboard Transaction system coupled with software from Schneider Electric.  Zinnanti said that “many other institutions use the same technology we currently have but there have not been any known instances of the system being exploited at Hunter College.”   According to Susan Konig, Hunter's new director of communications, the new system will be compatible with Blackboard Transaction.

The Envoy had been investigating the OneCard vulnerability since last semester.  Public Safety and ICIT were first notified that this vulnerability may exist on Sept. 14.  At that time, staff at ICIT told the Envoy that the cards contained a device which prevented the exploitation of the vulnerability.  Four days later the OneCard system went down for eight hours for a Blackboard Transaction system upgrade.  On Sept. 24 the Envoy again contacted Public Safety, this time providing a working OneCard forgery to demonstrate the vulnerability was real.

To demonstrate how easy it is to steal student ID numbers, last semester the Envoy held a “promotional contest.”  In a one-hour period of time on the North Building's third floor, the Envoy tabled, offering students a chance to win a “$20 cash prize.”  The only catch was that entrants had to prove they were Hunter students by showing their OneCards.  30 ID numbers were collected discreetly, roughly one every two minutes.  Criminals call this tactic “social engineering.”

“Social engineering involves tricking or manipulating people into disclosing information they shouldn't or doing things they shouldn't,” said Wine.  “There are an unlimited variety of social engineering attacks, and they can be a very effective means of circumventing computer defense mechanisms by going around them.”

The Envoy has not used any of the collected student ID numbers and has safely disposed of the list.  The contest winner was contacted via email, however she still has not come to collect her prize.

“Social engineering attacks are effective because people have a tendency to be trusting, at least until they have been trained to be aware of this type of attack,” Wine said.

Criminals are not the only concern.  Last semester, the Envoy reported that the FBI visited Hunter College to interrogate a student Occupy Wall Street activist.  Using false pretenses the FBI gained access to Public Safety's office and telephone to summon and question the student.  The Associated Press also implicated the NYPD in spying on Muslim students at CUNY.  Given that the FBI and NYPD have already used overtly brazen tactics to conduct investigations on campus, it is not far-fetched to believe that the FBI, NYPD or other intelligence apparatus would exploit the OneCard vulnerability to break into radical club offices, or other places of interest, to investigate or leave behind surveillance tools.

Besides the lack of encryption, the OneCard suffers from some other alarming security problems.

Currently, men may use their OneCards to access the women's locker room, and women may use their OneCards to access the men's locker room, the Envoy observed.  Also, when a new OneCard is issued, the old OneCard and its ID number are supposed to be decommissioned.  However, sometimes the old ID numbers remain valid unpredictably, meaning someone who found a lost card may be able to use it even if a student has replaced it.  This was observed twice by Envoy editors in September when new cards were issued.  In one case, the Envoy observed an old card which retained access to the club office and OneCard funds, however became invalid for the turnstiles.  Also, the library barcodes on the back of OneCards do not change when a student is issued a new card.