Hacking Oklahoma State University's Student ID (opens in new tab)

Well I'll be honest, didn't expect this post to make it up HN. Happy to answer questions or field comments.

I went to a University in Virginia and ours, and other surrounding VA universities were equally insecure.

We each had a 9 digit code that looked like 10XXXXXXX. These numbers were incremented from one student or faculty to the next.

The only track that mattered was track 2. It had your 9 digit code, followed by a the school code (3 digits), followed by a "lost card digit" that was incremented each time a card was lost (obviously mod 10 here).

So if my ID was 100000001, I went to school 002, had lost my card two times, my current card's Track 2 would say: 1000000010022

Needless to say there are tons of things that can be done here. From getting access to rooms does not, to getting free lunches.

Pretty interesting things. I told my school and they didn't really care at all (as expected). The potential loss from this is so low that it they didn't bother since abusing these issues would get you arrested and expelled pretty quick.

In reality, it is probably pretty serious. This student id is used somewhat as a School social security number. You can take tests as other students or impersonate other students in a lot of different situations.

Nice write up. Just curious, how many of us are still in or near Stillwater (even in OK)?

Universities which use the popular and inexpensive Onity (nee TESA) lock systems, despite their overall problems, gain a bit of security from this problem in that the track used by the locks is written at a nonstandard high bitrate that throws off inexpensive reader/writers. This actually helps prevent duplication, although it's only a measure against people without the resources to obtain the Onity equipment.

Outside of physical tricks like this (and various physical anti-deduplication tricks that are surprisingly limited), duplication is really not something you can ever control. So you need to train people to maintain physical custody of the credential and make it as difficult as possible to guess at a valid credential.

When cards are used for security identification purposes, the easiest thing to do (and this goes for NFC, RFID, etc) is to generate a long, non-sequential, random card value that is related to the identity of the person only by some database you control. That is, write your 9-digit student ID number to the card for convenience, but when checking identity read out a 16-byte random value that you put on the card just for this purpose. This at least requires that an imposter gain access to the card at some point (to skim it).

Ultimately, the best thing you can do in the context of identification cards is to verify the user photograph online. This is done actively by some police departments and guards in high-security installations by looking up the ID in an online system to retrieve the details and photograph of the cardholder for verification. This is also done passively in some high-security installations, for example by placing a monitor above an entry door that displays the photograph of each person unlocking the door, for casual verification by anyone nearby (particularly any guard nearby).

Physical access control is my favorite research area.

Looks like https://app.it.okstate.edu/idcard/ is down.

This isn't just a problem with just universities. I have a card reader as well, and any site that issues swipe-able ID cards is more than likely susceptible. You would be surprised how many use an incrementing ID that you can easily impersonate another user.

The equipment needed to create fake cards (not just blanks) that look good is trivial to purchase.

I would be curious if OSU built or bought this system to issue cards. If they built it, shame of them. If they bought it, shame on them as well. Any security audit would have caught this clearly. Cards like any interface require good design for use and security.

Hey fellow poke! I'm an MSIS undergrad. I actually had this exact idea over coffee, great work.

I am going to take a guess that you failed to publish the contents of encrypted track 3 due to INTEGRAl security concerns from your university?

Nice writeup. I did something much like this in 2002 or 2003. The main difference was that I was malicious, trying to steal money from other students.

I went to Rochester Institute of Tech. The number shown on your card and encoded on the mag stripe were your ID number.

I had plastic card printers and an encoder so making a fake was no problem. The design was simple so it didn't take me long to make one that looked exactly like the real thing.

How did I get numbers to encode? At that time they distributed grades to students in folders outside each department's office. These grade sheets had your full ID number on them. All I had to do was dig through the folders and take grade sheets from people who hadn't bothered picking theirs up.

I think I only used one or two numbers to buy some stuff from The Corner Store. I was mainly doing it to see if I could, credit card fraud was far more profitable.

One of the worst parts about it was that the student IDs were your social security number. Had I wanted to I could have easily used the data and fake IDs for identity theft.

Did the same thing at my university years ago. I was able to duplicate and switch IDs on the fly with just one device (part of a senior electrical engineering project that is way too public). Things like COIN are appearing on the market, making duplication far too easy. Having physical access to student ID cards means you can clone them, you need something that does bidirectional authorization if you want to be secure but that costs too much and takes time to upgrade. Easier to lock down the important stuff with ID + something (fingerprint or PIN) if you really want to solve this problem.

In your node.js script, once you find the first ID number couldn't you just starting testing ID's less than and greater than the found ID since it's more than likely an incremented ID?