Saturday, April 02, 2005

Swiping Away Security

Extra extra, hear all about it! The following is an article that The Diamondback, ostensibly a voice for the student body at Maryland, has refused to publish. Initially, they expressed great interest in publishing my story, and at least one high level editor remarked that it was going to be one of the "hottest" stories of the semester. However, due to the entrenched bureaucracy at the paper, the editors decided instead of letting an independent journalist contribute, it would be better to hand the story off to someone in-house.

The Diamondback has been stonewalling this story since February 7th. When a reporter finally came to meet with me, he did not even know that I was trying to get the story published for the rest of the student body to see. I successfully negotiated a byline with the reporter and his editor (actually, a double byline agreement where we would co-author a new version for the paper), but apparently the editor in chief of the paper did not want to give the impression "that just any student can come in and contribute." Heaven forbid!

I would have published this long ago on my own had I known the way the Diamondback would treat a concerned student trying to get his story published. Nevertheless, I am publishing it before they can claim breaking the story. We've had quite a bit of talk here about how blogging is different, and how it can affect change. Well, one of the greatest things about it is it is a truly independent publishing medium, and it is not hindered by the walls put up by established institutions. In this case, the only major student paper on campus is refusing to release critical information to the student body in order to further its own staff's resumes.

The Diamondback should be ashamed of itself.

While this piece is certainly specific to the University of Maryland, perhaps this will make other students research similar systems at their schools. Also, I defiantly press the "Publish Post" button to demonstrate that, at least on my campus, real, substantive journalism does take place outside of the Diamondback.



Swiping Away Security
By Christopher Conroy


Imagine this: as you head back to your dorm later today, you swipe your ID into one of those ubiquitous card readers that adorn practically every entryway on campus. The little light magically turns green, the door clicks, and you move on with your day, but in the time between your swipe and the green light, you just sent your Social Security number across an insecure network to a central database which the university uses to track student movement, purchases, and behaviors. Even worse, the university does not have any policy to determine who can access this Orwellian database nor does it have any kind of security policy or privacy policy in order to protect this sensitive student information. Sadly, this isn’t make-believe; this happens every single time you swipe your card.

As part of a class assignment for HONR239R (Privacy vs. In Your Face Big Government taught by Professor Jim Purtilo), I worked with Karen Scuderi to submit a series of Maryland Public Information Act requests to the university regarding records pertaining to the swipe card system. The responses we received were extremely surprising, and the student body should take careful note of the information we learned.

The first request submitted by Karen Scuderi inquired about the records kept when cards are swiped, any privacy policy relating to such records, and any records of third party purchase or knowledge of the records. David Robb, University Registrar, answered the request with a brief explanation of the inner workings of the card swipe system. According to Robb, “The ID card system neither collects nor stores any data about [card swipe] transactions.” However, we had very good reasons to believe the card system does actually store data about each swipe because another member of the class was subject to a university investigation into a theft because he had swiped into a building on the night of a theft.

I submitted the second request shortly after the first, but with a more detailed focus. I told the university why I had good reason to believe they keep such records, and I made eight specific requests for information regarding the system. Denise Andrews, University Counsel, responded to my inquiry. There exists no policy or set of guidelines that outline who is permitted to access the database with the swipe card data, and the university lacks any records of any methods used to protect the data. There is also no policy for how long the records are allowed to be kept, and therefore this data is most likely stored indefinitely by the university. According to the University Registrar, no data is stored when we swipe our cards. However, I also asked for and received a copy of my swipe access data for a two-month period last semester. Indeed, a central database keeps track of every single card swipe. When a card is swiped for building access, the exact time, date, location, and access granted or denied is recorded. Entering the Campus Recreation Facility causes a separate entry to be made in a database with the date and time. The card swipe is not only an access card but also a purchase card, and the university also tracks and stores time, location, and purchase information for every transaction at the dining facilities.

The vast amount of information that is stored for every imaginable type of use of the swipe card creates a lot of privacy concerns for our student body. Since the university has neither documented methods for protecting the data nor any list of authorized personnel who have access to the database, we have no way of knowing exactly who is looking at our personal swipe card data. An unscrupulous employee who can access this database could severely abuse this privilege, and there is absolutely no guarantee that this information has not leaked into the hands of a third party. Insurance companies would be particularly interested in the spending habits of students at the dining halls and their CRC attendance records. A determined stalker would dream of having the building access records of their target because after running the data through some simplistic statistical modeling, established patterns of movement embedded in the person’s daily routine would become clearly obvious. Or, a jealous person scared at the prospect of infidelity could keep tabs on their significant other and watch for inconsistencies of where he or she claims to be. Potential thieves could also use the building access data to easily determine when the majority of a hallway in a large residence hall is absent and thus the optimal time to execute a large scale theft. This is by no means an exhaustive list of the abusive possibilities of this data, but it’s extremely illustrative because every single one of these possibilities is not just some unlikely hypothetical. Rather, these are all very real examples that have strong motivations and would be easy to execute.

David Robb, the University Registrar, claims that no information is stored, but I have pages upon pages of my own swipe access data. Robb not only made false claims about the existence of the database, but also he neglected to fully enumerate all of the identifying information found on a student ID card. An acquaintance of mine was able to hook a standard card reader into a computer in order to read the data held on the magnetic strip. The magnetic data is stored in a standardized format, and he was able to write a small program to output this data. Every ID card actually contains the student’s Social Security number in a format that can be easily decoded by any magnetic card reader. This sequence of bits residing in the magnetic strip of our cards is perhaps the scariest part of the swipe card system. The Social Security number is sent—unencrypted— to the central database as a means of unique identification. Therefore, anyone with some basic engineering skills could rather easily set up an intercept on campus card readers. By linking stored Social Security numbers with visual identification or other cues, someone could easily amass a large set of students’ Social Security numbers. A quick Facebook search for many students reveals such information as their birthday and address. Thus, a moderately skilled and determined person could successfully defraud countless students, steal their identities, make purchases in their names, ruin their credit ratings, and even change their class registrations.

There is no excuse for having such a sensitive piece of data as our Social Security numbers residing on our ID cards. Identity theft is a growing problem, and its effects can be severely detrimental and lasting. The key piece of information needed to steal someone’s identity is his or her Social Security number, and the university’s swipe card system is practically begging identity thieves to defraud our campus. The university could just as easily use our university ID as a unique identifier on the magnetic strip in order to protect students. Even if someone doesn’t have the expertise to set up an intercept on the card reader, students frequently misplace or lose ID cards, and whoever finds a lost ID card has access to that student’s Social Security number.

This database is also certainly not being used in the interest of serving students. I misplaced my ID card early last semester, and I had to deactivate it before I had time to conduct a thorough search for it because I was worried someone would spend the money linked to my card. However, it would only take slight modifications to the system to allow a card to be flagged as lost and inform a cashier to retain the card for return to the proper owner if anyone attempts to use it fraudulently. Unfortunately, no such system is in place even though it would not require storing swipe transaction data. The university charges $20 to replace these small plastic cards, and I also inquired about the cost of doing this in my request. Apparently, the university has no records indicating what it costs to produce each additional card. The university needs to justify charging the exorbitant rate of $20 because without documentation of the cost of production, this simply appears to be price-gouging those unfortunate students who happen to lose their cards. Since we have no choice about using our ID Cards, the university has a moral responsibility to provide them to students at cost. I also asked about the initial investment made on the card production system, and the university also has no records indicating what they paid for it.

Ostensibly, the ID card system is an important security mechanism. However, the fact that the ID card presents such a vast array of privacy concerns with the Social Security number embedded in the magnetic strip and a central database tracking and storing detailed information about every swipe, the system is potentially serving to undermine student security concerns. The potential benefits of storing swipe data seem to outweigh the many negative possibilities of abuse of the system. Moreover, the access levels granted to cards in the system are known to contain some errors. For example, an alumnus who requested to not be named informed me that his card still grants him 24 hour access to a building on campus that houses thousands of dollars worth of expensive equipment.

The swipe card system has many severe flaws that raise a great deal of privacy concerns for the student body, and the university was not very forthcoming with this pertinent information. As any student who has been awakened in the morning by a telemarketer on a dorm phone knows, the university does not do enough to protect student privacy. However, the end result of abuse of this information doesn’t just mean that your slumber might be disturbed: Your identity could be stolen, you could be targeted by thieves or stalkers, and some third party like an insurance company might obtain your swipe data and use it against you in any number of ways. Certainly, our campus needs to be aware of these issues, and the administration needs to consider reform before one of these scary possibilities becomes a harsh reality.

32 Comments:

Anonymous Anonymous said...

they should at least use MD5, i mean-- come on, encrpytion isn't that hard.

12:55 PM  
Anonymous Anonymous said...

This is another example in a long line of saftey/security negligences by the campus administration. This sort of thing, combined with the frequent muggings/car jackings around campus and the ludicrously low security of the musical instrument storage at CSPAC, must be addressed.

1:56 PM  
Anonymous Anonymous said...

what happens when you publish this article, and suddenly all those would-be stalkers who weren't aware of this system became aware? maybe the school is trying to look out for your own safety. the less people who publicize something that could be used in such a manner, the better. of course, your publicity could make the school keep better tabs on its records...

~ Rachelmuffin

3:10 PM  
Blogger Chris said...

Rachel- You should get a job consulting for computer security at microsoft. Anyone with a moderate amount of experience dealing with technical security systems will almost assuredly tell you that security through obscurity is a horrible way to go about accomplishing a goal.

It is not the school that is refusing to publish the article, it is the Diamondback. Eventually, the Diamondback probably will publish their own version of the article, but I can't sit on this information any longer.

I can assure you that there were people who knew about this independently of me informing them, and enough people already know from me telling them that any attempt at security through obscurity is already a moot point. Thus, illustrating why it is such an awful system: if one person finds out how it works, the entire system is broken.

People have already successfully implemented hardware for scanning other people's cards, retrieving the social security number, and also "faking" having the card by sending a signal to an electromagnet in a card reader attached to a door. This is NOT hypothetical. This is REAL. Luckily, the people doing this are doing it as a technical exercise of proof of concept, but who knows who else might be so inclined to exploit the system. Therefore, we need to press the administration for change immediately.

5:34 PM  
Anonymous joshua lieberman said...

so what now? lobby the school? you've lit the fire, let's organize. what are specific asks?

8:03 AM  
Anonymous Anonymous said...

Hey Chris! I am so glad that I finally clicked on the link posted on your profile so I could read this article. It just so happens that Tufts U. is going to introduce a similar card next fall. At this point in time, we access our dorm building with a magnetic key which is not specific to individual students.
However (and this is the supreme irony of the situation), I am actually writing an article for the Tufts newspaper about the new ID cards. You can bet I will be asking administrators about security concerns. I just wanted to let you know that students at other schools (me) are reading what you wrote, taking it to heart, and using it to protect themselves. Thank you! Great Job!

Judy

8:42 AM  
Anonymous Anonymous said...

Hey Chris...

I found my way to this through Kyle...and I thought I'd chime in with my two cents.

You did a great job of investigating this story and doing a thorough job of getting to the heart of the problem. Students at other schools planning to make such a card should read the article.

But I have to side with the Diamondback on this one. What you wrote doesn't belong in a student newspaper. Its too personal and not objective enough. If UMCP has a weekly magazine -- if Tufts has one, surely Maryland does -- it would probably fit in much better there.

I can't speak for the Diamondback's editorial staff, but your well-written article wouldn't fit the Tufts Daily's style of a news story. It's definitely a magazine-type piece of writing.

As to why the Diamondback hasn't pursued the article with its own staff...you got me...but in all seriousness, they were wise to not publish "Swiping Away Security," at least as it appears on this blog.

Keep up the good work though, and ask if your brother even remembers me.

--Brian Wolly
Tufts 05, RM Pride Fo-evah.

10:20 PM  
Blogger Chris said...

Wolly- certainly a surprise to see you commenting here. You're not the first to present that criticism, but I have always remained extremely open to editing or even rewriting the story in a format the Diamondback would like. The only reason I haven't done so is because they revoked any editorial control I had over what they're going to (eventually) publish a long time ago. I believe this form works better for the blog, so I kept it.

But, it was certainly not the case that the Diamondback asked me to edit the story with them-- right from the bat they tried to hand it off to someone on staff. Certainly the previous arrangement whereby I would co-author a new version with the staff writer would fix the format issue-- so why did Jonatahn Cribbs (the editor-in-chief) take that agreement away?

6:56 AM  
Anonymous Anonymous said...

For the anonymous poster, MD5 is not a form of encryption.

As for the card swipe system, security is something that is very difficult to get right. The school should not be relying on some joke of a designer/company to provide the card system, just as it should not be relying on cdigix for music.

7:33 PM  
Anonymous Anonymous said...

Hey chris this is tyler at UGA. We had outcry such as this last year and reforms were actually made. We use a card system identical to yours to gain access to most buildings, however, upon swiping your card, your hand is then scanned in a metal box type thing for fingerprint ID to ensure the actual cardholder is the person requesting entry. So, what our student government association lobbied for was the creation of a new student number, not your social, to be placed on your card. So beginning this year each student had a 10 digit number that had no relation to the social. Granted our fingerprints are still crossing the insecure network, I can deal knowing my social is safe and out of the network. Perhaps you can lobby for something of the same nature.

10:42 PM  
Anonymous Stuart McPhail said...

Just saw this article as it was passed around on the ACLU listserv.

I remember the ACLU started looking into this a number of years ago (before my presidency), and it developed into a movement, as suggested, into eliminating the use of Social Security numbers. It’s taken a long time but we've had some progress. That’s why you register for tickets and into the library with the bar code and not your ID number, and why you can use your directory ID and password to log into testudo (they will eventually phase out the use of the SID).

This only solves part of the problem, as it still means the information is still available, but there has been some progress.

6:46 AM  
Anonymous Anonymous said...

Glad to see you finally found a forum on which to publish your concerns.

The university could take some basic steps to make the system a bit more secure:

1. Replace the 9 digit SID with the 9 digit UID. They claim they want to phase out the SID anyway - they ought to follow the rule of thumb across the industries that use magstripe cards - try not to encode any data in plaintext that is not visibly written on the card. There should be little to nothing 'hidden' on the magstripe.

2. As of now, lost/stolen cards are 'deactivated', and new cards are issued. However, this 'deactivation' process is pitifully simple, with the result that anyone who can read the information off a lost card can easily create a new, active card based on the lost card's information. Instead of the current system, the university should give each card something like a random serial number, so that new cards cannot be created from lost/stolen cards.

There are no inherent technical limits in the system that would prevent these measures from being taken - the only limits are foot-dragging and a general unwillingness to accept responsibility.

It will probably always be technically feasible to intercept the information that card readers send, and thus always possible to compromise physical security - but this doesn't mean that the university can't combat the implications of identity theft, which is much easier for the average tech-savvy criminal to perpetrate.

8:39 AM  
Anonymous Anonymous said...

hey chris - i just wanted to keep you updated on my story. it turns out that the card tufts will introduce in the fall is not all like your id card. but at least i had a heads up, and it is great that you are getting so many responses.

11:18 AM  
Anonymous Anonymous said...

How do you know the reader doesn't encrypt the data?

3:12 PM  
Blogger Chris said...

because the chip inside the computer sends a raw data stream without doing any extra computation on it. even if it did encrypt the data, you could easily intercept the swipe before it enters the encryption mechanism therby making it entirely useless. our social security numbers are encoded plainly on the magnetic stripes.

as a side note, i will be "cleaning house" in the comments section. anyone who has submitted a non-substantive comment may find it disappearing in the next couple of days as we may have traffic spikes and I don't want a bunch of useless comments getting in the way of the productive ones. (useless meaning "word" or "what the heck?")

12:21 AM  
Anonymous Anonymous said...

The system itself is pretty secure. There are a great deal of safeguards in place.

The tracking of information about you is commonplace. Look at your credit card or your Giant Food or CVS card. They track you all day long. Look at your internet purchases and your song downloads, they track you as well.

That being said...There are plenty of easier ways to steal your identity and Social Security Number. For $15.00 you can go to the web and buy this information and more. Dumpster diving for this type of information is also common and provides a lot of information for free.

Worry less about the card system and more about this.

7:10 PM  
Anonymous John W said...

I'm curious how the deactivation system for the cards work if you lose one. If your social security number is the unique identifier, how is that the new card is different? If they have a second unique number on the card along with it, I see no reason why they need your ssn on there as well. Although, I have seen the computer software they use to change access to doors, since I recently started a lab job on campus, and they just input your ssn and change the permissions.

(oh, and shoutouts from the CP Libertarians)

7:31 PM  
Anonymous Anonymous said...

hey john w. said...Threre are other unique identifiers in the card that allow for the deactivation of the lost card while still utiliizig the student number wich may or may not be a social security number.

9:47 PM  
Blogger Chris said...

For the poster not concerned with the tracking: CVS does not know how to map your daily movements around campus-- all they know is what/when you purchase at CVS. This is MUCH worse, and has many more possibilities for abuse. Moreover, it's a needless waste of resources.

As far as getting someone's Social Security number for $15 online...it's simply not the case that you can do that unless you happen to know a group of identity thieves who are peddling their already obtained information for others to use as well.

As far as the deactivation goes, there is one character on the card that indicates which number card this is for you. So, if you lose your card and get it replaced, one character changes from a 0 to a 1. (i.e. if you're on your 7th card, you have a 6 for this character)

10:49 PM  
Anonymous Anonymous said...

If you want to join the staff of The Diamondback, you should apply to do so. Until you do, just give them the tip for the story and let them credit you within the story for your research.

6:30 AM  
Anonymous sib said...

Well the University IS working on implementing a new ID instead of a SSN, but it takes time to implement. Also, your swipe is like a credit card. You swipe into your building, and it will log it. It keep track of when and where and what and for how much you buy things to keep your balance in tact, and to ensure no mistakes in your terp bucks and meal points. I mean, it's not ideal, but instead of attacking the University, maybe you should also be attacking the credit card companies, gym membership cards, giant and safeway saving cards, and so on, which all keep your identiy and purchases in a database as well. I am not saying what they are doing is right, but it's not like they invented the wheel here. There are arguments that justify these things, kind of like there are arguments for racial stereotyping etc, which are not 100% right or fair, but the world is not 100% right or fair, not even close.
Of course they can make it more secure. There is always room for improvement. However, Identity theft even happens to the most secure system. There is no way to *prevent* it. As long as there is crime there will be stalkers and identity theft.
The Diamondback not publishing your article is unfortunate, but it does also have a point. If you send an article to the New York Times it better be a really damn good article before they publish it. I am sure that if you were on staff they would publish it, but you have to think of it another way. If you publish this, some random unstable person *will* figure out how to crack it, since you described it in such wonderful detail, and that itself is a security risk. Just to let you know...

8:38 PM  
Blogger Jonas said...

This comment has been removed by a blog administrator.

12:22 AM  
Blogger Jonas said...

This article was very good - I honestly can't believe that the Diamondback refused to give you credit for coming up with the story idea on your own, and writing the actual article before they even got involved.

Even though this lack of security represents a serious threat to students' privacy, (and also possibly faculty as well?) I doubt that the University will take much action. Even though identity theft and stalking is becoming more common, people will continue not to care until they are told that they should. Although this definitely advocates higher security, it is not menacing enough for most people to care. It is only when someone on campus finally is stalked using IDs, or something along those lines, that the University will finally recognize the seriousness of the situation.

Hopefully the Diamondback will come to its senses and print this, but even if it doesn't, keep fighting the good fight.

12:23 AM  
Blogger Kevin Conroy said...

in response to sib's comments:

just because large coorperations get away with privacy violations in terms to data collection doesn't mean that it's okay. even if we're surrounded by data collection mechanisms, that doesn't mean that we should just roll over accept them. i don't care if it's the "norm" or if the "world isn't perfect" - you still have to stand up and voice your opinion about things that you feel are harmful. and this article makes a good point. college campuses don't need to know where you are at all times. they do not have a justified cause for this. more over, it's even less important that they do in fact have this data. what is most disturbing to me is several people contact through a freedom of information request either lied or didn't know about the data, and when they finally did find someone who knew that they data was being collected, they admitted that they didn't have any security policy in place to protect it.

sure, my discover and visa cards track my purchases, but you damn well better believe that it's encrypted along the way and that those companies have strick privacy policies in place to protect your information.

the salient point of this artile is not about the fact that the university is collecting the data (which is quesitonable), but rather that the university is not taking the appropriate measures to secure the data.

5:55 AM  
Anonymous Anonymous said...

Nice article, Chris.

I don't know if it's still the case, but when I attended Maryland (in the late Paleolithic era), you could request to have the administration assign you a number other than your SSN as your SID number.

They would give you a number starting with a 9 and the middle pair of digits as zeroes. (i.e. 9xx-00-xxxx) With the Social Security numbering being what it is, this could not possibly conflict with someone's SSN. It's the same thing they did for foreign exchange students that didn't have SSNs. You learn interesting things when you work in the Registration office.

Anyway, look into that. I'm sure it's not widely known about. Maybe it should be.

--Old Man Henry

6:04 PM  
Blogger Chris said...

I've responded to a lot of the comments posted here, and in a way I would like for them to speak for themselves, but I also don't want it to appear that I have stopped interacting with the readers. So, here we go (and if anyone feels I should stop adding lots of tiny points in these comments, well, post a comment about it!)

There are a couple of major themese of feedback to the story that keep recurring both in the context of this blog and in-person.

Firstly, there seems to be a lot of tension around the issue of whether or not releasing this information to the general public is a good idea because, after all, some wacko could use it to the very evil ends the story is trying to stop. From a more abstract, philosophical stance, I already have major disputes with this reasoning because anyone who thinks deeply about it can figure out what's going on (and there are multiple instances of people who already were doing investigations similar to mine before hearing about my story. Furthermore, from a mere practical standpoint, security through obscurity is almost *never* a good policy, and since more than 1 person already knows about this, we can't trust that it won't continue spreading. So, we might as well give the information out to as many people as possible in order to have any hope of the problem being fixed.

Secondly, many people object with some variation of a "so what?" argument such as "sib." Certainly there are value judgments about the relative potential risk, but the fact of the matter remains that there *is* a great deal of risk. Moreover, Universities account for more identity thefts than financial institutions. This is because financial institutions rely on people trusting them to give them their money (and a Credit Card company for example, ends up losing money as a result of identity theft.) Wheras, in the University some professors still ask kids to write down their SS# on weekly quizzes. We have a long way to go before identity theft isn't a risk on this campus, but it's so EASY to fix that it's ABSURD that the risk still exists.

Lastly, there's the comment that if I wanted to get it published I should just become a staff writer. Well, such an attitude is pretty pernicious given that they won't even have one of their own staff writers publish the story in a timely manner because they don't really understand the issue.

I think it's a bit parallel to the current scare of a security flaw recently found in Firefox. The press is having a field day with it, and non tech-savvy people who know I'm a big Firefox advocate have sent me IMs saying that "ooh, Firefox is actually more insecure than IE because of this hole." That's really not the case by any strech of the matter because Secunia has 80 open holes listed for IE and only 16 for Firefox. Any software the does a heavy amount of interaction over the internet is not going to be perfectly secure, but this hole isn't even that bad -- the VAST MAJORITY of users aren't affected by it, and Firefox's open nature means that there's already a very simple workaround to it (remove all but the default sites for remote software updates to your browser), and I imagine the Mozilla Foundation will come up with a quick fix.

So, in short, to anyone who argues this isn't a big deal or that we shouldn't be telling people about this problem, I encourage you to use Windows with IE and no firewall, and please call me when you get a virus on your computer (I charge $20 an hour, and have fixed many a such machine!)

1:44 PM  
Anonymous Anonymous said...

Hey Chris,

I hope that by now you've realized that what you discovered in your research is past The Diamondback. What I mean is that , sure, you may be irritated because they didn't publish it, but it doesn't really matter any more. Since the paper finally ran a story, and you (apparently) got attention from a different media outlet, your story will be out there.

As for your work, and your ambition to pursue the project, you must be commended. These are amazing findings.

BUT ... I will side with The Diamondback on not having agreed to your conditions. While your research was solid and you had good intentions, there pretty much wouldn't have been any newspaper anywhere that would have published your findings directly. Rather, what they would have done is ran with a story that fully credited you (within the story) as the researcher who made the findings. Really, if what you found winds up to be 100 percent correct, you could have gone with your story even to larger news outlets such as the Baltimore Sun or the Washington Post. However, they wouldn't have considered -- for one second -- publishing something with your by-line. They would have published a story by one of their staff writers and in the story they would have credited you fully. I'm sure The Diamondback probably made you a similar offer.

I understand that what you wanted was to voice the conclusions of your reasearch directly. Unfortunatelly, a newspaper wouldn't have been an efficient way to do it. This BLOG was a good idea, and was a good opportunity for us to see thoroughly what you found. The only thing was that it took as a little bit longer to see it.

That's just the sort of way the industry works. But regardless, congratulations, and thanks for your service to the university community. I just cant fathom that our information is floating around like that.

10:19 PM  
Anonymous DW said...

I would like to point out some flaws in the theory that this topic is better left undiscussed, since it is calling attention to the security holes.

Assume Joe Hacker wants to steal identities. Joe has a basic knowledge of programming. He either attends UMD or knows someone who goes to UMD, and therefore knows about the ID card system. He figures that hacking into this ID card system could be fun/profitable, and does some research. He discovers that he can easily obtain a device that can read the magnetic strip on the ID cards. After obtaining this device, he scans the ID card. Joe discovers a Social Security Number on that card. Now, even if he doesn't take the extra steps to hack into the Campus network, he can get SSNs from lost/stolen ID cards.

Joe Hacker starts with only a basic knowledge of hacking and ends up with as many SSNs as he wants.

Anyone could have reached the same conclusion as Chris did, without any help from this website. Anybody could do exactly what Chris has already done, and be stealing identities right now.

Question: Do UMD personnel have similar ID cards? If so, could someone fake an ID for a staff member and enter an area that contains expensive equipment? Someone who could do that would have limitless access to almost anything on Campus.

3:26 AM  
Anonymous Jen Taylor said...

Has anyone considered the legal implications of all of this? It's most certainly illegal to make social security numbers public. While this is not entirely public, it's not exactly private, either. And the fact that the school charges $20 to offer you the security of a replacement card when yours is lost is stolen... it's almost like blackmail. "Pay us or we'll let your personal information just float out there."

I've contacted the Social Security Administration in hopes of discovering the actual legal limits of Social Security disclosure. I'll let you know if/when I hear back.

3:31 AM  
Anonymous Response from SSA - From Jen said...

Thank you for your inquiry.

The Social Security number (SSN) was originally devised to keep an accurate record of each individual's earnings and, subsequently, to monitor benefits paid under the Social Security program. However, use of the SSN as a general identifier has grown to the point where it is the most commonly used and convenient identifier for all types of record-keeping systems in the United States.

Specific laws require a person to provide his or her SSN for certain purposes. While we cannot give you a comprehensive list of all situations in which an SSN might be required or requested, the following require an SSN:

-- Internal Revenue Service for tax returns and
federal loans
-- Employers for wage and tax reporting purposes
-- States for the school lunch program
-- Banks for monetary transactions
-- Veterans Administration as a hospital admission
number
-- Department of Labor for workers' compensation
-- Department of Education for Student Loans
-- States to administer any tax, general public
assistance, motor vehicle, or drivers license law
within its jurisdiction
-- States for child support enforcement
-- States for commercial driver's licenses
-- States for Food Stamps
-- States for Medicaid
-- States for Unemployment Compensation
-- States for Temporary Assistance to Needy Families
-- U.S. Treasury for U.S. Savings Bonds

The Privacy Act regulates the use of SSN's by government agencies. When a federal, state, or local government agency asks an individual to disclose his or her Social Security number, the Privacy Act requires the agency to inform the person of the following:

-- the statutory or other authority for requesting the information;

-- whether disclosure is mandatory or voluntary;

-- what uses will be made of the information;

-- the consequences, if any, of failure to provide the information

If a business or other enterprise asks you for your SSN, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.

Giving your number is voluntary, even when you are asked for the number directly. If requested, you should ask why your number is needed, how your number will be used, what law requires you to give your number, and what the consequences are if you refuse. The answers to these questions can help you decide if you want to give your Social Security number. The decision is yours.

For detailed information, we recommend our publication at the following Internet address:

http://www.socialsecurity.gov/pubs/10002.html

12:46 AM  
Anonymous Lindsey said...

Hey--read your article from a link from a link in the Diamondback website or something. I think I was one of the people who's card your friend scanned to see if it would get my information. Was he doing it in the QA Hall basement?? :) Now I feel special. Glad something is finally going to be done about it with the new ID cards.

9:15 PM  
Anonymous Axes Network Card Readers said...

8linesuperstore offer the best affordable prices and direct wholesale for any other Systems.

10:17 PM  

Post a Comment

<< Home