Thursday, April 27, 2006

Switch to UIDs

The system has thankfully been changed, and all students are being issued new cards which use the UID instead of the SSN on the magstripe. While this is a step forward for the security against identity theft, it only exacerbates other weaknesses in the system: half of the hardware required to attack the swipe card system is now out of the equation. You no longer need a skimmer to obtain access to someone's swipe card and all the priveleges and money that grants you.

The Diamondback was kind enough to interview us and publish an article (albeit over a year late and after we could have had the opportunity to avoid a mistake like using the UID on the magstripe). Minor corrections for the article:
1) Daniel Ramsbrock is not currently a graduate student. He is completing his undergraduate degrees in Computer Science and Criminology in May 2006. He will be a graduate Master's student at UMD in the fall of 2006 in the area of Computer Security.
2) The article mentions finding someone's swipe history but does not accuratley describe how to do this. It is assuredly possible, but not via the methods described in the article.
3) The article mentions a "challenged response" protocol for proximity cards. This refers to the challenge-response method of authentication where the reader issues a random 'challenge' string and the proximity smart card responds with an encrypted version of that string. This avoids transmitting the secret number stored on the card.

They also published a staff editorial, which we believe summarizes the important issues in a more accurate fashion than the article.

A better change to the system would have used random ids to link students' cards to the database because then an attacker would need to use skimming hardware, and a successful attack will only yield access to the card--not an SSN or other, more harmful, information.

I must also clarify one point, in my original "Swiping Away Security" article, I did say that it would be just as easy to use the UID instead of the SSN. This was meant merely to illustrate that any arbitrary number could be used to uniquely identify a student and not as a specific recommendation. I used the UID as an example because everyone knows what it is, but we could just as easily generate a random string of numbers each time a card is issued. I have no reason to believe this off the cuff remark was actually used by the administration, but it needs to be addressed given the nature of the new system.

Stay tuned here for updates on these issues. We hope to have a hardware demo with the administration sometime soon in addition to finishing up our paper. Please leave any comments/questions/concerns about the news articles in the comments section on this post.