By Lana Hall
Imagine staggering into the library on project deadline only to discover at the checkout that you owe them $200. The librarian checks your account. Wait — you didn’t take out 10 textbooks on Freud and abnormal sexuality. What’s going on? Confused, you head over to the Hub to get a drink. But the cashier says your One Card has no money on it, even though it’s only January and you’ve barely used your meal plan.
This scenario may seem farfetched, but the Eyeopener has uncovered several serious security flaws with the ubiquitous One Card. The real key to not getting scammed is to make sure you never leave it unattended or out of your eyesight. But bad things do happen to good people, and the One Card makes everybody a prime target.
A LITTLE BACKGROUND
Before 2002, students needed about seven cards to function on campus: a card for meals, one for photocopying and even one for RAC access, One Card manager Glen Toews said.
But once the school upgraded to iClass contactless, a more streamlined system compatible with Windows, all Ryerson students needed was a single card.
The One Card acts as student ID, stores meal funds and allows photocopying, printing, vending and building access across campus.
The One Card system is provided by HID Global, an ID management company that also provides card systems for government and banking use.
Intercon, the company Ryerson hires security guards from, is responsible for handling Ryerson’s HID contract and installing the system.
The One Card holds three technologies that are used on campus. The barcode on the front is for signing books out of the library.
The magnetic strip stores a student’s unique ID number and allows access to stored funds (like a meal plan) and photocopy privileges.
A Radio Frequency Identification (RFID) tag “reads” cards (the readers are the little black boxes with the red and green lights scattered around campus) and can unlock doors.
Kathleen Carroll, an information privacy professional with HID, said the cards are also connected to a host PC that allows One Card administration to add or delete privileges, load money or fiddle with systems hardware.
The One Card also has a photo for identification purposes. Still, the features of the One Card are designed with convenience, not security, in mind.
And these three features can all be undone. (Please keep in mind the following actions are highly illegal.)
SWIPE YOUR WAY TO THE BIG TIME
When someone buys food in the Hub, uses a vending machine or prints something from the CopyRite, they pay for it by swiping their One Card.
However, what they’re really doing is using your student number, stored on the magnetic stripe on the back of the card.
Magnetic stripe encoders can be bought on websites like eBay.ca for as low as $100. If a scammer wants to go comprehensive, ID printers can be bought starting from $1,000.
A scammer buys a box of 500 blank IDs for $100, and suddenly they’re producing hundreds of copycat One Cards. Still, the scammer needs to get their hands on the student numbers.
Most residence students (the targets of choice) have their entire lives dangling from their lanyards. And a big part of that is the One Card.
Unfortunately many students will leave their lanyards on tables and chairs in Pitman or the ILC, or in someone else’s room at a party.
Other ways defrauders can find student numbers include looking on professor doors (many will post the numbers instead of names next to marks) or on tossed essays (most classes require students to write their ID numbers on the covers).
But Julia Lewis, the associate director for the Centre for Environmental Health, Safety and Security Management, said a prof who posts a student’s full ID number is in breach of contract.
“They’d have parts of the number,” she said. “Student numbers are very confidential.
Any identifier of a personal nature is highly confidential. A breach of that is highly serious.”
Still, once the scammer has the numbers in hand, they can use the encoder to change signals or data in a code, or translate from one code to another.
This means that One Card infrastructure information can be snagged or tampered with, and duplicate cards with the same information can be printed.
The One Card is especially vulnerable as the stripe only stores the student number — this is why cashiers at the Hub can manually enter student IDs if the swipe doesn’t work. “The cards don’t have personal information on them,” HID’s Carroll said. “I don’t see why anyone would want to hack into them.”
And other representatives with HID said it’s Ryerson’s responsibility to include encryption protocols on the magnetic stripes.
John Corallo, director of Ancillary Services, said the One Card could “possibly be read by an encoder.”
BARRAGE OF BARCODES
All a resourceful scammer really needs to circumvent the barcode on the front of the card is a quick glance at the numbers below the barcode.
Only the last six digits of the 13-digit number are unique, so if a thief can’t get a hold of a One Card, they can even guess.
The key to manipulating the barcode is a barcode generator, which is available online for free.
Even the most basic of generators allows you to customize for symbology type (how the lines are oriented), size of the barcode, text font for the digits and output format.
The Eyeopener printed off several barcodes in seconds. While a printed barcode is not going to fool the average librarian, the library’s self-checkout machines aren’t quite as vigilant.
Designed for convenience, these machines don’t have secondary ID verification (like a PIN), so a fiend could borrow and then sell the textbooks elsewhere while an unsuspecting student racks up hundreds of dollars in fines.
Librarian Brian Cameron said barcode duplication and system tampering wouldn’t surprise him. “The barcode would have to be precisely the same size,” he said. But he admits it’s plausible.
“Ultimately, it’s a private piece of information,” he said. “You wouldn’t show your driver’s license to anyone would you?” Cameron also said the library is equipped with a PIN system but it remains turned off.
“They haven’t really recommend we use it,” he said.
OPEN DOORS = OPEN PROBLEMS
The One Card’s RFID signal device allows card holders with the right clearances to unlock doors outside normal hours or open restricted areas.
To do so, Ryerson must modify the access privileges associated with a person’s ID number. The problem is that the little black scanners across campus can’t make sure the person using the card is the same person on the card.
“The challenge for us is when students lose their cards, and the cards are passed on to other people,” said Lewis, who added lost student cards have been a greater security concern.
“It is a vulnerability,” she said. “Our concern is if it doesn’t get reported.” Lewis said if a student has, for example, access to the Student Campus Centre and loses their card but doesn’t report it, then campus security can’t lock their number out of the system.
In the meantime, whoever finds the card has unfettered entry to the building. “If we know your card can enter a key area, then we can change it,”
Lewis said. Lawrence Robinson, campus security manager, said the card readers can record every number to a central database.
He wasn’t sure how long the records are kept, but “it goes back a ways.” And the first person they go to is the student whose name matches the card.
“If somebody uses somebody else’s card, and something goes on inside we can track it back to the original student,” he said.
“If you only report your card was stolen months after and there are lots of thefts in connection to your card, it doesn’t exonerate you.”
Forging One Cards will land scammers more than a slap on the wrist.
Constable Wendy Drummond, a media relations officer with the Toronto Police, said someone tampering with barcodes or card systems could be charged with fraud or impersonation with intent.
A conviction could lead to a jail term of up to 10 years. Meanwhile, HID Global offers extra anti-counterfeiting features, such as digital watermarks, ultraviolet or infrared ink and holograms, options nearly impossible to duplicate or deconstruct.
But Ryerson has yet to take advantage of them. Toews said there haven’t been problems with ID theft at Ryerson, so there hasn’t been a need to upgrade.
“But it’s a good point,” he said about the threat of student card re-programming. “That’s very true. I mean, this isn’t the Pentagon, it’s a university.”
Ultimately, Toews said, it’s the student’s responsibility to keep tabs on their card. But the One Card system doesn’t allow students easy access to their records.
To monitor their account activities, students must request printouts from the One Card office during business hours and pay a fee.
Giving students access to records online is an option, but Toews said it’s expensive and hasn’t been approved by the university.
Sara Melo, a first-year retail management student, wishes her records could be more accessible to her. “It’s your card. You have to pay to see what you’ve been doing with it?” She said. “That’s crazy.”
And Miranda Morris, a first-year film student in the image arts program, said she tries to be careful about leaving her card around.
“It doesn’t surprise me,” she said of the card’s security problems. “The school’s not that great with security anyway.”