April 23, 2003

I.D. Fraud Hits Colleges

Print More

The card systems that form the backbone of most college campuses has come under scrutiny recently after a self-described hacker, Billy Hoffman, published a guide on how to hack into his school’s card system.

Hoffman, who is better known on the web as Adicus, and his “research” partner Virgil Griffith were scheduled to discuss vulnerabilities of the Blackboard Transaction System at a recent annual hacking convention known as Interz0ne. Hoffman attends the Georgia Institute of Technology and Griffith is a student at the University of Alabama at Tuscaloosa. Prior to this presentation, Hoffman published an article, “CampusWide Wide Open”, on the same topic in a recent issue of 2600 magazine.

Moments before their scheduled talk, the head of the conference was served with a cease-and-desist letter from Blackboard’s attorneys.

Blackboard, better known as CampusWide, OneCard, or BuzzCard, is the most popular card system on college campuses. It is a localized debit-card system linked and databased to everything from building entrances to laundry, snack machines and dining halls.

According to Tony Salerno, Cornell dining system manager, the University adopted the Diebold card system in 1991 for unspecified reasons. Security was a non-issue at that time.

Brad Stephenson, general manager of Diebold Card Systems Division, credited Diebold’s history in the banking industry. Before producing ATM machines, they produced safes, clear proof of their dedication to security.

“We have 150 years in the security business,” said Stephenson.

Although Cornell’s card system is fundamentally different from CampusWide’s, Salerno still has taken notice of the recent events.

“When we see something like [Hoffman’s] paper, we take a good look at it,” Salerno said. “Obviously, we look at security as a serious issue. We feel that the Diebold system is the safest,” Salerno continued.

Stephenson said in concurrence with Salerno that security is “fluid”.

“Just like anti-virus software updates to keep pace with new viruses, our company needs to update our system to keep up with new methods of attack,” Stephenson said.

The two hackers discovered the vulnerabilities at their schools while exploring the many aspects of the system.

Hoffman and Griffith claim that their hacking was done in the name of research and that they merely wished to point out the failings of the CampusWide network. Hoffman’s website and other hacker-orientated websites have made their cause a rallying point for free speech advocates.

Michael J. Stanton, senior director corporate communications of Blackboard Inc., through a press release on Blackboard’s website, claimed that the company turned to legal actions because they felt that the Hoffman and Griffith were far too explicit in detailing the vulnerabilities of their system.

Stanton claimed the company feared that Hoffman and Griffith’s work could read as a how-to manual for breaking into their system, which would compromise over 275 campuses.

In a follow-up interview, Stanton said that the court ruled in favor of the injunction “because what Mr. Hoffman and Mr. Griffith did was to promote the use of illegal activity. They provided blueprints for how to vandalize property, illegally wiretap our system, and violate Blackboard intellectual property.”

In the press release, Stanton even suggested that one of the pair had been employed by a competitor, but failed to mention which one. Later, Stanton identified Hoffman as the purported consultant, but for legal issues refused to name the employer.

Stephenson and Diebold refused to comment on this assertion that one of the hackers had been a consultant for a competitor.

Stephenson did agree with Blackboard’s suppression of Hoffman’s article, saying if a similar article were published concerning the Diebold system, “We would work to prevent any release.”

Hoffman and Griffith claim that Blackboard’s actions violate their free speech. On the website Slashdot, many people have expressed their frustration on this issue.

One contributor, identifying himself as nehumanuscrede said, “Think of America as the ‘politically correct’ police state.”

Numerous contributors agreed with this sentiment arguing that Blackboard was using the law to control thought and expression.

The online magazine Salon entered the fray last week with an article entitled “The Copyright Cops Strike Again”. The article, written by former Sun editor-in-chief Farhad Manjoo ’00, agrees with many Slashdot contributors who argued that this was a violation of free speech.

Salerno disagreed with this conclusion; he suggested that some restraint should be used in the publishing of such important security flaws.

“My personal opinion is that [Hoffman] certainly has the right to voice his opinion. However, I agree with the order if publicly disclosing certain technical details puts the card holders or others users at risk, financial or otherwise,” said Salerno.

This debate has become very polarized: the Salon article referred to Hoffman and his associate as “researchers” instead employing the term “hackers”.

“I think ‘researchers’ is a generous term … [even] ‘hacker’ is generous,” Stanton said.

“I think they are vandals,” he added.

Stanton elaborated on this by saying that what Hoffman and Griffith had done was to break into the physical architecture of Blackboard’s system and proceed to “illegally wiretap” the system.

Salerno questioned the relative vulnerabilities that Hoffman outlined in his paper.

“I think [Hoffman] makes it sound easier than it is to do and ultimately if someone tries this, the expense will merely be passed on to the customers,” said Salerno.

“Damages are costly and are yet another factor in rising tuition costs,” said Stephenson.

One of the vulnerabilities Hoffman exposed required splicing a laptop into a Coke machine’s connection to the card reader, others required removing casings to the card readers.

Stephenson said that the point of entry attack described in the case of the coke machine, “will fail on our system.”

“I didn’t see anywhere in [Hoffman’s] article claims that he could steal money from your card,” Salerno said.

One frailty of the CampusWide system that Hoffman criticized was that much of the electronic architecture is based upon 1980’s technology. Salerno agreed with this criticism and stated that the key aspect of Diebold’s system, the database software, is based upon modern Oracle software.

This is not an exercise in theoretical security issues for all involved parties though. On April 17, a former Boston College student, Douglas Boudreau, received five years probation for collecting personal information from his school’s card system and abusing it for a total of nearly $2000 in goods and services. Boston College officials could not be reached for comment.

Archived article by Michael Margolis