Date of Completion

Spring 5-1-2018

Thesis Advisor(s)

Benjamin Fuller

Honors Major

Computer Science and Engineering

Disciplines

Computer Engineering | Digital Circuits | Electrical and Electronics | Experimental Analysis of Behavior

Abstract

The “Husky One Card” is the name given to student IDs at the University of Connecticut. It can identify students, faculty, and staff in a variety of situations. The One Card is used for meal plans, Husky Bucks (an equivalent of money, but valid only in the Storrs area), residence hall/university facility access, and student health services. The current Husky One Card consists of a picture identification on the front and a standard 1-dimensional barcode and 3-track magnetic strip on the back.

The goal of this thesis is to investigate the feasibility of cloning Husky One Cards, the ease with which one can obtain arbitrary student ID information, the robustness of the One Card backend system, and the risks posed by vulnerabilities. Cloning cards is first attempted with a fully-fledged magnetic strip reader/writer and then with cheap, readily available circuitry. Obtaining student ID information is carried out via a social engineering attack. Alternatively, and less trivially, student ID information may be inferred if attributes such as student name, graduation year, and major are known. Included is an analysis of how one may approximate student ID information based on this metadata. The One Card backend system is tested for effectiveness of “red flags,” which are meant to signal when a duplicate card is in use. Potential security enhancements to both the card itself and backend system are suggested at the end of this document. These recommendations account for usability, cost, and deployability.
