Student hacker exposes Carleton U cash, ID card security holes
A Carleton University student has revealed that he stole data containing e-mail passwords, financial data and library account information from 32 students at the university in order to expose security holes in the system.
The card's design for both financial and identification purposes and its "inadequate safeguards against information leakage" could lead to identity or financial fraud, said the 20-year-old student of the Ottawa university in a document e-mailed to the victims Sunday evening under the alias Kasper Holmberg.
The document, which was e-mailed to Carleton University on Aug. 29, recommends that Carleton stop using the card in its current form.
The card, which has both a barcode and a magnetic stripe, can be loaded with cash and used to buy food, books and computer equipment on campus. It contains data such as the student's identification number, computer and e-mail login name and password, and library card number. It can also be used to unlock doors for three campus buildings, including two residences.
The document explained how the information was stolen using keylogging and backdoor software installed on a terminal hooked up to one of the card readers. It also provided the code for the software, which recorded keystrokes made on the computer and opened up security access to it.
In an interview with CBC News, Holmberg said he wrote the software in about two hours and installed it on a terminal in the Carleton computer lab, which was running Windows.
"I haven't read anyone's e-mail. That wasn't really the purpose," said Holmberg.
Card access to residences
Rather than the information itself, he was interested in the way one could access it, he said, adding that he is particularly concerned about the fact that Carleton is using the cards to provide access to university and residence buildings.
Holmberg said he targeted a number of journalism students in the hopes of getting information about the breach into the Charlatan, the university's student newspaper.
However, he wishes to remain anonymous for fear that he could be expelled for his actions. He came up with his alias using an online fake name generator.
Carleton University spokesman Christopher Walters said the university is conducting an internal investigation.
"We think this is a very serious breach of security," he said. "It may even be a criminal matter and involve the police."
However, he said the affected students were informed immediately after the university received the document alerting them to the problem on Aug. 29. The students' cards were reissued, and measures have been taken to prevent the incident from happening again, he said.
"We would want to reassure students and will reassure students that the campus e-mail system and campus card network are safe," Walters said.
He added that systems are being attacked all the time.
Even if copies of student cards were made, the identity thieves could only get into residence and campus buildings that use the cards for access, not individual residence rooms, he said.
When asked about Holmberg's intent, Walters said, "This is a very odd way to draw attention to the security of a system."
University was tight-lipped: victim
Rosemary Quipp, who recently graduated from Carleton's journalism program, said she received the e-mail from Holmberg days after she heard from Carleton's computing services that her account had been breached.
Carleton wanted her to change her password but wouldn't tell her what information might have been taken from her.
She said she isn't impressed by the university's response.
"They should be open about the problem. They should be getting in touch with people, letting them know that their cards could get hacked," she said, adding that she no longer uses computers at Carleton.
"I'm not going to swipe my alumnae card or my campus card ever again until I know that they've figured out some way of making it so somebody can't steal my e-mail passwords."
As for Holmberg, she hopes he doesn't get into trouble even though what he did is illegal.
"Honestly, I sort of thought, good for him that he was trying to expose the holes in this security system at risk to him[self]."
- The journalism graduate quoted in the story is Rosemary Quipp. She was originally identified as Rosemary Quinn.
Oct 25, 2013 1:04 AM ET