Carleton University made headlines last month because a student hacked the campus card system and was able to collect some students’ personal information. But this wasn’t the whole story, says Kathleen Kelly, campus card coordinator at the Ottawa, Ontario university.
“I would use the term ‘hacked’ loosely,” says Kelly, also president and chair of the Corporate Relations Committee at the National Association of Campus Card Users. The student was able to access students’ personal information, but he didn’t break into the campus card system.
The student installed software on a print station in a computer lab at Carleton and was able to capture information off the magnetic stripe of some student IDs, Kelly says. In the university’s computer labs there are print stations equipped with magnetic stripe readers. After a student prints out a job, he goes to the stations, logs-in with user ID and password, swipes his ID and authorizes the job to print.
On another PC in the computer lab the hacker installed key-logging software to capture the students’ login and password information. From there the student was able to connect the login information with the data from the mag stripe, Kelly says.
After collecting the student information he sent a report to university officials with the names and data of the 32 students whose information he collected, Kelly says. From that report, university officials were able to figure out what the students had in common and where the information came from. Nothing illicit was done with the stolen student information.
The mag stripe on the campus card can be used to pay for laundry, printing and small purchases at the university, Kelly says. There is a $12 daily spend limit on the card for vending machine or unattended purchases. The card is also used for physical access to two of the residence halls.
The 32 students impacted had new cards issued and had to change their user names and passwords, Kelly says. Also, because of the incident the university has locked down all print stations preventing new software from being installed on the machines.
The student, Mansour Moufid, sent the information to university officials under a false name, according to news reports. He was charged with mischief to data and unauthorized use of a computer. The penalties for the charges range from fines to jail time. The student also voluntarily left Carleton.