Dealing Students A Wild Card: Dorm Desks Make a Mockery of MIT Card Security

Stacey E. Blau

"I want to assure you personally that in no way is your security in hazard when you leave an MIT Card as collateral at the EC desk. While I do not know what happens at other desks, I can assure you, and I'm sure so will the desk captain, that all the desk workers treat your IDs with the utmost importance and do not make any bad use of them."

That came from a piece of e-mail sent over my dormitory mailing list last week by a desk worker. The mail was completely misleading and pretty disturbing; I'd hope that most people read it and dismissed it as they would dismiss any exaggeration that a claimant could never make good on.

The fact is that MIT Card security is a serious issue that students should pay attention to. Claims by desk workers, or anyone else, that students can ignore the matter are not especially helpful. The simple fact is that it's easy to duplicate the contents of the strip on your card; you need only a card and a card writer. Cards at desks provide the former, and about $400 will get you the latter. Small devices that read and capture card info cost closer to $20. This being MIT, it should come as no big shock that some students have the desire and hardware to take advantage of the possibilities.

One of the more significant events in the ongoing MIT Card debate was a security assessment of the card released in March 1995 by Andre M. DeHon '90, then a graduate student in computer science. DeHon's assessment stated that "the level of security provided by the card is laughable." (The report is still available at http://www.ai.mit.edu/people/andre/mit_card/security_assessment/security_assessment.html.) The day after the report came out, the Department of Housing and Food Services, which issues the MIT Card, told dormitory desks to stop accepting the card as collateral for items like movies, pool cues, or keys that they lend.

The decision was soon reversed, and dormitories have been able to use the card as collateral ever since. A quick survey of current dormitory desk practices reveals that at nearly all desks, the MIT Card is the preferred - if not the required - form of identification residents must hand over when they borrow desk items. Many desks will accept driver licenses instead, but desk workers report that most of the time, residents hand over their MIT Card.

None of this, of course, would be much of a big deal if the MIT Card were nothing more than a photo ID. But MIT has gradually added more and more functions to the MIT Card, particularly monetary transaction capabilities, which have turned the card into a veritable credit card. You use it for your meal plan. You can use it for your laundry and even on some campus vending machines. Anyone with a meal plan probably has several hundred dollars on his or her card. If that isn't cause to be concerned about leaving your card with someone at a dormitory desk or anywhere else, I don't know what is.

As is the case with much modern technology, the conveniences of the card as a credit card and its subsequent value as a piece of collateral at dormitory desks far outweigh any security concerns that people have. That, of course, is exactly the sort of negligence that people who take advantage of such things prey on.

Even if students don't know better, MIT should. But MIT makes no effort to educate anyone about the risks involved in using the MIT Card, even as it adds more and more functions to it. The fact is simply that the card system is wide open to abuse. Desk workers can do anything they want with cards left at desks. A more ingenious person can spoof card readers on dormitory entrances or on washing machines or vending machines and record the cards' contents.

And once someone has your card information, the attacker can essentially be you when he or she uses your card to buy dinner at Lobdell, make a purchase at a vending machine, or enter your dormitory. Replacing your card means nothing; the algorithm that changes a card's encoding when a new one is issued is painfully simple and easy to deduce. Once a person has your card data, any future card you get is compromised, too.

The dangers of the card system carry over into the expansion of the card readers on building entrances around campus. As if the threat of the end of MIT's open campus were not enough, the card reader system doesn't really offer anything in return. The promise of extra security is a false one. The same trespassers will trail into buildings and dormitories, and the people who care enough will have an easy time capturing card information and making their own. The logic that the danger is always people on the outside is totally misguided; what happens when it's MIT students who are the ones doing the copying?

The level of security that the MIT Card offers is indeed laughable. But what's even more unacceptable is that MIT doesn't bother to educate anyone about the dangers involved in using the card. At best, the card system relies on the hope that people won't abuse it. But no serious security system can be built around hope, especially one like the MIT Card system, where the safeguards are barely even there.

At a place like MIT, you'd expect people to have a clue about these very obvious risks with technology, especially when money as well as building and dormitory security are at risk. But that would amount to making the assumption that MIT's bureaucrats are as smart as its academics. You could add that assumption to the list of laughable things around here.