The University of Insecurity

by chiLL p3ngu1n

I work for a well known university that recently stopped using Social Security numbers for identification purposes because of security risks.

Instead, we now use a unique, nine-digit, Social-like number.  However, the first three digits are all the same: 555

So it's more like a six-digit number.  Each student is given this school ID number when they register for classes the first time.  They are issued incrementally, the first number (555-000-001) going to the person who has been at the university the longest that still owes us money.

Problems

Months before going live with the new system, I had several concerns with it.

First off, Socials were more random, so if digits were transposed there was little chance it would pull anyone up.

However, with an incremented number system, 555-276-012 and 555-267-012 both bring people up.  So the odds of posting payments to the wrong account are increased dramatically.
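To put a number on the transposition problem, here is an added example (Python, not anything the university runs) that models the 555 scheme as described above and counts how many single neighbour-swaps of an ID land on another issued ID.  It then shows the standard fix for keying errors: appending a check digit (Luhn here, an assumed choice) so that a transposed ID fails validation instead of silently pulling up someone else's account.  The sample ID is the article's 555-276-012; the "highest issued" figure is a constructed assumption.

```python
"""Sequential IDs versus IDs with a check digit: how many keying errors hit
another valid account?  Added example; the 555 prefix and incremental
issuance come from the article, the Luhn check digit is an assumed fix."""

PREFIX = "555"


def is_issued(candidate, highest_issued):
    """Model of the university's scheme: 555 followed by a six-digit serial
    handed out incrementally from 000001 up to highest_issued."""
    if len(candidate) != 9 or not candidate.startswith(PREFIX):
        return False
    return 1 <= int(candidate[3:]) <= highest_issued


def adjacent_transpositions(s):
    """Every distinct string obtained by swapping one pair of neighbouring
    digits (the classic data-entry error)."""
    out = set()
    for i in range(len(s) - 1):
        if s[i] != s[i + 1]:
            out.add(s[:i] + s[i + 1] + s[i] + s[i + 2:])
    return out


def _luhn_sum(digits, double_first):
    """Luhn weighted sum over digits, processed right to left."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 0) == double_first:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_check_digit(payload):
    """Check digit to append to payload so the result passes luhn_valid."""
    return str((10 - _luhn_sum(payload, double_first=True) % 10) % 10)


def luhn_valid(number):
    """True when the full number (payload + check digit) checks out."""
    return _luhn_sum(number, double_first=False) % 10 == 0


def with_check_digit(id_):
    return id_ + luhn_check_digit(id_)


def collision_report(id_, highest_issued):
    """(plain_hits, checked_hits): how many neighbour-swaps of id_ pull up
    another issued account under the plain scheme, versus how many still
    validate once a check digit is appended."""
    plain_hits = sum(1 for t in adjacent_transpositions(id_)
                     if is_issued(t, highest_issued))
    checked = with_check_digit(id_)
    checked_hits = sum(1 for t in adjacent_transpositions(checked)
                       if luhn_valid(t))
    return plain_hits, checked_hits


if __name__ == "__main__":
    # Constructed assumption: 300,000 IDs issued so far.
    print(collision_report("555276012", 300000))  # (4, 0)
```

Luhn catches every single-digit error and every adjacent transposition except 09/90, which is enough to turn "just be careful" into a hard reject at the keyboard.  A check digit does nothing about guessability, though: the 555 number is still a short sequential value, which is the separate problem the rest of the article is about.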

When bringing this up, I was told to "just be careful."  I also mentioned that even if we're not using Socials locally (in our office), people still have to use them in order to enroll in our payment plans and for Financial Aid.  So I was unclear as to why we needed a full-on change in the system.

They told me that this decreased the probability of stolen identities.

More Problems

Since the program has gone live, not much has changed.

Really, the only place you are required to use your new ID number is our online site, CatNet, where you can register for classes, look up your schedule, review which Financial Aid you've been awarded, change your local and permanent addresses, and so on.

In fact, if someone were to walk into our offices and not know their new ID numbers, we've been instructed to look them up by name.

A few months ago, I realized that there was a huge security issue in our new system and reported it immediately.  Nothing changed and the hole remained.

I reported it a few more times, but all I got was a response that basically said to stop sending them letters and that they weren't going to fix it for whatever reason.  I think the basic consensus was that it would probably never happen because people don't understand the system and that they would worry about it if it ever happened.

Ironic

It's almost funny how this new system is much more vulnerable to identity theft than the original one.

Since the numbers are incremented, walking up to an office and saying 555 before six random numbers will pull someone up.  You can get a lot of information this way: how much they owe, their addresses, what classes they're in, etc.  Mostly unimportant stuff.

But let's say you walk up to the Billings Office and give them someone's name (let's say your roommate's).  They will look you up by name, and then you can ask some B.S. question like "Do I still owe anything?"  In any case, before you leave, ask them for your ID number because you "Keep forgetting it but you want to remember it real bad."  Hell, they'll even write it down for you.  Now comes the fun part.

CatNet is, by default, set up to use your ID number as the username and the last six digits of your Social as your password, which can be changed at any time.

Unless you have no Social on file, in which case it becomes the last six digits of your school ID.

Now, the odds of you just randomly finding someone who has no Social on file are pretty slim; I've only run into a handful of them myself.  But if you go to the Registrar's Office you can fill out these neat things called Confidentiality Request Forms.

These bad boys keep anyone but a few real-high-ups from looking at things on your account.  It makes certain things like phone numbers, addresses, and Social Security numbers disappear.  They don't actually disappear, but access to them is highly limited.  They are usually used in cases of stalkers or parents who are trying to steal the student's residual checks.

So here's the trick: now you have the 555 number of the person, which is all that passes as proof-of-identity nowadays.

So go to the Registrar's Office and fill out one of those Confidentiality forms.

Next, call up CatNet support and complain that you lost your password, or that it's just not letting you in or whatever.  I'm not sure how their office works because I've never been there, but either they just have a "RESET PASSWORD" button or they actually check to see if you have a Social on file and manually change it to that.

Either way, just give them your 555 number and magically the password is the last six digits of it because your Social is not accessible to them.

Now you have unfettered access to all of their information, including phone numbers, local and permanent addresses, their Financial Aid, plus the ability to charge books straight onto the account, add or drop their classes, or even withdraw them from the university altogether.

But most importantly, you get their Social Security number.  And what can you do with their Social Security number, phone number, and permanent address?  Apply for a credit card!  I fail to see how this system is more secure, or secure at all.

Seriously kids, don't try this at home.

Identity theft is a major crime.  I only wrote about this because it's such a large hole and the administrators here refuse to fix it.  If I were attending this university I would hope that there were people looking out for me, which is the point here.

Hopefully, someone else will show this to someone higher up and this problem will be corrected very soon.  Since most people don't know or understand how the system works, they fail to understand how much they are at risk.

Knowledge is Power.
