It's stunning how bad many card issuing systems are (as noted in the post, AmEx et al). When I was in college all of the administrative buildings, student common areas as well as many of the student housing areas were controlled by magstripe. Meals were also kept track of by card.
I knew from people losing their cards, which continued working in some places but not others, that there was a relationship in the issuing. I got a reader and decoded the card (zero-padded student ID, issue number, and XOR checksum).
I found other places to find the student ID number, and could enumerate a few issue numbers. I built this spoofer: http://www.instructables.com/id/Arduino-Magstripe-Emulator/
Then I could get into my friends' apartments (as a POC with their permission, of course).
I disclosed and got a thank you (I built a good relationship with my IT dept over the years), but never figured out if they fixed it.
When I was in school our student IDs were our social security numbers and encoded directly on our ID cards. Grades were left in folders outside the department office with our full SSNs on them. You could easily take someone else's grades, encode their SSN onto a card, and spend their money.
I'm pretty sure that, aside from the magstripe security issue, that practice (grades left in public identified by SSNs and/or student ID #s) has been a FERPA violation forever. Or since the 1970s, at least.
The law changed in the early 2000s. About a year after I discovered this they changed the ID numbers on the grades to the last 4 digits, and shortly after that they moved away from SSNs.
No, there was no change in FERPA in the early 2000s, except changes in 2000 and 2001 to add additional allowed disclosures (the 2001 changes were part of the USA PATRIOT Act).
Now, lots of places in the 1970s and 1980s, and some into the 1990s and 2000s, may have been engaging in the practice of posting grades by SSN or student ID #, even though posting by either had long been explicitly prohibited by FERPA regulations.
What did happen in 2001 that may be relevant to awareness of the rule is the publication of a finding in response to a complaint for posting with the last 4 digits of the SSN.
It could have been "good enough". Remember the whole "keeps an honest man honest" bit. Retooling their security system might cost a lot more than some spoofed meals, and we all know doors & tumbler locks are never impervious.
Yeah, until a man gains easy access to 17-year-old girls' housing, then everyone will flip out. I mean, it's one thing to break stuff to get in, or conspicuously pick a lock, it's another to casually slide a card like everyone else and leave no trail other than maybe video surveillance or access logs showing the same card being used at two ends of campus faster than possible (which nobody will check until something bad happens and they go looking at that data.)
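The "same card at two ends of campus faster than possible" check the comment above describes is straightforward to run over access logs. This is an added example, not code from the thread or from any university's system; the log format, reader names and walking times are constructed assumptions.

```python
from datetime import datetime

# Constructed sample access log (not real data): card id, reader, timestamp.
SAMPLE_LOG = """\
card=000123456 reader=north-dorm ts=2024-03-04T08:00:05
card=000123456 reader=north-dorm ts=2024-03-04T08:00:40
card=000123456 reader=south-lab ts=2024-03-04T08:03:10
card=000777001 reader=datacenter ts=2024-03-04T08:05:00
card=000777001 reader=datacenter ts=2024-03-04T08:45:00
"""

# Assumed minimum plausible travel time between reader pairs, in seconds.
MIN_TRAVEL_SECONDS = {
    frozenset({"north-dorm", "south-lab"}): 15 * 60,
}


def parse_log(text):
    """Parse key=value log lines into (card, reader, datetime) tuples."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        events.append((fields["card"], fields["reader"],
                       datetime.fromisoformat(fields["ts"])))
    return events


def impossible_travel(events):
    """Return (card, from_reader, to_reader, seconds) for every consecutive
    pair of swipes by one card at different readers that is faster than the
    assumed minimum travel time between those readers."""
    last_seen = {}
    hits = []
    for card, reader, ts in sorted(events, key=lambda e: e[2]):
        if card in last_seen:
            prev_reader, prev_ts = last_seen[card]
            if prev_reader != reader:
                limit = MIN_TRAVEL_SECONDS.get(frozenset({prev_reader, reader}))
                delta = (ts - prev_ts).total_seconds()
                if limit is not None and delta < limit:
                    hits.append((card, prev_reader, reader, delta))
        last_seen[card] = (reader, ts)
    return hits


if __name__ == "__main__":
    for hit in impossible_travel(parse_log(SAMPLE_LOG)):
        print("possible cloned card:", hit)
```

Pairs of readers with no entry in the travel-time table are ignored, so the check only flags what it has been told is physically implausible.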
I had a similar experience at my university. I found easy unauthenticated sourcing of most of the data needed to clone the card of anybody by name. The issue number was the only thing to guess, but easy to brute-force on something low-stakes like vending machines. The card was used for food, a debit-card-like system, automated door locks to semi-public buildings and on-campus housing.
With the permission and cooperation of the university security, I made a card of a high-level security guy (who could have been targeted using the public/semi-public org chart) and swiped into their datacenter where all the university data is hosted, along with that of some partners with sensitive data. Luckily the innermost parts need an RFID or something which I didn't have access to, but potentially I could have tailgated or social-engineered my way into that. They weren't interested in letting me research whether I could crack the RFID. :(
I was told my demo made a big splash, but IIRC I checked a year or two later and my source for the ID data was still wide open. There's having imperfect locks and then there's leaving all your keys out in public.
It's true, I didn't consider this enough. But I had a way to create a key without ever possessing the original. If it could only be copied from the original, as even a semi-competent implementation of a magstripe would be, there would still be the chance that someone notices a theft of a key, and it's just harder to pull off if you have to find and covertly steal a key.
My point is that being able to trivially hijack arbitrary identities without even knowing the person, let alone physically finding them, is not "good enough." It'd be like if you could make arbitrary car keys with just a VIN, and the VIN is displayed prominently: it would be silly to say "Well now, it keeps honest people honest, so it's good enough."
I think the problem with these systems is that "good enough" should be much more "gooder" than it is, due to being a solved problem for most cases.
For example, if you happen to need a unique ID for each card, and you roll your own "random id generator" you might happen to encounter pitfalls that would've been solved by using UUIDs.
Or you try to get some sort of hash value from the card info (to verify validity or whatever) and instead of using a known hashing algorithm you try to roll your own.
And I would guess a long list of etceteras.
So when a system that should be for the most part trivial to implement correctly is full of these holes then people like GP will start poking around and ultimately start finding a lot of issues that would make it actually not "good enough".
I mean sure, keys are just there to keep honest people out, but if you can use a standard key that would foil both honest AND a few opportunistic dishonest people then why are you instead trying to use your own "custom key" that happens to be much easier to defeat? Especially if said standard key is not really that much harder to implement.
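To make the "roll your own checksum vs. use a known primitive" point concrete, here is an added example (not code from the thread, the linked emulator, or any card issuer) built around the track layout described earlier in the thread: a zero-padded student ID, an issue number and an XOR checksum. Field widths and the hex rendering are assumptions. The XOR version verifies anything that is internally consistent, so the track carries no authenticity at all; the keyed alternative uses a truncated HMAC-SHA256 with a key that never leaves the issuer and its readers.

```python
import hashlib
import hmac
import secrets

# Hypothetical layout modelled on the thread's description; widths assumed.
ID_WIDTH = 9
ISSUE_WIDTH = 2
MAC_HEX_LEN = 16  # 64-bit tag; enough for a reader to reject guesses


def xor_checksum(data: str) -> str:
    """Longitudinal XOR of the ASCII bytes, rendered as two hex digits."""
    acc = 0
    for b in data.encode("ascii"):
        acc ^= b
    return f"{acc:02X}"


def encode_xor_card(student_id: int, issue: int) -> str:
    body = f"{student_id:0{ID_WIDTH}d}{issue:0{ISSUE_WIDTH}d}"
    return body + xor_checksum(body)


def verify_xor_card(track: str) -> bool:
    # Integrity only: any party that knows the ID can produce a valid track.
    body, chk = track[:-2], track[-2:]
    return xor_checksum(body) == chk


def encode_mac_card(student_id: int, issue: int, key: bytes) -> str:
    body = f"{student_id:0{ID_WIDTH}d}{issue:0{ISSUE_WIDTH}d}"
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + tag[:MAC_HEX_LEN].upper()


def verify_mac_card(track: str, key: bytes) -> bool:
    # Authenticity: without the issuer key the tag cannot be computed, and
    # compare_digest avoids leaking the match length through timing.
    body, tag = track[:-MAC_HEX_LEN], track[-MAC_HEX_LEN:]
    expect = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect[:MAC_HEX_LEN].upper(), tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("xor card valid:", verify_xor_card(encode_xor_card(123456789, 3)))
    guess = f"{123456789:0{ID_WIDTH}d}03" + "0" * MAC_HEX_LEN
    print("guessed mac card valid:", verify_mac_card(guess, key))
```

The issue number still lets a lost card be retired, but with the MAC scheme re-issuing a card requires the key, not just the next integer.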