{"id":209,"date":"2008-03-16T19:23:24","date_gmt":"2008-03-17T03:23:24","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/16\/security-review-husky-cards-with-smart-card-technology\/"},"modified":"2008-03-16T19:23:24","modified_gmt":"2008-03-17T03:23:24","slug":"security-review-husky-cards-with-smart-card-technology","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/security-review-husky-cards-with-smart-card-technology\/","title":{"rendered":"Security Review: Husky Cards with Smart Card Technology"},"content":{"rendered":"<p><font face=\"Calibri\"><strong>Summary<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">The Husky Card is a University of Washington student\u2019s lifeline.\u00a0 It provides student identification, building access, public transportation, and access to monetary funds for use on and around campus.\u00a0 <\/font><\/p>\n<p><font face=\"Calibri\">Starting in 2009, the Husky Card will get an upgrade to smart card technology.\u00a0 This is in response to the local public transportation agencies\u2019 ORCA (One Regional Card for All) project, which implements an electronic fare system.\u00a0 Following implementation of this system, Regional Transit will no longer accept the current U-PASS stickers and will require smart cards.<!--more--><\/font><\/p>\n<p><font face=\"Calibri\"><strong>Assets and Security Goals<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">The Husky Card identifies University of Washington students<\/font><\/li>\n<li><font face=\"Calibri\">It provides access to the Husky Card Account for accessing student funds for use on campus<\/font><\/li>\n<li><font face=\"Calibri\">It allows unlimited use on Seattle-area public transport systems<\/font><\/li>\n<li><font face=\"Calibri\">It allows after-hours access to campus buildings<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Adversaries<\/strong><\/font><\/p>\n<ul>\n<li><font
face=\"Calibri\">Any person seeking to impersonate a student<\/font><\/li>\n<li><font face=\"Calibri\">Any person seeking unauthorized access to campus buildings<\/font><\/li>\n<li><font face=\"Calibri\">Any person seeking to illegally withdraw or use funds from a student\u2019s Husky Card Account<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Weaknesses<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Small size.\u00a0 Card can easily be dropped or lost.<\/font><\/li>\n<li><font face=\"Calibri\">Embedded Smart Chip broadcast range.\u00a0 An adversary may be able to scan cards in a crowd or during a pass-by to obtain information or locate an individual.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Defenses<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Student photograph will be prominently visible on card to help avoid potential misuse by unauthorized individuals<\/font><\/li>\n<li><font face=\"Calibri\">UW claims the Smart Card only has a broadcast range of a few inches<\/font><a name=\"_ednref1\" href=\"http:\/\/cubist.cs.washington.edu\/Security\/wp-includes\/js\/tinymce\/blank.htm#_edn1\" title=\"_ednref1\">[i]<\/a><font face=\"Calibri\">, thus limiting potential unauthorized scans.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Risks<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">The addition of the embedded smart card chip in the Husky Card can lead to numerous issues involving student security.\u00a0 If the broadcast range of the chip is strong enough, students can be identified and tracked throughout campus or anywhere card readers are stationed.\u00a0 Should the UW decide to utilize this technology for use with the Husky Card Account, such as by implementing smart card payment readers in local businesses that accept the Husky Card, illegal account withdrawals and unauthorized purchases may be simplified since the Husky Card may no longer need to be presented to the merchant and may 
simply be waved over a reader instead.<\/font><\/p>\n<p><font face=\"Calibri\"><strong>Conclusion<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">All in all, the addition of smart card technology may not have a great impact on student security if the broadcast range is kept, as the UW states, to a couple of inches.\u00a0 Greater impact may be seen if the smart card technology is extended to the monetary functionality of the Husky Card.<\/font><\/p>\n<p><font face=\"Calibri\"><\/p>\n<hr SIZE=\"1\" width=\"33%\" align=\"left\" \/><\/font><\/p>\n<p><a name=\"_edn1\" href=\"http:\/\/cubist.cs.washington.edu\/Security\/wp-includes\/js\/tinymce\/blank.htm#_ednref1\" title=\"_edn1\">[i]<\/a><font size=\"2\" face=\"Calibri\"> Husky Card Project. 16 March 2008. http:\/\/www.hfs.washington.edu\/husky_card\/default.aspx?id=953<\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary The Husky Card is a University of Washington student\u2019s lifeline.\u00a0 It provides student identification, building access, public transportation, and access to monetary funds for use on and around campus.\u00a0 Starting in 2009, the Husky Card will get an upgrade &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/security-review-husky-cards-with-smart-card-technology\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":28,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-209","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=209"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/209\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}