College ID – The Only Card a Hacker Needs
Like many families, I’m packing up my freshman daughter and sending her to a university this fall. We have been absolutely bombarded with mailings from the college she finally accepted, colleges she has not accepted, student credit card offers, to student loan terms. I swear that her college could lower tuition if they consolidated their mailings to once weekly, or moved say 80% to online notifications.
Another mailer showed up today. I have seen this one before except for a different campus, Temple University in Philadelphia and that campus’s onsite bank, PNC Bank. The mailer attempts to sell students on the merits of opening a bank account. In the case of Villanova, it is a Wells Fargo checking account. Fees waived for students! Yay! Villa students can choose to connect their student ID card, their Wildcard, to their bank account. The Wildcard student ID is used for all things a typical student ID Card is good for – events, building access, and dining hall services. According to the literature, the connected Wildcard can then be used for. This way they can use it as a debit card for PIN transactions. For Temple University students, they can open a PNC account and connect it to their campus student ID card, or “Owl Card.” The Owl Card can then be used at ATMs to withdraw cash.
I both cases, connecting the student ID to a campus bank account is an optional service. Both banks provide a service fee free account to all students.
Should I Connect a Student ID Card to a Campus Bank Account?
Both campus banks provide a free bank account to students and then offer some conveniences. PNC allows students to use an ATM for cash with their connected Owl Card. Villanova students have more options. A connected Wildcat card can be used on and off campus as well as for ATM withdrawals.
A while back I wrote about social engineering as a hacking method. Social engineering means using human interaction to gain pieces of personal data. The ultimate goal of social engineering is to gain access to some higher data, like bank account password or other login information. For example, I want to get to someone’s bank account access, one way is to start by working on access to an email account. Since it’s possible the email is one of the ways to reset the online banking password. Crafty hackers can gain access to an email account find finding your email address on social media accounts.
A campus ID hooked to a bank account affords a plethora of personal data that can be used in a social engineering attack. The student ID has a photo which is used to tell use gender. We can also guess at age based on the photo and the fact that the student is enrolled in college. Next, we know the bank name and student’s name. We can surf social media for the student’s name and get more information – date of birth, email address, hometown, pet’s name, etc… All of these are common password reset questions.
So why connect a bank account to an acceptable form of photo ID? Because it’s too easy to get to more information. Reading the “in case of loss” terms on Wells Fargo’s Wells Fargo web page, applicants can see that in the event of card loss, extra steps are needed. This is because the card is so connected. Students must contact their campus authorities and then contact the bank to get the account shut down.