Dartmouth ID Magnetic Stripe

Dec 29, 2016 - 7:50 pm

It's been a while since I've played with the Dartmouth ID's, but my brother got me a Magnetic Reader-Writer for Christmas, so I've been having a blast messing around with it. I wrote a bit about the magnetic stripe over 2 years ago, but most of that was conjecture from one VERY out of date article I found online. So, let's take a look at what's on it now!

Before we dive into the current information, here's a very brief recap. The cards use a Hi-Co magnetic stripe, which was 3 tracks. The first track of any magnetic stripe has a much larger character set. According to the previous article,

Initially the tracks were used for Dash, DDS, and building access. The College decided to remove building access from one of the tracks to free up room for BbOne.

It's likely that the first track was used to keep track of building access, due to the complexity of the information it needed (depending on if it used an external server, or evaluated the credentials locally on swipe).

But enough of that! Let's look at what's on the current cards. Disclaimer: I've only tested this with two Dartmouth ID's, both in the same year, so it's possible that some of this isn't universally applicable.

Here's a sample card:

Track 1:
Track 2: ;100172***=0111?
Track 3: ;000000000000000000000?

The first track is unused. The second and third tracks start with ';' and end with '?' because that's the magnetic sentinel data. It can be safely ignored. Track 2 takes the form of the DashID, followed by =0111, for unknown reasons. The third track is 21 0's. This seems unlikely to be important information, and is more likely zeroed data from whatever was on that track before. It's strange that this is still written to the cards though, as presumably every card initially has three empty tracks.

This brings a lot of attention to the failures of Dartmouth's DashID solution. If all you need to be able to use someone's money is that number, and they're roughly incremental, then that's a massive failing on the part of the college.

In fact, until I pointed it out, Dartmouth's primary card money vendor, CBORD, offered a portal where by merely entering in a DashID number, you could add money to the account. However, this page also included the name of the account to which you were adding it. By brute forcing incremental numbers you could easily determine a wide range of DashID's, and who they belonged to before changing the magnetic swipe on your card, and using their money. After pointing this out, it was modified, but the underlying mechanism for DashID's is still the same. If you don't care about who's money you're using, it's just as easy to rewrite your card to use a different number.