Swipe Card Hack Prompts Complaint

The company that provides the technology for Harvard’s Crimson Cash system filed a criminal complaint this week against two hackers who allegedly threatened to expose security flaws they said they found in the system.

The complaint alleges that a student at the Georgia Institute of Technology, which uses the same software as Harvard, broke into the system, posted information about it on his website, and claimed that he would publicly disclose his finding at an upcoming hacker conference.

According to Harvard University Dining Services spokesperson Alexandra McNitt, the security of Harvard’s Crimson Cash is not in question.

“Our system is as secure as any other system. If anyone attempted to hack into it, they would be prosecuted for felony to the fullest extent of the law,” McNitt said.

The University processes $5 million in vending, laundry and photocopying transactions and five million meal counts annually with the system, created by Blackboard Inc.

The company, which supplies more than 400 colleges and corporations across the country with its electronic purchasing system, filed the complaint with the Superior Court of Dekalb County, Ga.

The complaint alleges that Billy Hoffman, a student at the Georgia Institute of Technology, broke into a switch box located in a campus laundry room to examine the wiring of the system.

Hoffman then allegedly posted photographs and description of the system on his website www.yak.net, as well as claims that he would publicly disclose his findings at an upcoming hacker conference, the complaint says.

According to Blackboard spokesperson Michael Stanton, there is no threat of security flaws in the system.

“This was not a cyberhack. It is a case of property damage, vandalism, and defrauding a university,” Stanton said. “At no point was any financial information of our clients in danger. After Hoffman broke into the switch box, he could monitor transaction information but had no access to actual accounts.”

In the complaint, Blackboard alleges that Hoffman’s actions were a violation of the consumer fraud and abuse act.

Hoffman’s website stated that the “signals to and from several Blackboard readers have been captured, as well as how data is stored on the cards,” according to the complaint.

Hoffman also claimed he would make replacement drop-in readers for the system at Georgia Tech, which, in effect, would give students free laundry service without compensating the university, Stanton said.

On his website, Hoffman wrote that he would make compatible systems “and give them away” if Blackboard did not make the system more secure, the complaint says.

Virgil Griffith, a student at the University of Alabama at New College who has a link to Hoffman’s page on his website, is also named as a defendant in the complaint.

Blackboard also filed a cease and desist order this week, calling for Hoffman and Griffith to remove the Blackboard logo from their websites and cease from disclosing any information about the system or the card readers.