The Crimson Cash service is provided by Blackboard Inc., a Washington, D.C.--based company that has installed similar systems in more than 400 schools and businesses. According to material posted on the Internet by the two student hackers, the weakness of Blackboard systems arises from the reliance on physical rather than electronic security: transaction information travels unencrypted between card-swipe terminals and servers. According to the hackers, the wiring that carries this information is often easily accessible, making it very easy to tap into the system. A hacker can then record and emulate the signals transmitted when a person uses the system to make a purchase or to add money to their balance, opening up a wide range of possibilities for exploitation of the system.
The response by Blackboard has been less than reassuring. They secured a restraining order to stop the two hackers from sharing their findings and issued a statement criticizing them for illegally dismantling a Blackboard device in the process of discovering the problem. The statement also downplays the significance of the security flaw, saying that it is only by physically tampering with its devices that hackers can abuse the system.
“This is not hacking; this is vandalism,” the statement says, with the expectation that this distinction will comfort fearful clients. The threat to users of the system, however, is very real, whatever name Blackboard wishes to give it.
The students claim that they approached Blackboard when they first discovered the problem, but that the company was unreceptive to their findings. They say that threatening to share the information with other hackers was a last-ditch effort to get the company’s attention. In its statement, Blackboard acknowledges the frequent cooperation between hackers and technology firms in improving security, but its response to this incident offers little evidence that it is truly willing to engage in such cooperation.
The crux of the problem lies in the fact that the findings of the two students are hardly extraordinary, and their process for exploiting the system would not be hard to duplicate. It may only have been a matter of time before someone stumbled upon the glitch, and the rumored ability of some computer science concentrators to procure free sodas from the vending machine in Maxwell-Dworkin Hall suggests that such hacking has already struck the Crimson Cash system.
Blackboard seems more interested in covering up the problem than in actually fixing it. The company has given no indication that it will take measures to improve security, and seems to have devoted most of its attention to playing word games and directing blame for the problem against the two students.
Blackboard’s apparent reluctance to deal with the problem means that it is up to Harvard to protect the interests of Crimson Cash users. The University should actively pressure Blackboard to improve the security of its systems, and should be prepared to switch to another service if Blackboard is unable or unwilling to do so. Although the cost of installing a new system would surely be high, the present system with its security glitches may soon become intolerable if exploitation of the sort described by the two hackers becomes rampant. The considerable volume of money transacted through the system and the information that could be gleaned about the purchasing habits of Crimson Cash users cannot be left vulnerable. Crimson Cash users have too much at stake for Blackboard and the University to be passive on this issue.