After Security Breach, Harvard Unveils New IDs

Encryption technology in new proximity ID cards to strengthen security in FAS buildings

The Faculty of Arts and Sciences (FAS) announced last week that students, faculty, and staff will receive new identification cards that use contactless smart card technology when they return to campus this fall.

The upgrade comes less than a year after Theodore R. Pak '09 was caught creating duplicates of the Harvard University ID (HUID) cards belonging to University President Drew G. Faust, Assistant Dean of the College Paul J. McLoughlin II, and Dunster House Superintendent H. Joseph O'Connor.

Pak's hack revealed a significant security flaw in the more than 15-year-old swipe card system, as he was able to gain access to buildings and gates across campus with only knowledge of HUID numbers and a $200 card reader bought from eBay.

Assistant Dean for Physical Resources Michael N. Lichten said that the Pak incident "was a motivator for us to move more quickly in putting the new system in place."

Prior to the Pak incident, HUID numbers were available to a number of individuals at the University, including undergraduate User Assistants, Harvard University Dining Services workers, building managers, and freshman proctors. The University has since strictly restricted access to these numbers, putting in place a number of protocols that limit how and when they can be displayed and accessed by members of the Harvard community.

The new cards are intended to bolster the security of FAS buildings by adding crucial encryption technology and more complex security procedures.

Lichten said that unlike the previous card system, which functioned directly on unencrypted HUID numbers, the new proximity cards will carry encrypted information that must match data saved by the security system on who is given access to each building.

Lichten said that the encryption makes the system more difficult to hack, but he said he is "not sure" if it is more secure than the swipe-access cards that Harvard has used in the past.

Harvard joins other universities, including Princeton, Yale, and MIT, which have long since adopted this or similar systems. Harvard's, a recent iteration of this technology, will support both proximity and the older swipe access cards and will also contain a second black stripe intended for use in future software upgrades.

The cards will largely do away with the need to swipe into dorms and Houses, allowing students to simply bring the card close enough to a reader to gain access.

"I think students will find it easier to use at their Houses," Lichten said. "It will make access quicker."

The security scare caused by Pak's forgery highlighted a significant vulnerability in student and faculty members' Crimson Cash accounts, which are directly linked to HUID numbers and are considered financial account numbers by the Commonwealth of Massachusetts.

In 2007, the Massachusetts state legislature passed a law that required all financial account numbers to be protected and mandated that notice should be issued whenever an incident compromises the security of that data.

In January, months after Pak was first discovered in November, FAS issued an advisory to students asking them to check for suspicious activity on their accounts.

A recent security advisory posted by the Office for Information Security and Privacy stated that HUIDs "should not be used as financial account numbers… [and] in cases where it is used that way today, a plan should be developed to adopt an alternative approach as soon as possible."

Crista Martin, director for marketing and communications for Harvard University Dining Services, said that Crimson Cash would still be accessed through the swipe portion of HUID cards in residential dining halls and retail locations such as The Greenhouse Café.

While there are no plans to separate Crimson Cash accounts from HUID cards, Martin said future use of the cards' second magnetic strip and a transition to a random 16-digit ISO number should help the University comply with state law.

New readers will be installed in all FAS residential facilities and select other campus buildings. Lichten declined to comment on the cost of the upgrade but said that it is "certainly not a trivial undertaking."

Only college undergraduates and students at the Graduate School of Arts and Sciences will be issued the new cards in this first stage of the upgrade, leaving students at Harvard's 12 other graduate schools with the older HUID cards.

Lichten said that this should not pose a problem for students attempting to access the University Library system or other campus buildings with older cards. New cards can be issued to graduate students who have a legitimate reason for gaining access to undergraduate facilities, such as House tutors, according to Lichten.

Pak pled guilty in Cambridge District Court on charges of breaking and entering with intent to commit a misdemeanor and trespassing. He was sentenced to three years' probation and 200 hours of community service.

According to court documents, Pak admitted to forging HUID cards as well as state identification cards and distributing them to friends.

John "Jay" L. Ellison, secretary of the Administrative Board, the College's principal disciplinary body, said that he would not comment on the status of Pak's enrollment or any of the other students named in the investigation. Pak is no longer listed on the official College facebook or Harvard phonebook directory.

He did not return calls for comment yesterday.

—Zachary M. Seward contributed to the reporting of this story.

—Staff writer Abby D. Phillip can be reached at