Hacker News

I'm kind of curious - since this was for a class it was kind of allowed, but were there any fine lines that you weren't allowed to cross when doing research for the exploit? I assume as long as you didn't hurt the university's reputation (such as getting bad press) or cause massive amounts of monetary damage you would probably not get into trouble.



We had pretty strict guidelines to follow to be a part of the InfoSec class. We basically signed a waiver at the beginning saying that if we did exploit something, we would be subject to expulsion. It was a "theory" based class and all actual research had to be done within a certain IP range in a particular computer lab.

With that said, this was the final report that I made in the Winter of 2013. I presented it Spring 2014 to the University staff. And now, graduated, with over a full 12 months behind it, I felt comfortable to post it.


They were not upset you made a "blank" ID card and tried to borrow a Surface Pro with it, then use it at a cafe?

I personally think you might have crossed the line on actually using it.


@greyc

Even though I made a blank card, it was still encoded with my student ID number. That was the only reason it was allowed. The point of trying it was to prove that the name or discretionary data did not affect the card working.

While I definitely toed the line, I tried to be careful not to break any of the rules of the class.


These folks found a gaping security hole that can be exploited to gain physical access to secured areas as well as charge fraudulent financial transactions. I can't imagine the university getting upset with checking out a library book.


You would be astonished at how crazy people can get. Honestly, the author of this study took a huge risk and got lucky. If you're thinking of doing anything like this in similar circumstances, DON'T carry out similar actions without first obtaining written permission for each specific action.



