You are here


Stop, Thief!

Identity-theft threats seem to be a constant, thanks to porous networks and laid-back users. But there are some key strategies campus leaders can use to help keep the bad guys at bay.
University Business, Oct 2008

“Identity theft may not be your fault, but it could be your problem,” says Dan Holden of IBM’s X-Force research group, which examines identity theft. “It’s hard for any organization to achieve a high level of prevention and control, but it’s worth the effort to try.”

Although many higher ed institutions lock down their networks, eschew the use of Social Security numbers as identifiers, and train IT staff to protect student privacy, identity theft is still widespread on college campuses, Holden notes.

Still, there are ways administrators can—and should—help protect students, staff, guests, and their own good names from falling into the digital hands of identity thieves. Here are six prevention practices.

IT needs to protect a range of users, from professors on the brink of retirement to 18-year-olds who have just claimed their side of the dorm room, and it is useful to understand that different groups have unique perceptions of what constitutes private information. “Kids raised on Facebook and MySpace don’t have much of an idea of privacy. They believe everything is up for public consumption,” says Stephen Katz, founder and president of the consulting firm Security Risk Solutions and former chief information security officer at Citibank.

Students may also feel that if a breach does happen, they’ll be protected anyway, a view that has been bolstered by the type of identity-theft control provided by credit card companies and banks. Having a strong grasp of what students believe about privacy will help shape user education efforts, Katz notes. “They learn not to go into each other’s lockers and backpacks, so they need to shift that learning to data, and realize that some things really should be kept private.”

Distributing information online or in printed form about identity theft might get some students and staff members to pay attention, but making education mandatory will net even more.

Iowa State University officials, for example, are pilot testing a two-hour online identity theft seminar that students, and even parents, can take. The material was developed through testing with law enforcement and insurance industry representatives, notes Steffen Schmidt, professor of political science at ISU and co-author of The Silent Crime: What You Need to Know About Identity Theft (Twin Lakes Press, 2008). “The workshop reminds people that this type of theft is a massive, exploding problem that’s almost out of control now,” he says. “People always think it won’t happen to them, and they don’t think it’s a really serious issue.”

To tailor the course toward students, Schmidt and others at ISU focused on how students conduct themselves online, pointing out how information sharing can lead to potential personal data breaches.

For students, address social engineering situations that could result in identity theft, such as sharing a password with a visiting friend or giving out personal information to a new roommate.

For IHEs who are developing their own efforts, Schmidt advises getting to know students’ habits to make the workshops or seminars more relevant. For instance, if many students use Facebook, a program could play up the dangers of sharing information on that site.

Also important is to address social engineering situations that could result in identity theft, such as sharing a password with a visiting friend or giving out personal information to a new roommate. After all, in 2007, one-third of all identity theft was done by someone known to the person whose identity was stolen, notes Matt Shanahan, senior vice president of marketing and strategy of software provider AdmitOne Security. Say a friend of a friend requests a password for access to a WiFi connection. “Now you’re vulnerable, because he or she can access all your files, and essentially become you,” he says. Describing these types of scenarios will be helpful for students, because they can see themselves in the situation, rather than talking in generalities.

Even one piece of information can be dangerous, since thieves may have several parts of what they need and require only one more, such as a person’s bank routing information or mother’s maiden name, says IBM’s Holden. “There’s been a lot of phishing activity lately, where someone gets an e-mail that’s supposedly from their bank or the IRS, where they’re supposed to call and just verify some info,” he says, noting that this combination of e-mail messages with phone confirmations is increasing, since many people are aware they shouldn’t be giving out bank information or personal details over e-mail. “They might think that because they’re talking to a real person, it’s legitimate,” he explains.

Another useful user education tactic, according to experts, is to highlight how an individual could be affected financially by identity theft. For example, students should learn that a hit to their credit rating could change financial aid in the next semester. Encouraging students and staff to check their bank transactions online frequently, and to look over their credit reports at least once or twice per year, can create better awareness about keeping their identities safe.

Even highlighting tactics as simple as not using laptop bags (since they’re bull’s-eye targets for thieves) and putting cable locks in place can be helpful.

Parents can also be involved. According to Schmidt, many parents have expressed interest in taking ISU’s ID theft seminar. Since personal data is often part of student aid packages and enrollment, parents and guardians are at risk as well. They can therefore be powerful allies in convincing students to take more care in how they share information.

A major security measure has been the use of encryption, which takes data and attaches long strings of numbers and text so that the information can’t be understood by unauthorized users—it needs to be decrypted to get the true data. But slapping on all this extra digital gobbledygook to numerically-based data has been tricky, Katz says. For example, credit card or Social Security numbers would get lost when an encrypted data string would swell to a format long enough to provide security, he says.

But recently, Format Preserving Encryption (FPE) has been introduced, allowing ID numbers or bank routing info to be intact and maintain “referential integrity,” explains Katz. With FPE, a school can integrate data-level encryption into legacy application frameworks without the kind of database re-engineering previously required.

Another big encryption breakthrough has been encrypted USB drives. These little portable storage units, sometimes called flash drives or thumb drives, have sometimes been the bane of IT departments, since they can carry viruses that could infect a network. Also, if a lost or untended thumb drive is found, any personal data could be retrieved simply by plugging the drive into the nearest computer.

At Boston Medical Center, a university research hospital, the use of drives is widespread, and IT Director Brad Blake has instituted a policy that only drives with encryption are allowed to be used. “Locking down data on USB drives isn’t easy, but it’s part of what can make data more secure,” he says. “It’s similar to having a policy on anything that can be carried around and potentially lost.”

Students should be informed that any device—such as an iPhone, iPod, or cell phone—can contain data that could be used for identity theft. Education efforts should cover ways to protect these and USB drives as a good backup to encryption.

Responsibility for identity protection is shared among users, IT staff, software providers, and others, but to truly create a strong strategy that includes education initiatives and technology purchasing, a separate group should be created, according to Shanahan.

“For the best protection, there should be an integrated strategy that looks at the issue from end-to-end,” he says. “That’s in contrast to each department coming up with their own approach. Until someone owns it and does risk management, you’ll always be patching up the holes that will inevitably occur.”

Part of the risk management group’s effort should be the creation of a centralized data warehouse, he says, which prevents the kind of fragmentation that occurs when data is in departmental silos. Shanahan has seen many universities pool data in this way and develop risk management committees that address security policies and procedures. “Think of identity protection in a holistic way,” he advises. “Creating more unity will make fraud-monitoring tools more effective and give more clout to user education.”

Many students and staff have their own computing resources, but there’s also dependence on public machines, such as those found in libraries, and ensuring that these machines are safe can be tricky, says Steven Zink, vice president of information technology and dean of University Libraries at the University of Nevada, Reno. “I’ve seen people walk away from a terminal with all their personal information still on the screen, even banking data,” says Zink. “Sometimes they just get distracted and don’t even think about it.”

The university uses Deep Freeze, a security program from Faronics that resets a computer to its original settings on a regular basis. This erases any stored cookies, input data, and even malware and viruses that may have crept into the computer while it was idle.

A working group should address how to deal with lost or stolen laptops—a common way for information to be obtained by thieves. This type of loss is particularly challenging because laptops are so popular, notes David Hawks of Absolute Software, maker of Computrace laptop security software, which can detect changes in hardware (including missing computer memory or drives) and helps track and recover stolen computers. “People are putting their personal information on university assets like laptops, so there need to be added security measures,” Hawks says. “From an identity thief’s perspective, getting a machine is ideal, because not only will it have university information, but also a user’s personal data like passwords, banking information, and credit card numbers.”

Even if there’s some encryption, it can be fairly easy for thieves to use computer forensic tools to tweeze out valuable data, he adds. Using a program to wipe data remotely is a strong option, and establishing procedures for erasing data from broken or donated machines is crucial. Some laptops that land on eBay still have plenty of usable information even though a user might have put personal files in the digital trash.

“To create enough identity protection, you need a layered approach, where there are best practices around password security, encryption, user education, and loss prevention,” says Hawks. “You’d be amazed at how many people don’t know how to protect their data, so an IT department has to do everything possible to do the protection for them.”

Elizabeth Millard, a Minneapolis-based freelance writer, specializes in covering technology.