You are here


Thwarting ID Thieves

What most colleges and universities aren't doing to avoid identity theft and fraud--but should be.
University Business, Jul 2011

American colleges and universities are breeding grounds for innovative ideas and open information sharing. Pair that with a large number of systems on a given network and a vulnerable student population with fresh credit and you've got an appealing target for identity thieves.

"In my opinion, the college and university crowd is probably at the highest risk of any age population," says John Sileo, an identity theft expert and speaker and founder of The Sileo Group. His reasoning? Students are just coming into their own in terms of having credit, and colleges and universities host "incredibly private" information, like social security numbers and financial records.

Despite the need for awareness, Sileo says, institutions of higher education are generally not his main audience because, "unfortunately, a lot of the universities aren't there yet. The progressive universities are there; they understand that information is power and that these students are being raised in a world where the main currency now is information. So it's relatively easy to work for those types of universities that get that. It's more difficult to get engagements with universities who still sort of have their heads in the sand."

In 2010, 8.1 million U.S. adults were victims of identity fraud, according to the Javelin Strategy & Research 2011 Identity Fraud Survey Report. That's 3.5 percent of the U.S. population losing an average of $4,607 and 33 valuable hours.

'The hackers are smart, they're capable, they're experienced, they're automated, they're worldwide, they're persistent, and they're creative.' -Larry Conrad, EDUCAUSE Higher Education Information Security Council

The EDUCAUSE Higher Education Information Security Council (HEISC) is one resource that aims to get college and university leaders paying attention to the threats. David G. Swartz is an HEISC co-chair and assistant VP and CIO at American University (D.C.). Formed in July 2000, the HEISC helps 2,000 CIOs and information security managers, primarily in North America, address their security concerns, explains Swartz, pointing out that colleges and universities are more difficult to protect than, say, a corporation.

"We have a very open kind of climate," says Swartz. "One of the challenges is, how do you balance the kind of openness you want with the type of controls you have to put in place to protect your information and your community? It's a very difficult balancing act."

It's also difficult to balance new technologies--which come with new threats--with security. Gone are the days when hackers were "teenagers or smart computer types" breaking into a system to post a pornographic image on an institution's Blackboard or registration site, quips Larry Conrad, vice chancellor for information technology and chief information officer at The University of North Carolina at Chapel Hill and HEISC co-chair. "The hackers are smart, they're capable, they're experienced, they're automated, they're worldwide, they're persistent, and they're creative," he says.

And Swartz and Conrad have enough experience fending off these hackers at their own institutions. UNC-Chapel Hill has 60,000 separate IP addresses connected to its campus networks, and wards off 30,000 hacking attempts per day, every day. Swartz says he fends off thousands of attackers per month at American U.

When identity theft happens at a college or university, 'the image comes off that they're not taking care of their students' data, so how are they taking care of their students?' -John Sileo, The Sileo Group

With numbers like that, it's important to start paying attention, identify where your institution's risks lie, and learn how to protect against identity theft and fraud.

To start, officials must "understand what type of data they're actually storing as an organization," says Josh Abraham, senior security consultant and security researcher with Rapid7, a company that provides vulnerability management, compliance, and penetration testing solutions for web application, network, and database security.

By taking the perspective of a potential attacker, such as an internal user to an institution, for example, Abraham helps their officials understand where sensitive materials are stored. "From this level of access we paint a picture of a worst-case scenario and how they would go about dealing with that," he says.

At The University of North Carolina at Chapel Hill, the IT department wards off 30,000 hacking attempts per day so students like these don?t have their education interrupted by an identity theft.

The University of Houston System has been working diligently to find and monitor the safety of personally identifiable information within networks of its campuses and administrative offices. "As time goes by and more people are affected by [identity theft], the more people become concerned and want to do something about it," says Mary Dickerson, the system's chief information security officer. She has begun using software from Identity Finder that scans every file on a system looking for anything that could be considered personally identifiable information, such as credit card, social security, and driver's license numbers. The software creates a report, and based on that, Dickerson can choose to delete the sensitive information, delete the file where it resides altogether, or make arrangements to move and protect the information.

Because Dickerson knows that some of the most sensitive personally identifiable information can be obtained from credit cards, devices that process credit card transactions at the University of Houston have their own separate network. On a typical campus, credit cards are accepted at food service venues and bookstores and, at many institutions, tuition can be paid by credit card.

Since an identity can easily be stolen by obtaining credit card information, this is one area colleges and universities not only should pay attention to, but are required to pay attention to. The Payment Card Industry Data Security Standard (PCI DSS) states that organizations accepting payments from major credit card companies must prove they have valid controls around cardholder data to reduce fraud incidences. Compliance testing is required for organizations such as higher ed institutions that handle credit card transactions.

When Elgin Community College (Ill.) needed to ensure it was PCI DSS compliant earlier this year, it turned to CDW-G to help identify any gaps in its existing compliance effort before going to an official PCI auditor, says Jason Marchant, information security officer at the institution.

"One of the good outcomes that came of this is just increasing awareness of information security in the environment here," he points out. "A lot more people in the college have a better understanding of what information security is and what PCI compliance really means to us as an institution of higher education."

Mike Belton, senior security engineer for CDW-G, says it's all about finding a good balance between what an organization is already doing, and what the standard expects. "That's where an organization like [Elgin], where they have a relatively strong information security initiative already in place, really shines through. They've got all the moving pieces, but sometimes you need someone to put the dance together," he says.

One of the easiest ways to protect against identity theft and fraud is to make sure everyone using the internet on campus knows the risks involved and basic ways to protect themselves. In Texas, this type of education is a state requirement.

'You can do a great harm in the trust of the people that you deal with, alumni in particular, or friends of the university, if they simply don't think they can entrust their information to you.' -Larry Conrad, EDUCAUSE Higher Education Information Security Council

"Part of our effort in making the awareness training so relevant to them is it's important to keep university information safe," says Dickerson. "But we want them to be good internet citizens, as well."

Faculty, staff, and students at the University of Houston are required to take an online training course that helps them safely use social media and protect themselves against identity theft. The interactive course materials and subsequent quiz are developed by students, for students. "The feedback that we've gotten is ‘Wow, this is really cool, I didn't know this,' " says Dickerson. "It's been very well received."

According to the Javelin Identity Fraud Survey, 58 percent of U.S. adults used social networking last year. Despite 85 percent of social networking users age 18 to 24 utilizing privacy settings on these sites, experts say there are still huge security risks associated with social networking.

Swartz says the main problem in the social networking realm is that there's a certain amount of trust inherent when sharing information with a group of "friends" in an online community. "The danger is someone within that setting could pretend to be somebody they may not be, but you think they are."

And it's this trust relationship that isn't easy to tackle or control. "A trust relationship is more difficult to identify in a systematic way," says Abraham of Rapid7. Outsiders utilizing it is one way many organizations are saying they have had security issues, he adds.

"If you and I are both friends on Twitter or Facebook and I were to send you a message to go to a website, there's an implied trust," says Abraham. "If an attacker were able to leverage that sort of trust relationship, they may be able to send you a message as me to ask you to go to a website and be able to gain access to your work station."

Identifying a scam may sound simple, but Abraham says the public as a whole doesn't have a good understanding of the risks of social media, which is why educating a campus community is incredibly important.

Occasionally, even when following best practices, security breaches happen. In the event of a breach, it's important to provide support for those affected and the entire campus community.

"Quite frankly, when any one of us becomes a victim of identity theft, it's a very personal crime," says Joe Reynolds, identity fraud product manager for Travelers Insurance. To help client schools support their communities in the event of an identity theft event, Travelers offers identity fraud insurance to recover lost wages, lost time off, attorneys' fees, and any other costs associated with reconciling the fraud. The company also offers identity fraud resolution services that Reynolds describes as "a handholding consulting process that takes a lot of the guesswork out of getting the identity fraud event resolved."

When two student workers stole sensitive materials from Eastern Michigan University in March, the communications staff immediately notified the campus community and the media. A Data Security Breach Information portal was created online featuring updates, a question-and-answer page, and information about what students could do to monitor their information to determine if it had been compromised. "We wanted to make sure everybody was aware of this and knew it was happening so they could let us know if they believed they were a victim," says Walter Kraft, VP of communications.

Identity theft is a big business that can seriously hurt business. Sileo relays the story of marketing company Epsilon's data breach in March, when email addresses of customers from thousands of its client companies were stolen.

"It will cost [Epsilon] upwards of a billion dollars, and all they lost was emails. You can imagine if it was a file with a social security number in it or a credit card number," he says. As a result, the company's stock "plummeted" after the breach and it began losing clients.

But it's not just a matter of dollars and cents. When something like this happens at a college or university, Sileo says, "the image comes off they're not taking care of their students' data, so how are they taking care of their students?" The trickle down of an information breach can hurt recruiting efforts and alumni and donor relations.

"It's a damage to the reputation of the institution and that damage is real," asserts Conrad. "You can do a great harm in the trust of the people that you deal with, alumni in particular, or friends of the university, if they simply don't think they can entrust their information to you." This, he says, can hugely impact an institution's ability to raise money or have good relations with the public, and in turn the value of a degree from a given institution.