Identity-theft threats seem to be a constant, thanks to porous networks and laid-back users. But there are some key strategies campus leaders can use to help keep the bad guys at bay.
By Elizabeth Millard, University Business
, October 2008
“Identity theft may not be your fault, but it could be your problem,” says Dan Holden of IBM’s X-Force research group, which examines identity theft. “It’s hard for any organization to achieve a high level of prevention and control, but it’s worth the effort to try.”
Although many higher ed institutions lock down their networks, eschew the use of Social Security numbers as identifiers, and train IT staff to protect student privacy, identity theft is still widespread on college campuses, Holden notes.
Still, there are ways administrators can—and should—help protect students, staff, guests, and their own good names from falling into the digital hands of identity thieves. Here are six prevention practices.1. Pinpoint different perspectives on privacy.
IT needs to protect a range of users, from professors on the brink of retirement to 18-year-olds who have just claimed their side of the dorm room, and it is useful to understand that different groups have unique perceptions of what constitutes private information. “Kids raised on Facebook and MySpace don’t have much of an idea of privacy. They believe everything is up for public consumption,” says Stephen Katz, founder and president of the consulting firm Security Risk Solutions and former chief information security officer at Citibank.
Students may also feel that if a breach does happen, they’ll be protected anyway, a view that has been bolstered by the type of identity-theft control provided by credit card companies and banks. Having a strong grasp of what students believe about privacy will help shape user education efforts, Katz notes. “They learn not to go into each other’s lockers and backpacks, so they need to shift that learning to data, and realize that some things really should be kept private.”2. Create formal education workshops.
Distributing information online or in printed form about identity theft might get some students and staff members to pay attention, but making education mandatory will net even more.
Iowa State University officials, for example, are pilot testing a two-hour online identity theft seminar that students, and even parents, can take. The material was developed through testing with law enforcement and insurance industry representatives, notes Steffen Schmidt, professor of political science at ISU and co-author of The Silent Crime: What You Need to Know About Identity Theft (Twin Lakes Press, 2008). “The workshop reminds people that this type of theft is a massive, exploding problem that’s almost out of control now,” he says. “People always think it won’t happen to them, and they don’t think it’s a really serious issue.”
To tailor the course toward students, Schmidt and others at ISU focused on how students conduct themselves online, pointing out how information sharing can lead to potential personal data breaches.
For students, address social engineering situations that could result in identity theft, such as sharing a password with a visiting friend or giving out personal information to a new roommate.
For IHEs who are developing their own efforts, Schmidt advises getting to know students’ habits to make the workshops or seminars more relevant. For instance, if many students use Facebook, a program could play up the dangers of sharing information on that site.
Also important is to address social engineering situations that could result in identity theft, such as sharing a password with a visiting friend or giving out personal information to a new roommate. After all, in 2007, one-third of all identity theft was done by someone known to the person whose identity was stolen, notes Matt Shanahan, senior vice president of marketing and strategy of software provider AdmitOne Security. Say a friend of a friend requests a password for access to a WiFi connection. “Now you’re vulnerable, because he or she can access all your files, and essentially become you,” he says. Describing these types of scenarios will be helpful for students, because they can see themselves in the situation, rather than talking in generalities.
Even one piece of information can be dangerous, since thieves may have several parts of what they need and require only one more, such as a person’s bank routing information or mother’s maiden name, says IBM’s Holden. “There’s been a lot of phishing activity lately, where someone gets an e-mail that’s supposedly from their bank or the IRS, where they’re supposed to call and just verify some info,” he says, noting that this combination of e-mail messages with phone confirmations is increasing, since many people are aware they shouldn’t be giving out bank information or personal details over e-mail. “They might think that because they’re talking to a real person, it’s legitimate,” he explains.
Another useful user education tactic, according to experts, is to highlight how an individual could be affected financially by identity theft. For example, students should learn that a hit to their credit rating could change financial aid in the next semester. Encouraging students and staff to check their bank transactions online frequently, and to look over their credit reports at least once or twice per year, can create better awareness about keeping their identities safe.
Even highlighting tactics as simple as not using laptop bags (since they’re bull’s-eye targets for thieves) and putting cable locks in place can be helpful.
Parents can also be involved. According to Schmidt, many parents have expressed interest in taking ISU’s ID theft seminar. Since personal data is often part of student aid packages and enrollment, parents and guardians are at risk as well. They can therefore be powerful allies in convincing students to take more care in how they share information.3. Rediscover encryption.
A major security measure has been the use of encryption, which takes data and attaches long strings of numbers and text so that the information can’t be understood by unauthorized users—it needs to be decrypted to get the true data. But slapping on all this extra digital gobbledygook to numerically-based data has been tricky, Katz says. For example, credit card or Social Security numbers would get lost when an encrypted data string would swell to a format long enough to provide security, he says.
Commonsense ID Theft
- Buy a shredder and use it to destroy all personal information or mail before throwing it away, particularly credit card offers or forms that include Social Security numbers.
- Don't throw credit card receipts in the trash.
- Change passwords monthly, and choose ones that won't be obvious, such as ones that include your birthday or your pet's name.
- Don't carry extra credit cards, Social Security cards, passports, or other documents unless necessary.
- If possible, pick up new checks at the bank rather than having them sent to your home.
- Limit the number of credit cards you own, and cancel any inactive accounts.
- Keep a list of credit card accounts and bank accounts in a safe place, so you can call the companies if cards are missing or stolen.
But recently, Format Preserving Encryption (FPE) has been introduced, allowing ID numbers or bank routing info to be intact and maintain “referential integrity,” explains Katz. With FPE, a school can integrate data-level encryption into legacy application frameworks without the kind of database re-engineering previously required.
Another big encryption breakthrough has been encrypted USB drives. These little portable storage units, sometimes called flash drives or thumb drives, have sometimes been the bane of IT departments, since they can carry viruses that could infect a network. Also, if a lost or untended thumb drive is found, any personal data could be retrieved simply by plugging the drive into the nearest computer.
At Boston Medical Center, a university research hospital, the use of drives is widespread, and IT Director Brad Blake has instituted a policy that only drives with encryption are allowed to be used. “Locking down data on USB drives isn’t easy, but it’s part of what can make data more secure,” he says. “It’s similar to having a policy on anything that can be carried around and potentially lost.”
Students should be informed that any device—such as an iPhone, iPod, or cell phone—can contain data that could be used for identity theft. Education efforts should cover ways to protect these and USB drives as a good backup to encryption.4. Establish a risk and compliance group.
Top ID-Related "Don'ts" for Students and Staff
Even sharing some quick tips for students and staff will help them be more adept at identity protection. The creators of Identity Finder security software, which searches through files and e-mail for personal data so it can be shredded, offer these cautions to share with end users:
- Don't store personal information on your computer unprotected.
- Don't share personal data, such as Social Security number or even birth date, on MySpace or Facebook.
- Don't assume the school can protect you completely.
- Don't forget to configure peer-to-peer file sharing programs so they're secure.
- Don't neglect to perform software updates and fixes weekly or monthly, if these are not handled by the school's IT department.
- Don't leave your laptop unattended.
- Don't click on e-mail messages that contain hyperlinks to websites.
- Don't enter private information on public computers, such as those in the library.
- Don't e-mail or instant message personal info, since these communications are usually not secure.
Responsibility for identity protection is shared among users, IT staff, software providers, and others, but to truly create a strong strategy that includes education initiatives and technology purchasing, a separate group should be created, according to Shanahan.
“For the best protection, there should be an integrated strategy that looks at the issue from end-to-end,” he says. “That’s in contrast to each department coming up with their own approach. Until someone owns it and does risk management, you’ll always be patching up the holes that will inevitably occur.”
Part of the risk management group’s effort should be the creation of a centralized data warehouse, he says, which prevents the kind of fragmentation that occurs when data is in departmental silos. Shanahan has seen many universities pool data in this way and develop risk management committees that address security policies and procedures. “Think of identity protection in a holistic way,” he advises. “Creating more unity will make fraud-monitoring tools more effective and give more clout to user education.”5. Find ways to secure public computers.
Many students and staff have their own computing resources, but there’s also dependence on public machines, such as those found in libraries, and ensuring that these machines are safe can be tricky, says Steven Zink, vice president of information technology and dean of University Libraries at the University of Nevada, Reno. “I’ve seen people walk away from a terminal with all their personal information still on the screen, even banking data,” says Zink. “Sometimes they just get distracted and don’t even think about it.”
The university uses Deep Freeze, a security program from Faronics that resets a computer to its original settings on a regular basis. This erases any stored cookies, input data, and even malware and viruses that may have crept into the computer while it was idle.6. Create a loss prevention plan.
A working group should address how to deal with lost or stolen laptops—a common way for information to be obtained by thieves. This type of loss is particularly challenging because laptops are so popular, notes David Hawks of Absolute Software, maker of Computrace laptop security software, which can detect changes in hardware (including missing computer memory or drives) and helps track and recover stolen computers. “People are putting their personal information on university assets like laptops, so there need to be added security measures,” Hawks says. “From an identity thief’s perspective, getting a machine is ideal, because not only will it have university information, but also a user’s personal data like passwords, banking information, and credit card numbers.”
Even if there’s some encryption, it can be fairly easy for thieves to use computer forensic tools to tweeze out valuable data, he adds. Using a program to wipe data remotely is a strong option, and establishing procedures for erasing data from broken or donated machines is crucial. Some laptops that land on eBay still have plenty of usable information even though a user might have put personal files in the digital trash.
Absolute Software, www.absolute.com
AdmitOne Security, www.admitonesecurity.com
IBM X-Force, http://tinyurl.com/6aa22x
Identity Finder, www.identityfinder.com
Security Risk Solutions, www.securityrisksolutions.com
“To create enough identity protection, you need a layered approach, where there are best practices around password security, encryption, user education, and loss prevention,” says Hawks. “You’d be amazed at how many people don’t know how to protect their data, so an IT department has to do everything possible to do the protection for them.”
Elizabeth Millard, a Minneapolis-based freelance writer, specializes in covering technology.
Labels: Dr. Politics, Iowa State University, isu center for information protection, mccoy, Michael McCoy, mike mccoy, NSF, Steffen Schmidt