Getting schooled on identity theft

The e-mails were convincing, at least to the more than 100 Temple University computer users who sent in their user names and passwords.

But the messages weren't actually from the school's TUmail system. They were from hackers on a phishing expedition, seeking to utilize the Temple accounts to send spam. The troublemakers hit multiple colleges over the summer, collecting personal data with nothing more than a random e-mail.

Identity theft can be as simple as that: Someone hijacks your e-mail account to pester your friends with offers for male-enhancement devices. But more seriously, it can mean someone uses your name to buy, cheat and steal, ruining your credit and reputation in the process.

College students are particularly vulnerable. According to the Federal Trade Commission, the identities of about nine million Americans are stolen each year. And almost 30 percent of all identity-theft complaints come from people ages 18 to 29 years old.

"Students don't check their credit scores. They have a couple of addresses under their name already. It's very easy for someone to take their identity," said Stamatis Astra, senior vice president and general manager for IdentityTruth, a company that monitors its customers' credit. "This can go on for many, many years. Ninety percent of the time, it's only noticed when someone is applying for a car or home loan."

Credit card companies eager to tap into students' future earning potential send them multiple preapproved card offers, which are often carelessly thrown away. Identifying information like Social Security numbers and addresses are included on many documents, such as student loan applications to registration papers. Dorm mates who seem trustworthy are allowed access to personal computers and unattended backpacks.

Once someone's identity is compromised, it can take from a few months to many years to clear up the problems. Jay Foley, executive director of the Identity Theft Resource Center, knows one woman who has fought to clear her name for 12 years.

"Thieves know students have to share their personal information to get medical care, financial aid, and all those different groups have to store it somewhere," said Todd Davis, CEO and cofounder of LifeLock, an identity protection company. "Sometimes they're 10 feet tall and bulletproof in college. They don't worry about it. The identity thieves count on that."

Other people, like Tim O'Rourke, do worry about it. He is Temple University's chief information officer and vice president for financial services. The idea of someone stealing personal information from university students or staff "is my biggest nightmare," O'Rourke said. "We haven't seen a lot of it, but it's something we're very, very vigilant about. I lose sleep over it because it could happen tomorrow."

Other universities have been victimized: In 2006, hackers stole names and Social Security numbers of tens of thousands of Ohio University students and alumni. That same year, UCLA announced that a security breach had compromised the personal information of as many as 800,000 students, faculty and staff.

This summer, a Texas man was charged with using the identities of University of California-Irvine graduates and medical students to file fraudulent tax returns and receive refund checks. Those whose identities had been stolen learned of the theft when they tried to file their own returns.

"Students are a highly viable target because there's not a lot of predefined activity already there," said Foley, whose nonprofit organization promotes awareness about identity theft and helps victims resolve their cases. "[They] don't have a credit file, so what address I get in there first becomes the address on file. It also makes it more difficult to clean up the mess."

Foley says students should ask four questions before turning over any personal information: Why is this needed? Who gets access to it? How is it protected? How is it disposed of?

"If you can't get a good answer to those four questions, the company or the person who is asking doesn't have any serious business getting that information," Foley said.

Universities are doing their part to keep student information safe.

Gone are the days when professors would post grades outside a classroom next to a Social Security number. Local colleges like Temple, the University of Pennsylvania and Drexel University have stopped using Social Security numbers as student identification numbers. One Tennessee university went so far as to install scanners that read the right hand of students who want to do things like use the recreation center.

Temple gives students pamphlets on how to keep safe from identity thieves and sends e-mails with tips to guard private information. Employees also can purchase an identity insurance policy through the university, and TUSecure requires students and staff to change passwords every six months. The passwords must be a combination of letters and numbers; O'Rourke said a hacker with a simple password-cracking program can figure out a six-letter dictionary-word password in 10 seconds.

"If you want to protect your identity, be paranoid. Understand there are bad people out there trying to get your personal information every day," O'Rourke said. "If you think that way, I think you'll protect yourself."

Students can also hire private companies like IdentityTruth and LifeLock to keep guard over their information.

"College students think, 'Do I really need it at 10 bucks a month? That's beer money,'" said Davis, of LifeLock. "But you're 25 times more likely to have your identity stolen than your car stolen. If you lock your car and take your keys with you, you should take the same precautions with your identity."