Colleges on their guard against ID security threats
Computer breach prompts BC to limit Social Security data
While Boston College warns 120,000 alumni that their Social Security numbers may have been stolen by Internet thieves, computer administrators at other Boston-area colleges say they long ago took steps to reduce the threat.
James Stone, director of consulting services for the Office of Information Technology at Boston University, said his school and many others throughout the United States once routinely used Social Security numbers for identification on internal files and documents. But by the late 1990s, BU officials began to doubt the wisdom of this approach.
"It was clear that identity theft was an issue and this was a vulnerability," Stone said.
In 1998, BU replaced Social Security numbers with internal ID numbers that would be useless for identity thieves.
Jeff Schiller, network manager at the Massachusetts Institute of Technology, is also a 1979 graduate of the school. When he arrived, MIT used Social Security numbers for student IDs, but Schiller said things were changing by the time he graduated. "We stopped doing that ages ago," he said.
A thief armed with a person's name and Social Security number can run up thousands of dollars in fraudulent debts, said Evan Hendricks, author of the book "Credit Scores and Credit Reports" and editor of the newsletter Privacy Times. Even if the thief gives the wrong street address, credit agencies will issue a credit score based on the stolen identity if the Social Security number checks out. "It's pretty darn useful," Hendricks said.
That's why Boston College was concerned after discovering earlier this month that a computer used in alumni fund-raising had been attacked by an unknown hacker. A program was planted on the machine that could help the intruder attack still more computers.
There was no evidence alumni data were stolen, but the school decided to take no chances, sending warning letters to the 120,000 alumni whose files were stored on the computer. It was an expensive decision: Sending that many first-class letters would cost over $44,000 in postage alone.
Stone and Schiller said that colleges have to collect Social Security information, including for financial aid programs and for the taxation of wages earned in on-campus jobs. But there are many campus agencies that don't need the numbers. In the Boston College case, the intruder broke into a computer used by students making fund-raising calls. They needed alumni names and phone numbers, but not Social Security numbers.
"A Social Security number at Boston University is a need-to-know or need-to-use piece of information," Stone said.
BU keeps such data on a mainframe computer that isn't directly connected to the Internet. Access is limited in various ways, including electronic "tokens" that generate single-use passwords.
MIT takes a similar approach. "If a system has no need to have this data, it shouldn't have it," Schiller said.
Even though MIT stopped using Social Security numbers for identification about a quarter-century ago, Schiller said only last year did the school begin to systematically purge unnecessary Social Security data.
Boston College has now adopted the same approach, spokesman Jack Dunn said.
Hiawatha Bray can be reached at bray@globe.com.