Simon Fraser University students were shocked to learn last week that a Chinese couple stole 500 pages of information on 150 students from a computer or computers in a campus lab. The couple used it to make fake student cards, which they then used to steal transit passes.
The fraudsters were caught and deported. But Jim Garnett from B.C. Transit Police says the crime should serve as a warning to students that public machines on campus aren’t always safe.
The information that was stolen appeared to have been lifted using keystroke loggers, devices the size of a small USB key that are hidden on or inside computers to record everything that’s typed.
Garnett says there was evidence that the deported couple was trying to steal bank account information, but all they got from those 500 pages were student login IDs and passwords.
We asked Jay Black, the Chief Information Officer at SFU, whether he agrees with Garnett’s assertion that campus labs aren’t as safe as students may think. Here’s what he advised.
“Yes, the transit policeman is correct. One needs to be careful with any device one uses, especially devices one doesn’t control and trust,” says Black. “But we can’t operate a computer lab and not expect students to enter their user IDs and passwords,” he adds.
Black says that his team is vigilant for people doing strange things in labs. They also conduct physical checks for keystroke loggers and will consider increasing the frequency of those checks.
“But you’re in the same kind of one-upmanship with those methods as spammers,” says Black, “because the latest generation of keystroke loggers is much harder to detect.”
That’s why he believes a better solution is stepped-up education about safe computing practices. Avoid typing sensitive information on public computers, for example.
Black says that an even bigger concern for those using campus computer labs is whether anyone is looking over their shoulders or using cell-phone cameras to record what they’re typing.
Black also suggests that students make sure their own Internet-enabled devices are password protected. Laptops, cell-phones and tablets are commonly targeted by thieves on campuses.
And, says Black, students should change their passwords frequently.
Black’s main message is that campus labs will never be totally risk-free, so protect yourself. “We can operate a computing lab and give students some reasonable assurances that the lab is secure,” he explains. “But with some sufficiently determined adversary, we won’t be able to assure that.”