Anonymity Makes IT Security a Must for Higher Education InstitutionsJoel Rosenblatt | Director of Computer and Network Security, Columbia University
When I was an engineering student, I used state-of-the-art computer systems; punch cards and batch jobs on a mainframe. Computer security consisted of a large man and a locked door, and authentication amounted to having access to an account where the computer usage charges went. As time went on, the internet and personal devices changed computers from a tool you used to an integral part of life. Today, the university experience includes a large online component and we are even seeing entire degrees available online with little or no physical contact; a trend that will only become more prevalent in the future.
In terms of security, authentication (who you are) is one of the largest challenges. In 2012, there were 369,132 identity theft complaints in the United States alone. Identity theft is one aspect of the online education problem. People usually think of credit card fraud when thinking about identify theft, but let’s take a closer look at how an online degree works.
You sign up with an online university by creating an account and password. Most of the time, people will use their email address and the same password they use for everything. If you travel, a convenient way to check your email is in the business center found in almost every hotel today. As it turns out, some of the computers in those business centers have key logging programs installed on them so, while you are checking your email, the bad guys are stealing your email address and password. By looking through your email, they notice you have messages from the online university about your recent graduation, so they log in (using your email address and the same password) and they now have a copy of your new degree.
The other aspect of this is that no one knows who is really on the other end of a network connection. Let’s imagine a situation where your promotion at work depends on you (not you in particular, but a less-than-completely-honest version of you) getting a college degree. You have never been particularly good in classroom situations, so you decide to get an online degree. After signing up, you realize you will actually need to log in and take the classes, so you decide to look for a better way. You have a friend who was good in school, but is always looking for a way to make a fast buck. For a small investment, you convince him to take your classes and, at the end of the process, he has some money and you have a promotion. As someone who works for a university, I must recommend that actually getting the degree is a much better way to go.
In both of these scenarios, the problem is authentication. Doing it right is tricky and can be expensive, and it will always depend, to a certain extent, on the honesty of the person presenting the credentials.
As was pointed out in a cartoon by Peter Steiner in The New Yorker, “On the Internet, nobody knows you’re a dog.” 
– – – –
 http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf Consumer sentinel network data book for January-December 2012 – Federal Trade Commission February 2013
 http://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you’re_a_dog The New Yorker (1993). “On the Internet, nobody knows you’re a dog”. University of North Carolina at Chapel Hill – reprinted for academic discussion. Title 17 U.S. Code. http://www.unc.edu/depts/jomc/academics/dri/idog.html. Retrieved October 2, 2007.
Author Perspective: Administrator
While this article helpfully identifies some of the key challenges for universities (in terms of introducing online degrees) I would have liked to see some more discussion on what universities can do to mitigate some of these concerns and improve their IT security.
Thank you for highlighting an aspect of identity theft I had not previously considered.
In response to the commenter above, I would say that one best practice for postsecondary institutions is not to send out highly important and/or confidential information to students via email. There are other ways to provide sensitive information, for example, by requiring in-person pickup (although I recognize this can be an issue for some students) or having the student log on to a secure learning management system (such as Blackboard) to access it.
I agree with what you’re saying, but I think it’s also important to note that the problem of authentication did not start with new technologies or online education. Higher education institutions have struggled with authentication since their inception. That’s why students are required to present their ID cards before writing in-person exams. In fact, technology may actually be what helps us to address the problem. I’m speaking here of new developments in facial recognition technology, new methods of encryption to protect private information, etc. I could see universities and colleges starting to introduce these systems in the coming years to better protect themselves and their students.