UCSB administrators are booting up an improved security system to help prevent students from stealing identities and falsifying grades online.
Associate registrar for computer processing Pat McNulty said U-Mail and other UCSB online systems are getting a boost in security after UCSB student Nancy Ramirez allegedly used the school’s eGrades application to change several grades through the Internet. Students received e-mails last Friday requesting they create and answer a secret question that – along with their last name, social security number, perm number and birth date – will allow them to reset their password for U-Mail if they forget it. The username and password that students use to access their U-Mail accounts is also called the UCSBnetID. McNulty said faculty and staff are temporarily unable to reset their UCSBnetID passwords online and must go to the UCSB Directory Service office in person, as Ramirez allegedly used only the social security number and date of birth of two professors to reset their passwords and gain access into the eGrades system.
McNulty said faculty and staff passwords previously could be reset online using their name, employee ID number, social security number and birth date. The UCSB Directory Service is not aware of any other security problems with the UCSBnetID system, McNulty said. He said the recent crime proved the system insufficient to protect staff from identity theft.
“The events with eGrades made it more clear that we needed to improve the way passwords are reset,” McNulty said. “We have so many things to do, but this made [password security improvements] go to the top of the stack.”
Matt Dunham, U-Mail manager of electronic communications, said using a secret question and answer to reset an online password is recognized as a good security practice and will help protect the system.
“The way these perpetrators used eGrades was obtaining not-so-secret information to change the password – really easy information to come by,” Dunham said. “We recognized that [our old system] isn’t the best way. Online, you need to make it as difficult as possible for someone other than the person to reset the password without using a photo ID.”
McNulty said students currently use their UCSBnetID to access U-Mail and financial aid services, while faculty and staff use theirs to access eGrades. McNulty said the original uses for the UCSBnetID for faculty and staff did not necessitate the security measures now being executed.
“eGrades was the first system [accessible by UCSBnetID] that people care enough about to break into,” McNulty said. “Now we are tightening up the security, because originally it was used [by faculty and staff] only to access the campus directory, no one had used if for security.”
Dunham said all campus departments requiring login information, such as Housing and Residential Services, the registrar’s office and GOLD will eventually use UCSBnetID exclusively. The result will be a single sign-on system or student portal, requiring a UCSBnetID and password to access the services, though he said the completion date is unknown.
“We’re evolving to the student portal; a lot of universities have gone this route,” Dunham said. “All the work with the netID is grounds for a forthcoming student portal.”