- A student at Boston College (BC) was indicted by a Middlesex County grand jury last week on charges that he surreptitiously installed keystroke monitoring software on campus computers, then used the software to steal personal information from more than 4000 individuals who used the machines.
The student, 21-year-old Douglas Boudreau, was charged with a variety of crimes, including six counts of interception of wire communications, eight counts of unauthorised access to a computer system and two counts of larceny over $US250, according to a statement released by the office of Massachusetts attorney general Tom Reilly.
Boudreau, who is a senior computer science major at BC and a resident of Rhode Island, allegedly installed the keystroke monitoring software on more than 100 computers located in six public areas around the BC campus including the campus library, the student computing center, the student services centre and the residence hall where Boudreau lived, according to Massachusetts assistant attorney general John Grossman.
Once installed, the software allowed him to secretly monitor and save every keystroke entered on those computers, which were used in common by members of the BC community.
Information was forwarded from the compromised machines to a remote computer system that Boudreau accessed between April and September 2002 when the theft was discovered, Grossman says.
Using the information, Boudreau is said to have compiled a database of personal information for around 4800 BC students, employees and staff containing information such as computer passwords, confidential access codes to BC buildings, social security numbers and credit card numbers.
Some of that information was used by Boudreau to reconfigure his campus identification card, known as an "Eagle Card," allowing him to pass off purchases at the campus book store, dining hall and laundry facilities to other student accounts, according to the attorney general's office.
Boudreau allegedly racked up more than $US2000 in bogus Eagle Card purchases using the information he obtained, according to the attorney general's office.
BC's campus police and IT staff discovered the scheme in the course of investigating fraudulent transactions at the campus bookstore and took steps to secure the affected computers and contact Boudreau's victims. The case was then passed to the attorney general's office by Boston College campus police.
Boudreau was suspended from Boston College following the allegations and is scheduled to appear in court in September, Grossman says.
The case is not the first involving keystroke capture technology that the Massachusetts attorney general's office has investigated, but it is the first by the office that has led to an indictment, he says.
While declining to identify the software used by Boudreau, Grossman says that consumers should be careful about what information they enter on publicly accessible computers.
In addition, organisations or companies that provide public computing resources should be aggressive in securing those machines from "spyware" such as keystroke capture applications and should consider periodically reformatting computers to remove unauthorised software, Grossman says.
Finally, antivirus software vendors should consider developing features to scan for spyware, he says.