College Board CSS Profile security issue with Noncustodial parent

This is just a heads-up regarding the CSS Profile and Noncustodial parents. There is a security loophole in the Profile with regards to noncustodial parents. After completing the Profile for my son, I sent very specific instructions to his father to complete the noncustodial portion of the Profile. I included a link to the video that outlines the process for the NC parent, step by step. I also emphasized the fact that the NC parent needed to create their own College Board login first. In addition, his father had filled out the NC Profile several years ago for my other child. Well, instead of creating his own College Board login, he tried to create one for my son. When it said there was already a College Board account on file for my son, his father was able to reset the password over the phone by using the security question. Side note: security questions are mostly family-related and would be easily known by both divorced parents - and it was chosen by my son years ago when he set up his CB account. Anyway, once his father got access to his College Board account, he changed the email and password to his own (father). And then had complete access to my CSS Profile account and was able to see and download my completed application! On the CSS Profile site (and in the video) it stressed how divorced parents can’t access each other’s confidential information. But through this loophole, they clearly can. In addition, College Board never sent a warning email that the email or password had been changed. So it was just by chance that I found this unauthorized access. They really need a secondary password for the Profile since it is attached to the CB student account.

If you are the custodial parent, I recommend changing the CB security question to something the noncustodial parent can’t guess. Or create a dummy answer with your child.

This is not a security issue with the CSS Profile. It’s a security issue with your security question. Call and change those!

Right…it is prudent to keep your passwords such that someone else can not guess them. If you have any other passwords like this…you might want to change those too.

So really, the (shared) security question response is the actual problem, not a loophole.

But I get the OP’s issue. Many of the security questions are known by others - mother’s maiden name, street you lived on in 2nd grade, town where you were born. If the couple had been married a long time or known each other since 2nd grade, the answers aren’t hard to guess.

CSS let the father change not only the password but the email to which future info would be sent.

This is something that I’ve long noticed, not for CSS or FAFSA, but for other similar security questions. So many of the answers could be known by others.

There needs to be some questions that former relatives can’t guess the answers to.

Changing the email is also a serious issue. See if your son can change that. And I would contact CSS Profile and ask them to include some question choices that are not easily known by others.

Either that…or don’t give the real names as your security questions. No one at the College Board cares if these are real or not.

The CB should never have changed the password over the phone. Their response should have been to send a password reset to the email on the account. This is standard practice. The OP is right, the CB should be more careful given the data that they possess.

I have enough trouble remembering the real answers!

After I filled out all the FAFSA documents and FSA ID, I realized I should have had the same answer for everything. What is your mother’s maiden name? Blue. Color of first car? Blue. Street you lived on in second grade? Blue.

“Loophole” might not have been the correct term. It is complicated because Profile is College Board’s form. But they have different service centers and there is no crossover for help. I have been trying to figure out how this can happen without even an email to the original email address to say “your email has been changed.” To give more context: My son set up his CB account several years ago. Used his email, made a strong password, picked a security answer that was secret enough (most people wouldn’t know). He used it for his PSATs and SATs and AP exams. No problem and no issue with his other parent (who he has had a distant relationship with for the past 14 years). The problem is that the custodial CSS Profile is attached to the student’s CB account. There is not a separate password option. I have an issue with this in general, because not all parents want to share their complete financial situation with their kids. I think it should be a secondary password. Anyway… The noncustodial parent is supposed to create their own CB login and then create a noncustodial CSS Profile. They are linked by the student’s FinAid ID. I am pretty tight with passwords and security questions. But it never occurred to me that someone could change the email and password for the College Board account over the phone. Or that he would do that in order to access my financial information.
When he called College Board, he didn’t even know the existing email address or the login name. He just called with my son’s name, DOB, and answered the question. CB gave him my son’s login name and let him change the email and password by phone. Once he got that far, he clicked on the link for CSS Profile. Changing it for CB also changed it for my linked Profile. The only reason I noticed the password and email was changed was because I tried to log in and was locked out of the College Board and Profile account. I could not regain access until the phone center opened the following day.

I have since changed my son’s CB account question/answer to something that can’t be known or guessed. But hindsight is 20/20. I have also talked to multiple people at College Board and at their other (totally separate) phone center for Profile. Basically, CB claims that they only changed the password/email for the “SAT” account and didn’t give anyone access to Profile. Profile tells me that they have nothing to do with passwords and email addresses. I guess my main point is that there should be separate security credentials for each part. In the instructions for the noncustodial parent, Profile emphasizes how secure the system is and how the custodial parent and student will not be able to see any of the noncustodial parent’s information or financial data. Ironic that it does not offer the same protection for the custodial parent.

I am also writing up a lengthy description of what happened to send to College Board. They have already escalated my case. But it has been difficult to discuss over the phone because of the separation of CB and Profile in terms of customer service. I would like to see some changes to the security protocol for the CSS Profile.

The College Board is not a customer-centric organization. Their primary goal is to get your money. Everything else (including securing your personal information) is secondary. Just my opinion, based on some past experience but reinforced by your travails.

"Due to the College Board’s monopoly in administering exams, they generated $1.1 billion of revenue in 2017 and likely generated over $1 billion in revenue in 2019.

The College Board has grown operating profit margin to roughly 14%. Therefore, the College Board is expected to make $150 – $160 million in profits for 2019. Finally, the College Board also has over $1.1 billion in cash and investments according to public records.

Thanks to hefty profits, the President of the College Board makes over $1 million dollars a year while several of its executives make $300,000 – $500,000 a year in salary and benefits."

https://www.financialsamurai.com/how-much-does-the-college-board-make-off-the-sat-and-ap-exams/

Really bothers me when people victim-blame, especially when they haven’t bothered understanding the problem.

Thank you for this heads-up. I’ve noticed that CB is weirdly difficult about security — not difficult in a good protective way, but difficult in an often-counterintuitive way that forces people to show info to each other in a way that shouldn’t happen.

Unfortunately, many organizations are bad at security in ways that increase inconvenience without increasing security (note that “social engineering” is often a weak point in the security system, as shown by your example). Or they penalize individual test taking “cheaters” suspected only because of large score increases, while recycling entire old standardized tests for later use, enabling large scale cheating.

But also, after the student gets actual financial aid offers from colleges that use the CSS Noncustodial Profile, anyone who has access to the actual financial aid offers and one parent’s financial information can reverse engineer approximations of the other parent’s financial information using the colleges’ net price calculators. So, even if the College Board’s security practices were not as poor as you discovered, approximations or estimates of your financial information could be leaked to the other parent.

I agree that while CB doesn’t care whether the answers are real or not, it can be very hard for the person to remember a random answer they once gave to increase privacy.

It wouldn’t be too hard to come up with a few questions that could be answered truthfully, but wouldn’t necessarily be known to another person. There could be 10 questions where the person could select 2 to answer with answers that likely no one would be able to guess. One question could even be a passcode.

But questions like: your first pet’s name, the street name of your childhood address, your mother’s middle name, the model of your first car, or your paternal grandfather’s first name are usually easily known.

And frankly, when those questions are presented, there should be a warning to choose questions that partners, family and friends would not know the answers to.

I will add…it’s odd that no email was received by the student about this (did the student check?).

I’ve really changed passwords for some sites, and I’ve always gotten an email saying “your password to Name the Site was recently changed. If you did this, you can ignore this message. If not, please contact us.”

Anyone else?
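The two points raised above (a reset should go to the email on record rather than be done over the phone on the strength of a security question, and any password or email change should trigger a notification to the previous address) can be shown as a small account-recovery model. This is an added example, not College Board code; the account, addresses, tokens and the separate Profile passphrase are all constructed for the demo, and the "outbox" list stands in for real email delivery.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example, not College Board's code. It models three controls the thread
# asks for: (1) phone recovery only sends a reset link to the email on record,
# (2) an email change notifies the OLD address with a revert link, and
# (3) the linked financial Profile is guarded by its own passphrase.
# Everything below (accounts, addresses, messages) is constructed for the demo.

ITERATIONS = 50_000  # kept low for the demo; production tunes a slow hash


def derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_key: bytes
    profile_key: bytes                                  # hypothetical second credential
    tokens: dict = field(default_factory=dict)          # token -> (purpose, data)
    outbox: list = field(default_factory=list)          # (recipient, message) stand-in


def new_account(username, email, password, profile_passphrase) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, email, salt,
                   derive(password, salt), derive(profile_passphrase, salt))


def check(acct: Account, key: bytes, secret: str) -> bool:
    return hmac.compare_digest(key, derive(secret, acct.salt))


def phone_recovery(acct: Account) -> str:
    """Phone path: the agent discloses nothing and changes nothing. Whatever the
    caller knows (name, DOB, security answer), the only action is a reset link
    sent to the address already on record, so the real owner sees the attempt."""
    token = secrets.token_urlsafe(16)
    acct.tokens[token] = ("password", None)
    acct.outbox.append((acct.email, f"reset link: {token}"))
    return "If this account exists, a reset link was sent to the email on record."


def complete_reset(acct: Account, token: str, new_password: str) -> bool:
    entry = acct.tokens.pop(token, None)
    if entry is None or entry[0] != "password":
        return False
    acct.password_key = derive(new_password, acct.salt)
    acct.outbox.append((acct.email, "your password was changed"))
    return True


def change_email(acct: Account, password: str, new_email: str) -> bool:
    """Requires the current password; the OLD address gets a revert token so a
    hijacked change cannot silently lock the owner out."""
    if not check(acct, acct.password_key, password):
        return False
    revert = secrets.token_urlsafe(16)
    old = acct.email
    acct.tokens[revert] = ("revert", old)
    acct.email = new_email
    acct.outbox.append((old, f"email changed to {new_email}; revert: {revert}"))
    acct.outbox.append((new_email, "this address is now on the account"))
    return True


def revert_email(acct: Account, token: str) -> bool:
    entry = acct.tokens.pop(token, None)
    if entry is None or entry[0] != "revert":
        return False
    acct.email = entry[1]
    return True


def open_profile(acct: Account, password: str, profile_passphrase: str) -> bool:
    """The Profile is linked to the student login but needs its own passphrase,
    so taking over the login alone does not expose the custodial parent's data."""
    return (check(acct, acct.password_key, password)
            and check(acct, acct.profile_key, profile_passphrase))


if __name__ == "__main__":
    acct = new_account("student1", "student@example.com", "Strong-pw-1", "parent-only")
    print(phone_recovery(acct))              # password unchanged, link went to old email
    print(change_email(acct, "guessed", "x@example.com"))   # False: needs the password
    print(open_profile(acct, "Strong-pw-1", ""))           # False: needs the second credential
```

The point of the model is that knowledge of the security answer never authorizes a change on its own; it can at most start a flow whose only output lands in the existing owner's inbox.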

@thumper1 I agree that it is very strange that no email was received by the student. The College Board account was associated with an email dedicated to college related business. There was no email sent there (not in junk folder either). And no email to the parent email on the account. I had my son check all of his other email accounts, just in case. There was nothing sent. I think that is a problem.

Maybe because he changed the email and the password at the same time? I have not been able to get a straight answer from College Board. Just a confirmation that he called and changed it over the phone at a specific date and time.

@mom2collegekids I agree that there should be more options. And a warning about choosing secure questions. Most of all, I think that there should be a different login for the Profile instead of using the College Board login.

@momamh were you able to get it changed back to something for your son…and you?