Over the past year, several university employees around the country were targeted by successful phishing attacks.
Cyber criminals sent emails to employees, appearing to come from their university, that warned them about an issue requiring them to log in to their employee portal. When the employees clicked the link to what appeared to be their university’s legitimate login portal, they landed on a page that was hosted by the criminals. The criminals then used the victims’ credentials to modify direct deposit information so that salaries could be re-routed to an account they controlled.
These types of attacks, called phishing attacks, are an attempt to steal login credentials and, as a result, gain access to your online accounts. This is how attackers are able to take your money or your sensitive information. With your credentials in hand, they can behave online as if they were you.
One way of defeating this type of fraud is for online systems to require an additional factor for authentication. This factor should be something the attacker has no way of accessing. It will prevent an attacker from pretending to be you, even if they have accessed your credentials.
Factors in authentication are:
- something the user “is” such as a fingerprint
- something the user “knows” such as a password
- something the user “has” such as a smartphone
In direct response to these attacks, a new feature has been added to Atlas, in addition to the web certificate authentication that is already in place. It requires users to enter the last four digits of their Social Security Number to better authenticate their identity when accessing their personal sensitive information.
Multi-factor technology called Duo Security will be added to Touchstone and, in the future, will be required when users access critical MIT services and applications. This feature is not yet available to the MIT community.
Read the full story in IS&T News
REN-ISAC Advisory: University Payroll Theft Scheme (.pdf)