New internet safety measures have been taken to ensure IU accounts are secure from phishing.
A new application being implemented at IU is Duo Security, a two-factor authentication system that protects sensitive information such as access to Social Security numbers or bursar accounts.
The system requires users to log in twice to access these features of their account.
“If somebody were to take your username and password, they would also need to get your phone or some other factor they’ve registered,” said Daniel Calarco, chair of the Office of the Vice President for Information Technology’s SafeIT task force.
Approximately 38 percent of IU employees, both students and full-time, have a Duo device set up. In January, workers will need to use this application to access any programs that sit behind the Central Authentication System.
One of the reasons for this new system is an incident that occurred last spring. Thousands of IU users received emails that posed as messages from the University.
These emails told recipients to click on the link attached to the message, which then prompted users to enter their usernames and passphrases.
Close to 800 people gave up their credentials without realizing the emails were a scam. This process, sending emails and links that look similar to a trusted source, is called phishing.
“We get thousands of reports of phish,” Calarco said.
Brad Wheeler, vice president for information technology and chief information officer, gave a cybersecurity report on the Spring 2016 “Staff Portal” Phish at the Bloomington Faculty Council two weeks ago.
While the filters caught over 2.1 billion bad messages last year, there are still emails that get through the barrier. Wheeler said not all spam is caught and terminated at the source.
“Technology is pervasive,” Wheeler said. “The professionalization of the bad guys and consumerization of technology that makes our work convenient is one of our challenges.”
Calarco said once the system knows there is a phish, any account that has accessed that site on the IU network will have its passphrase scrambled. In addition, the site is blocked so no one in the future will make the same mistake.
Because these fake sites look so similar to the IU website pages, Calarco said, there are a lot of users who don’t realize they’re being tricked.
“Over the course of any year, hundreds of employees will fall for phishes and turn over information, and we have to scramble their passphrases as a result,” he said.
Sometimes phishes aren’t aiming to steal financial information or credentials, Calarco said. Sometimes they will steal personal documents or family photos and bargain with users over these items to make a profit. Calarco advises users to be cautious.
“They’re going to adapt and keep coming after us, that’s why folks really do need to be vigilant,” Calarco said.