Tech talk and internet security took up much of Tuesday’s Faculty Senate meeting in light of increasing instances of compromised accounts, including compromised payroll deposits for a few faculty members.
Beginning on March 15, all users of MyBGSU will be required to utilize a two-step authentication process when logging into their accounts.
According to the University’s Chief Information Officer, John Ellinger, this added layer of security is necessary to protect faculty, staff and students against hackers utilizing tools such as “phishing” emails.
“The last 90 days have seen some extraordinary security activity,” Ellinger said. “Not just for ourselves, but for a lot of other institutions around this country.”
The activity Ellinger is referring to is the more than 450 instances of compromised personal accounts that have occurred already in 2017.
This number is up from 250 compromised accounts in all of 2015 and 1000 compromised accounts in 2016.
“We’re not talking about the access to, or use of, or theft of any University data,” Ellinger said. “What I am talking about is personal information.”
Ellinger’s main takeaway point from the meeting is to never give your password away to anybody else.
Many of the compromised accounts counted above resulted from phishing emails, which Information Technology services often determines to be fraudulent. IT services, however, is often unable to catch a phishing email before a few faculty, staff or students click on a link that could jeopardize their account security.
Ellinger summarized one instance of a phishing email that led to payroll checks being deposited into bank accounts set up and controlled by hackers.
On January 24, 2017, a few faculty and staff members realized their paychecks had not been automatically deposited as usual. A day and a half later, IT services discovered the plot of a hacker.
A phishing email sent on January 11, 2017 included a link reading “get your pay here.” Four University employees clicked on this link, which compromised their accounts to the point that the hacker(s) were able to log into the accounts and change the bank account information for automatic deposit.
Beginning March 15, a two-step authentication process using software called Duo will be required whenever logging into MyBGSU. This added security will increase the difficulty of hacking into accounts by adding an extra wall of protection.
Students and faculty can, however, access Canvas without logging in through MyBGSU, and therefore without using the Duo two-step authentication process. Canvas is accessible directly at bgsu.instructure.com.
“In Ohio we’re probably the only University that has put this (Duo) totally in front of everything,” Ellinger said.
Indiana University put this added verification step in place in February, and Ellinger speculates that other universities, including Ohio University, will soon follow.
“The bad guys are always going to try to figure out a way around it,” Matt Haschak, who works on security and infrastructure for IT, said. “This is a major hurdle, this is a major step…we’re building a wall.”
Haschak said that if the wall is enough of a hassle for potential hackers, they will no longer see University accounts as a target.