Phishing for data — UI enhances security in response to phishing

Blake Coker | Argonaut

In late October, when University of Idaho students, faculty and staff opened their inboxes, they found a notice informing them of the email security threats UI accounts had been facing.

“In the last two years, we have had 165 accounts compromised that we know of,” ITS Chief Information Officer Mitch Parks said.

In response, UI recently mandated multifactor authentication (MFA), requiring every account holder to verify their identity with another device.

“The thing that we’ve seen has been about protecting peoples’ paychecks and their personal information on VandalWeb, but it’s also (about) protecting all kinds of university data,” Parks said. “Attackers are after research data, they’re after whole library periodicals that we have access to, or they’re trying to use our accounts to attack someone else.”

Parks said that phishing in particular has been an ongoing problem for many years.

“College students are inexperienced in life and cash strapped,” UI junior Avery Brock said. “We are all looking for golden opportunities and we don’t always ask ourselves if something is too good. We are also prime targets as we often don’t know how to monitor our credit, or how to ask the right questions to make sure we are secure.”

“The attackers have gotten better and better, and people’s ability to detect that it is a phish has only improved a slight amount, so even the best users on campus sometimes will fall victim,” Parks said.

A phishing email is a message that is trying to trick information out of you, he said. While often they are trying to get your username and password, there are other kinds of phishing where they might ask you for other data directly.

There is no telltale sign of a compromised account, which makes the process of finding these accounts more difficult and time-consuming, Parks said.

“It may be that we get a phish reported to us, so we take a look at those and say ‘Oh, that was sent to 300 people,’ and then we go look and try and see if anything suspicious is happening on those accounts, and try to purge out that message before they can click,” Parks said. “Probably the number one way is people reporting it.”

However, accounts will not always be reported in time to prevent a further breach.

When attackers have copied the UI login page, they have a much higher success rate, so the university investigates those more thoroughly, Parks said.

“Sometimes we don’t find out until that compromised account sends out their own batch of phish or spam, and we get those reported to us,” he said.

Even if a UI account is reported, the full extent of the breach may not immediately be known.

“A good number of the ones we know that have come after us have been after direct deposit,” Parks said. “And that’s a direct thing that has affected some folks. We had almost 30 direct deposits changed in the last year from attackers. And if we hadn’t been very vigilant on getting passwords changed on accounts we knew were compromised it could have been a lot higher.”

Concerns can be even greater for faculty accounts, since there is not only direct deposit and W-2 information on VandalWeb, but student information as well.

Faculty and staff comprised 81 percent of the compromised accounts, Parks said.

“Partially (this is) because all of our directory information is more public than the students’, at least that’s what we attribute it to,” he said. “Unfortunately, it only takes one compromised account inside to pretty much get that whole list of usernames.”

Parks said on certain occasions one compromised account is then used to phish other UI accounts, and sometimes even accounts not tied to the university at all.

“They may know that a particular department at UI is working with some other organization, and might trust their emails,” he said. “And so they are after one of our accounts so they can attack someone else.”

While MFA might not be the quintessential solution, it acts as a strong deterrent.

“The phishing can still happen,” Parks said. “The username and password may be compromised, but they won’t be worth as much to the attacker because there is a multi-factor authentication going on there, and unless they can trick you into approving their login, even with username and password they’re not going to be able to get in. So one of the results of that is attackers will just move on from us to somebody else.”

This cycle could keep repeating, depending entirely on the security measures of each institution.

“This is a little bit of the old joke about running from the bear in the woods,” Parks said. “You don’t necessarily have to run faster than the bear, you have to run faster than the other guy. So, we’re hoping MFA will at least make us a little faster than the other guy for a while.”

Parks said the university took good steps back in 2009 to increase the password length. Long passwords only help against brute-force attacks, where someone tries to guess the password repeatedly, he said.

While the university continued to become more protected, attackers found more ways to exploit security.

“It is much easier for attackers to just ask for your password with a phishing message, and once you give it away, it doesn’t matter how long it is,” Parks said. “We’ve had compromises where the user gave away a beautiful long password that the attacker used to do other things with.”

Brock said this was not the first time he heard of a phishing attack on campus.

“We saw this last year when a phishing job post made it to Vandal Handshake and was emailed to every student,” he said.

“All students should be informed that the US government will never call you,” Brock said. “If they email you, it will be something unimportant, and if the email address is not .gov, it is fake. All government addresses and emails and phone numbers can be easily verified. There should be a class, if not a handout or section of freshman orientation that covers how to spot phishing offers.”

Parks said the preferred method for MFA is the Duo mobile application. Duo alerts you to either approve or deny the login on your phone when the notification comes up.

Upon doing this, checking the “remember me” box on the web browser for most UI websites will then remember a user’s login for 14 days.

On Jan. 31, students who have not enrolled in MFA will be prompted to enroll upon login.

Parks said there are currently over 1000 students who have already enrolled, and that number is likely to rapidly rise on the last day of January.

Students who do not have access to a cellphone can receive their code over a landline, or pick up hardware tokens to log in with a number. These tokens are available at the Student Technology Center.

“It’s a pretty simple little device, you just press the button and it gives you a number,” Parks said. “The number is only good once and it’ll get you in. We’ll have a bunch of tokens in mid-December, and hopefully that’ll be enough to address everyone who needs one.”

Parks said that while the token is a good alternative, students should still try and use the mobile app.

Parks said phishing emails are reported to the university almost every day, and over the past year there were over 1000 reports of phishing emails.

There are quite a few different reasons as to why UI accounts are more susceptible to attacks.

“It’s easier for an attacker to get our information, it’s more public,” Parks said. “As opposed to just a general Gmail account where they don’t know what they’re getting.”

For many students who are not familiar with phishing or other threats, it still remains easy to fall victim. There is always a possibility that information is at risk, but steps will be continually taken to prevent this.

“This is a step to improve all of our account security, all of our data security,” Parks said. “Pretty much everything is on the table. It’s a changing world, and this is a really key component to improving account security, but we will be looking for other ways to improve that in the future…we want your feedback. There’s a feedback form on the website, or you can send an email.”

Max Rothenberg can be reached at [email protected] or on Twitter @m_rothenberg
