The Help Desk messages on Outlook announced the initiation of a two-step verification
process. Due to a spike in phishing emails targeting students, the Office of Information Technology has taken the initiative in countering the scams. Steve McDevitt, the Chief Information Officer, spear-headed the new program implementation.
Explaining the original problem, McDevitt said, “part of the problem is that passwords are easily guessable…most people use the same password at lots of different places. So if one website is compromised then bad people, who compromised the website, usually have access to others.”
McDevitt, describing the transition into the MFA system, said “the platform that we selected is called Okta…and that’s what students use currently to get into Canvas… a student worker to get into Workday, to put in their time…or upper-level classmen who are using Qualtrics… we’re already using Okta to get into those, and so that is the change that’s occurring next week.” The new program is a similar step to the systems already used, according to McDevitt.
“So multi-factor authentication (MFA) is something like your ID and your password, but it’s also something that you have, which in most cases is your phone…I literally know zero people who would ever leave their phone.” The multifactor authentication system will primarily be used through the phone if everything goes according to McDevitt’s plan.
“We’re requiring it for your campus email, your answer.edu email… it’s going to work on your phone…you’re going to be prompted to go through and put in the code or, verify that it’s you on your phone…most people have a strong pin on their phone, they use face ID. And so there are all kinds of layers of security around your phone, which is why your phone is a strong way to authenticate.”
McDevitt described that the scams start with initial contact. In an example, McDevitt said, “ a text message back and forth with the ‘hiring manager’… the link to the application was their name, their date of birth, or social, their driver’s license number… then they basically get ghosted.”
[Anonymous Student] was almost scammed in the same way. They had received an email with information similar to the $ 400-a-week gig. The student, explaining the phishing email, said, “ it seemed fairly legitimate to me… it had that little thing on the bottom that a lot of professionals will have, shame on me for not checking the account that it came from, which did not correspond to the site…that was the dead giveaway.[Anonymous Student]’s advice for scam prevention: “Just check the email account.”
McDevitt warned, “the police, the FBI, or the IRS, they’re never going to call you and say they want you to pay a fine, give up your ID, or Venmo money. All of these weird behaviors that people seem to fall victim to… the basic attack vector… create a sense of urgency or an opportunity too good to be true…All official transactions from the IRS have to happen in person or via the U.S. postal mail. Those are the only two ways that can happen…if you ever have a problem with your bank… call the number from the back of your ATM card or your credit card. That’s their phone number… Don’t trust what you find on the internet.”
Another scam attack includes the sense of urgency from an email, where a student is told that their account will be deleted if they don’t sign in within a certain deadline. McDevitt said, “I guarantee you that the college will never disable your account as long as you’re a student in good standing here… even after you graduate, we leave your email available for a full year after graduation.”
Mcdevitt continued his point about being proactive, saying, “it’s an opportunity to better protect our identities, and who we are. and the assets of the college…also protecting the faculty’s research, data, and content that we’re creating…an opportunity for us to provide better protection for that information.
An [Anonymous Monk] was concerned that some of his brothers would not understand the new email system. He asked, “how does the change affect the use of our email?” McDevitt said, “we’re going to make some adjustments, there’ll be some technical details. The idea is that you do it [the MFA] once during the day.” McDevitt referred to this time length as a “session” that lasts the entire day, or even longer, on a mobile device. A session could be valid for up to 180 days, depending on the Okta verification. “The app is your friend and if they[the monks] need help, we have the Help Desk in the Library.”
The change was driven by Federal regulation and by Saint Anselm College’s Cyber Security insurance carrier. The Office of Information Technology also added that they have a “rigorous” internal review to improve the safety and protection of Saint A’s digital assets. A new requirement from the insurance carrier is a “multifactor authentication for sensitive systems containing financial or sensitive data,” according to McDevitt.
The Multi-factor authentication gives Saint Anselm College a higher level of assurance that users are who they say they are, not just a username and password anymore. The security in smartphones, with the Okta app on it, allows different ways to authenticate identity.