In 2019, Texas State’s Information Security Office documented hundreds of incidents of phishing, by far the most common threat to Texas State student accounts. In 2020, we took steps to help students fight back.
Phishing is one of the biggest outside threats to everyone’s digital identity. Through faked emails, fraudulent websites, malicious text messages, and even voicemails, phishing is used to steal credentials, personal information, and money from victims all over the world. The most common way for someone to get phished is through email, spam or spoofed messages, and often victims won’t know they are compromised until it is too late.
The Information Security Office made Duo multi-factor authentication available to faculty and staff in 2017 – providing an extra layer of security that significantly reduced unauthorized account logins from phishing attacks.
In 2020, we extended that safety to students as well. Duo is not just for faculty and staff anymore; it is for everyone.
It can be easy to discover someone’s password, especially if they are not taking password security seriously. If someone is using poor practices like reusing passwords, using passwords that are too simple or easily guessed, or sharing logins with people who don’t guard the security of those credentials, a phisher or hacker can exploit those vulnerabilities and gain access to a victim’s account.
Once a victim’s account is compromised, it is only a matter of time before consequences occur. One tactic of phishers is to use a compromised account to send out malicious emails to the friends and professional contacts of a victim, impersonating that person and using that credibility to send more phishing emails. Or worse, they send malware and use the victim’s identity to steal from others. Not only does this have consequences in terms of real dollars, but it can also harm someone’s reputation or lead to unintended harm against their friends, family, and professional colleagues.
Duo helps to defend your account from being compromised by adding a second factor of authentication, an extra layer of security. Authentication comes in three types: something you know (password), something you have (a device or token), and something you are (thumbprint or face ID).
A password is a good first line of defense, if constructed properly, but can still be overcome by a savvy hacker. Impersonating a device or token is much more difficult. Correctly spoofing a password and a device at the same time is highly unlikely, except in the event of physical theft.
Since phishers are likely not operating out of your neighborhood or dorm, the risk of someone having your password and device simultaneously is extremely low.
In light of all of this, the decision to roll out Duo to students was an easy one, made to ensure that we are offering the same level of protection to our students as we do to our faculty and staff. All Bobcats deserve to feel confident in the knowledge that their accounts are secure.
Joel Ausanka is an IT Project Coordinator in the Information Security Office.