The Education Department is encouraging universities to strengthen their identity management systems as hackers target students with phishing emails to steal student loan refunds, according to a report from The Washington Post.
Colleges that may have been affected received warnings from the Education Department so they could take action to protect students from falling for the fake emails.
“The nature of the emails suggests the attackers have done research to understand the school’s communication methods, and the attacks are successful because students provided the information that had been requested by the rogue operations,” the Education Department reported according to the Post. “Once the attackers gain access, they change the student’s direct-deposit destination to a bank account controlled by the attacker. Then the money intended for the student is sent to the attacker instead.”
The Education Department is encouraging schools to update their security systems, including their identity verification systems.
Multifactor Authentication Boosts Network Security
According to the Education Department, hackers involved in these phishing scams are exploiting higher education institutions’ common use of single-factor authentication (a username and password alone), highlighting the importance of multifactor authentication and identity management on campus.
“Federal Student Aid strongly encourages institutes of higher education to strengthen their cybersecurity posture through the use of two-factor or multifactor authentication processes,” according to the Education Department announcement. “These types of authentication rely on a combination of factors, for example, username and password combined with a PIN or security questions or access through a secure, designated device.”
While two-factor authentication, or 2FA, may seem like a familiar account protection to some, a Pew survey published late last year found only 10 percent of Americans could correctly identify what multifactor authentication looked like. According to a survey of students at Indiana University, a majority considered their passwords to be “long enough” and thought they did not need the additional protection of 2FA, CNet reports.
This means it is up to university IT teams to educate users about the importance of 2FA, and to offer easy pathways to implement it.
For example, students logging in on Chromebooks can choose to enter a one-time code generated by a separate app such as Google Authenticator on their phone. Faculty using laptops can register a hardware token that produces a one-time code at the push of a button.
Not All 2FAs Offer the Same Protection
While the Education Department recommends two-factor authentication, some experts believe certain second factors can give universities a false sense of confidence against modern-day phishing techniques.
Single-use codes sent through SMS text messages are a common 2FA practice. However, there are a number of workarounds for resourceful hackers, according to security reporter Brian Krebs.
For example, an attacker may be able to pose as his or her target and trick a mobile provider into switching the target’s phone number to a new SIM card that the attacker controls.
Alternatively, the attacker, acting as the target, could request the target’s number be switched to another provider, again giving the attacker access to the single-use password sent to the original phone.
Another unreliable, but growing, form of 2FA is security questions, according to Joe Diamond, director of security product marketing management at Okta.
“38 percent of MFA users are using security questions today, compared to 30 percent last year,” Diamond writes in a blog post. “One challenge here is that answers to security questions can often be found in public records.”
Using apps like Google or Microsoft authenticators, which derive a new code from a secret shared with the server and the current time every 30 seconds, is ideal. However, having any form of two-factor authentication system is the most important part, Krebs concludes.