Two steps might not be enough in cyber security

IU implemented the two-step login system DUO two years ago. IU officials say that DUO was 99% effective in blocking phishing attempts against IU users.

However, recent reports show that attackers have found a way past two-step login systems. The attacker sends a phishing email that leads the user to a fake login page that looks identical to the real one. As the victim types a username and password into the fake page, the attacker's server submits them to the real website in real time, which triggers the genuine two-step prompt; the victim then enters the one-time code on the fake page as well, the attacker relays it the same way, and the attacker's session is logged in. Because the relay happens live, the short lifetime of the code does not help. Other reports say that a security researcher has released an open-source tool that lets attackers launch these kinds of attacks with little effort.

Daniel Calarco, the Chief of Staff of the Office of the Vice President of Information Technology, says that both students and staff can be targets of these cyber-attacks. Who is targeted depends on the attacker's purpose. Calarco says that the purpose can range from attempts to obtain intellectual property to simply trying to get the user to send a gift card. The cyber-attack at Pennsylvania State University targeted intellectual property and tried to compromise its School of Engineering. Calarco says that in "spear phishing" situations, where the attacker impersonates someone the target trusts in order to obtain sensitive information, faculty and staff are more likely to be targeted.

Calarco says that IU is not planning to implement a new system to block these kinds of attacks, because DUO is effective in preventing them as long as the user pays attention to where the DUO push is coming from. Calarco says that the DUO app is the safest of the three login options (app push, SMS and voice call), because the app shows the IP address and location of the login attempt that triggered the push. In the relay attack described above, that login attempt comes from the attacker's server rather than from the user's own computer, so the push will show an unfamiliar location or IP; if it does, the user can press "Deny" to block the attempt. Calarco says that the other options, SMS and voice call, can be vulnerable because an attacker with access to the phone can read the codes from the lock-screen preview or take the call through the emergency-call screen, even without unlocking the phone.

For users who want stronger protection than the DUO app, Calarco says that users can get a device called a Universal 2nd Factor (U2F) token. This device only allows logins from the computer the U2F token is plugged into. What makes it resistant to the fake-page attack is that the browser binds the token's signed response to the address of the site actually shown in the browser, so a response produced on a look-alike page is rejected by the genuine site. Calarco says that U2F tokens cost between $10 and $40 and can be registered through the IU Security Center.
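To make the difference between a typed code and a U2F token concrete, here is a small simulation added for this article (it is not IU's or DUO's code, and it is not the attack tool the reports mention). It plays out both the real-time relay from above and a U2F-style login. The origins `https://login.example.edu` (the real site) and `https://login.example-edu.com` (the attacker's look-alike) and the credentials are constructed for the example. The model is simplified: a real token also checks that the key handle was registered for that site, and the browser itself refuses to use a key for the wrong site; only the origin-bound signature check is shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed sample credentials for the typed-code scenario (not real accounts).
const (
	sitePassword = "correct-horse-battery"
	siteOTP      = "482913" // the one-time code the genuine site expects right now
)

// otpLogin models a site whose second factor is a typed code. The site only
// sees "password + code"; it cannot tell whether they arrived from the user's
// browser or from an attacker's relay.
func otpLogin(password, code string) bool {
	return password == sitePassword && code == siteOTP
}

// relayOTP plays out the real-time relay: the victim types both secrets into
// the look-alike page, and the attacker's proxy submits them unchanged.
func relayOTP() bool {
	victimTypedPassword, victimTypedCode := sitePassword, siteOTP // captured on the fake page
	return otpLogin(victimTypedPassword, victimTypedCode)         // accepted by the real site
}

// u2fToken stands in for the hardware key: one P-256 key pair per
// registration plus a monotonic use counter.
type u2fToken struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func newToken() (*u2fToken, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &u2fToken{priv: priv}, nil
}

// signedMessage follows the layout of a U2F authentication response:
// SHA-256(origin) || user-presence byte || counter || SHA-256(client data).
// Both hashes depend on the origin, and the browser (not the page) supplies it.
func signedMessage(origin, challenge string, counter uint32) []byte {
	app := sha256.Sum256([]byte(origin))
	clientData := sha256.Sum256([]byte(`{"challenge":"` + challenge + `","origin":"` + origin + `"}`))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, app[:]...)
	msg = append(msg, 0x01) // user presence: the button was touched
	msg = append(msg, ctr[:]...)
	return append(msg, clientData[:]...)
}

// sign is what happens when the user touches the token on a page at origin.
func (t *u2fToken) sign(origin, challenge string) ([]byte, uint32, error) {
	t.counter++
	digest := sha256.Sum256(signedMessage(origin, challenge, t.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return sig, t.counter, err
}

// verify is the relying party's check. It rebuilds the message with ITS OWN
// origin, never one supplied by the client, so an assertion produced on a
// different origin does not verify.
func verify(pub *ecdsa.PublicKey, rpOrigin, challenge string, counter uint32, sig []byte) bool {
	digest := sha256.Sum256(signedMessage(rpOrigin, challenge, counter))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// u2fLogin runs one login: the site at rpOrigin issues a challenge, the user's
// browser is showing pageOrigin (equal to rpOrigin for a genuine login, the
// attacker's look-alike domain for a relayed one), and the site verifies
// whatever comes back.
func u2fLogin(pageOrigin, rpOrigin string) (bool, error) {
	tok, err := newToken()
	if err != nil {
		return false, err
	}
	challenge := "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; issued by rpOrigin, relayed verbatim by the proxy
	sig, ctr, err := tok.sign(pageOrigin, challenge)
	if err != nil {
		return false, err
	}
	return verify(&tok.priv.PublicKey, rpOrigin, challenge, ctr, sig), nil
}

func main() {
	const real, fake = "https://login.example.edu", "https://login.example-edu.com" // hypothetical origins
	fmt.Println("relayed one-time code accepted by real site:", relayOTP())
	ok, _ := u2fLogin(real, real)
	fmt.Println("genuine U2F login verifies:", ok)
	ok, _ = u2fLogin(fake, real)
	fmt.Println("relayed U2F assertion verifies:", ok)
}
```

The typed code is accepted because nothing in it says where it was typed. The U2F response fails because the fake site's address was hashed into the signed data by the victim's browser, and the real site recomputes that hash with its own address before checking the signature.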

Calarco says that it is important for users to "think before you click." Users should always ask whether an email comes from a source they trust, and whether a hyperlink is safe to click.