After breaches, higher-ed schools adopt two-factor authentication

Payday didn’t go as planned on Jan. 2, 2014, for some Boston University employees. On that day, about a dozen faculty members discovered their paychecks hadn’t been deposited into their bank accounts. Thieves had changed the victims’ direct deposit information and rerouted their pay. BU’s IT security team traced the attack to a phishing email sent to 160 people at the university. The email – which prompted BU faculty to click on a link and confirm their log-in details – led to the compromise of 33 accounts. Thirteen faculty members had their paychecks stolen.

The phishing scam used BU’s logo, had believable formatting, and was well written, said Quinn Shamblin, executive director and information security officer at Boston University. The message purported to be from the school’s IT security office, and contained specific technical information. The only signs it was a fake were a misnamed IT organization and a misleading URL that wasn’t really a BU address.

“Most standard phishing messages have some kind of easy tell – bad English, not formatted very well, etcetera. This one was excellent,” said Shamblin, who spoke at the Security Professionals Conference, an event put on by Educause in Minneapolis. “This fooled 33 very smart people.”

After BU warned faculty and staff of the paycheck heist, the attackers send another phishing attempt that played off BU’s warning and directed recipients to another bogus site. “The folks who sent the original message were actively watching us,” Shamblin said. “They coopted my authority for a second attack on my people.”

That attack went to a greater number of targets and a great number responded. “But we were watching the back end,” Shamblin said. “We had developed some indicators of compromise specifically related to this kind of attack, and so nobody got their paycheck rerouted this time. But they definitely gave it a second good shot.”

Meanwhile, 1,200 miles away, University of Iowa experienced similar attacks. Faculty and staff received a nearly identical message, directing recipients to a phishing site designed to resemble Iowa’s self-service employee portal.

The attackers took their time: after a quiet reconnaissance of Iowa’s system, they diverted funds from a few accounts over a three-month period. The heist singled out high-paid executives, faculty, and clinical staff, said Jane Drews, senior director and chief information security officer at University of Iowa.

“We have enough logging on our HR self-service portal that we can tell every click people make. Someone was in there checking out the whole system and messing around,” said Drews, who presented with Shamblin at the Educause event.

University of Iowa discovered the breach in November 2013, after about 130 additional self-service accounts had been compromised and accessed, and about 30 accounts had their direct deposit information changed. Fortunately, IT caught the breach before the next payroll.

Iowa immediately made some emergency changes. The university blocked all remote access to certain functions within its ERP system, and added a temporary second-factor authentication for on-campus access to sensitive functions. IT security sent a campus-wide email to inform users about the phishing scams and emergency changes. The attackers launched a new phishing campaign the next day to try to collect temporary second-factor credentials and continued to try to gain access, Drews said.

“Every time we’d make a change or do a notification to the campus, they’d turn around and try to use that,” Drews said.

In the wake of the breaches, both universities wound up adopting the same technology — two-factor authentication — to help tackle the problem of compromised credentials.

How to protect credentials

“Phishing is not actually the problem. Neither is the fact that your password can be recorded by someone wearing wearable technology like Google Glass or shoulder surfing. Or the fact that I can take a phone and put a piece of software on it and set it on your table and when you type in your password, it will record the sounds of your keystrokes, do some analysis on it, and guess your password with 80% accuracy. Etcetera, etcetera, etcetera,” Shamblin said. “The real issue is compromised credentials.”

When a simple piece of knowledge is all that stands between the bad guys and money, organizations are at risk, Shamblin said. “Knowledge is a very steal-able thing, and we need to try to make it so that that’s not the only defense. Two-factor is the obvious solution.”

Both BU and Iowa chose Duo Security’s two-factor authentication technology.

Duo’s solution is designed to be simple and to work with mobile devices. There are no tokens required. Duo prompts individuals logging in to confirm their identity using a smartphone app, via text message to a device, via automated calls to a mobile or landline phone, or (when no other method is a good fit) using a secured kiosk. Users of the app can respond with a single button: the user clicks “yes” if the login attempt is legitimate, “no” to report an unauthorized attempt. It works anywhere in the world, and it can work even when there’s no connection.

Both schools were under pressure to quickly boost security in the wake of their respective security breaches. Both set aggressive deployment timelines.

“I was given a directive to fix the self-service problem in three months. We were able to do it in four after a small pilot,” Drews said.

Iowa was already doing a VPN pilot with Duo, so it had experience with the vendor. Plus it already had a small number of licenses. Iowa initially experienced some hiccups with enrollment, so the university opted to build a tool to help users enroll. Once enrolled, most users find it very easy to use, Drews said. “Every different situation that people on our campus have, we’ve been able to provide a solution for them that uses Duo,” she said.

Drews and Shamblin agreed — having support from senior leadership was key to the success of their Duo deployments. Two-factor authentication has a reputation for being a nuisance; tokens are perceived as a pain in the neck. “We had a lot of concerns from our administration and executives about the acceptance of it,” Drews said.

“We all know it irritates people,” Shamblin said of older token-style authentication.

To get ahead of any pushback, both Drews and Shamblin made sure they had support from the highest levels of their respective universities.

BU’s president sent a letter to everyone in the university, for example, endorsing the rollout. “We also had the senior VP of financial affairs, the CIO and myself all standing in front of the university, shoulder-to-shoulder with the president, saying ‘this is a real issue and isn’t going to go away. If we don’t do something about it, we will see this again and again… We need to solve the problem of compromised credentials, and this is the way to do it,’” Shamblin said.

In a bold move, BU decided to make two-factor authentication mandatory for all of its faculty, staff and student employees. (Iowa is moving in that direction, Drews said.)

“We’d had two-factor at BU for about 15 years, but it was focused on administrative personal and people who had access to large amounts of other people’s sensitive information. And it was token based,” Shamblin said. This time around, “we wanted to make this mandatory for faculty.”

Both schools went on a communication blitz – broadcasting notices, sending memos, conducting focus groups, using social media, creating training materials, publishing FAQs, and more.

“In our self-service portal, we implemented banner messages that were customized for the person who was logged in,” Drews said. The banners touted the availability of two-factor authentication with a link to enrollment. “That was our most effective communication – to put it right there where people needed it, and with a click to enroll,” she said.

Reminding people of the phishing attacks and stolen paychecks helped to convince users of the need for tighter security.

“We were able to get a lot of the money back, but we weren’t able to get all of it back,” Shamblin said. “It was real money lost, and the university felt that. That’s the time when you can help people understand the importance of some of these things.”

Given the reaction of faculty and staff, the message appears to be resonating. At BU, Shamblin and his team invited faculty and staff to join the Duo pilot early, ahead of the mandatory adoption timeline.

“We opened it up to an opt-in in July. We sent a message to everybody in the university, saying we’re going to be doing two-factor come the fall, if you’d like to join sooner, click this link. I expected crickets, and I got over a thousand people,” Shamblin said. “A thousand people thought this was a good enough idea to go do it early. I think that says a lot about the cultural readiness for this kind of solution.”