IU community should be aware of new cyberthreat to two-step logins, learn how to protect accounts

In the two years since Indiana University has been using two-step logins, they have been 99 percent effective at stopping phishing attacks against IU users.

Dan CalarcoView print quality image
Dan Calarco. Photo by Indiana University

But on Dec. 17, several media outlets reported that foreign hackers had devised a way to phish users of sites such as Google Drive even if they were using two-step login. On Jan. 9, news broke that a security researcher had developed a tool to make it simple for online criminals to launch these kinds of attacks on two-step login sites, and made it available open-source for anyone to download and run.

As IU Vice President for Information Technology and Chief Information Officer Brad Wheeler wrote in Inside IU two years ago, the university is in an unending struggle against cybercriminals who want to use employees' personal and IU's institutional data for their personal gain. At that time, IU's cybersecurity team implemented two-step logins for certain systems, finally stopping a particularly enduring phishing attack and shifting the cybersecurity battle in our favor. Unfortunately, the shift in the cybersecurity balance is now tilting back toward the cybercriminals.

So what can you do? IU relies on three layers of cyber defenses: human behavior, technical defenses and policies. UITS is working hard to ensure that technical defenses and policies support security for all users. But employees also need to be particularly vigilant to safeguard personal and institutional data and systems.

Human behavior

People make up the university's first and last line of defense. A savvy user will "think before they click," by looking closely at links in emails and the "from" fields of emails and by asking themselves: Do the links go to where I would expect? Does the "from" field match exactly what I would expect?

Or better yet, is there some way to get to that site without clicking? Typing in addresses or using browser bookmarks and logging in to familiar sites will help ensure you visit only legitimate sites.

Savvy users would also use the Duo Mobile app to complete two-factor authentication, as opposed to text messages or voice calls. In addition to being the most convenient way to use Duo, push notifications from the app are more secure because they tell you where that first authentication is coming from. If the app indicates the login is coming from a foreign country or far away from your current location, that's usually an indication of fraud, and you should push the red "X." Watch this video for more information on how to use Duo Mobile.

Technical defenses

Two-step logins are certainly still more secure than just using a password. In addition, IU's cybersecurity experts will continue to block known malicious sites based on threat intelligence they receive.

There are also devices employees can purchase to help protect themselves -- security keys known as Universal 2nd Factor tokens. A U2F token is physically inserted into a USB port to confirm your identity. They have proven effective against these attacks and are compatible with two-step logins at IU. If you are looking for extra peace of mind, the tokens cost between $10 and $50 and are available from major retailers like Amazon and Google.

Policies

Cybersecurity policymakers at IU already require that certain high-value systems be accessed only on-campus or by VPN. This helps safeguard those systems against the type of phishing scams outlined above but may not be possible or practical for all systems. As new threats emerge, policies and best practices are reviewed to ensure that the university is able to stay a step ahead of cybercriminals while balancing user convenience.

Daniel Calarco is chief of staff for the vice president for information technology and chairs the vice president's SafeIT taskforce. Andrew Korty is chief information security officer for Indiana University.