Letter from the CISO, Vol 4 Issue 6
WashU Community:
Over the past year, malicious actors have increasingly sought to compromise your accounts by impersonating you and trying to get customer service people to give them access to your accounts. We have seen this repeatedly at WashU, too. In response, we have improved our processes for verifying your identity. You will notice this when reaching out to the IT service desk for help resetting a password, especially if your DUO 2-factor authentication (2FA) credential also needs to be reset.
WashU is doing more to protect your identity
Over the years, WashU has repeatedly improved the ways in which users have to log in, which InfoSec people call authenticating. Specifically, we used to require just a username and password. A long time ago, we started requiring “hard” passwords with a mix of upper- and lower-case letters, numbers, and symbols. More recently, we began requiring Multi-Factor (MFA) or 2-Factor Authentication (2FA) using DUO for WUSTL Key accounts. And in July of 2021 I wrote to summarize the best practices of using passphrases and password managers. Since then we have repeatedly added features to the DUO 2FA technology and process to improve security in response to new attacks from malicious actors.
The good news is that this has been so effective that the malicious actors have started calling IT Service Desks and trying to impersonate users, convincing some service desk technicians to reset the password and the DUO 2FA device. This isn’t really a new approach, but it made big headlines last year when it caused a great deal of damage at MGM and Caesars casinos.
In response, WashU IT has greatly tightened our identity verification procedures, requiring users to do much more to verify who they are before completing resets.
Your identity should be verified more rigorously
Whether you are calling WashU or other organizations, you should expect them to be much more demanding when verifying your identity. If you find that your bank or other companies are not more demanding, you might want to consider whether they are protecting your interests as well as they should.
Your bank or online accounts should be more protected, too
Some of this responsibility is yours. Most banks don’t require MFA or a long, hard passphrase. It’s up to you to set them up. It isn’t difficult. It also doesn’t hurt very much, although it does add a little friction every time you log in. When you use a smartphone app, it can often use the phone’s built-in facial recognition or thumbprint reader to speed things along.
So, if you’ve selected a unique password or passphrase for your account, set up 2FA, and updated your contact information, there isn’t much else you need to do.
Verifying the identity of the people and organizations that call you
But what are you doing to verify someone’s identity when they contact you?
We can all improve the way we verify the identity of people who reach out to us, claiming to represent our bank or other companies.
Sometimes, malicious actors give themselves away by saying, “I’m calling about a suspicious transaction in your account with X Bank,” when you don’t even have an account with X Bank. But with so much personal data already leaked and stolen, it is easy for malicious actors to avoid these missteps.
So, how do you verify the company that’s calling you?
If your credit card company calls to ask you about a suspicious transaction, is it good enough to check that the company’s name shows up in the caller ID?
Because I’m asking, you know the answer must be “no!”
In fact, it is easy for callers to insert any phone number and company name in the caller ID fields that alert you to who is calling, so you can’t trust them.
That doesn’t mean you shouldn’t listen, and maybe pop open that company’s app to see if there’s also an alert there. But, even if there is, you should probably call the company back using the number on the back of your credit card, an old statement, or obtained from within the company’s app or website before providing any confidential information.
DO NOT look up the number on the internet – malicious actors have so many fake listings for all our favorite organizations that you can’t trust this information.
In short, the best way to verify the caller’s identity is to call them back at a number you’ve obtained from a trusted source and let them verify your identity.
The worst cases
The worst cases are the malicious actors who create a sense of urgency and danger. They require you to stay on the phone with them and tell you not to inform anyone about the terrible thing that is about to happen unless you take dramatic steps to prevent it.
For example, there are many stories of people who are convinced that a law enforcement agent is on the phone with them. The malicious actor convinces them to withdraw large amounts of cash and hand it over to them to keep it safe from the “criminals” who have broken into the person’s bank account. The money is rarely ever recovered in these truly heartbreaking stories.
Once again, my constant plea to you to be vigilant, skeptical, and a little bit paranoid will go a long way when it comes to protecting you. And if you know more about cyber security than your friends – and if you’ve read this far, you probably do – please share this information with them and then help them put it to use.
If you need help with any of these ideas, please contact the Office of Information Security.
Thank you for reading my column and for being a member of the university’s Information Security team!
Good luck, and be careful out there!
–Chris Shull, CISO