The growing trend of sites adding two-factor authentication to their login process has many users feeling more secure in their social media and other online interactions.
With passwords being easy to compromise through phishing attacks, many users have been hoping for something more secure. Two-factor authentication gives double protection on your account, requiring you to know something (your password) and to have something in your possession (a token). The token can be any number of devices, cards or other physical items, often generating unique codes as proof that you have the object. Think of ATMs. You need to have the ATM card (the token) and know your PIN in order to access your account and do any transactions at the ATM. One without the other and you can’t get in.
LinkedIn is using a single-use code sent via SMS to whatever mobile number is listed on the account. Your mobile device serves as your token. This code is entered into the site after you enter your password to complete the two-factor authentication. The idea behind this is if your password happens to be cracked or phished, as long as you don’t lose or compromise your phone, you are still safe from attackers logging into your account (though you should change your passwords and do a virus scan to be safe if your password gets compromised!).
Want to enable this security feature for your own LinkedIn account? LinkedIn provides some instructions here: http://www.slideshare.net/linkedin/two-step-verification-on-linked-in.
Many other sites have similar security features so check out your account settings and give yourself an extra layer of protection.
As with any security chain, there are ways this could possibly be compromised. The easy way is if an attacker knows your password and has stolen your phone. A more sophisticated way is if you get phished for both your password and the code just sent to you, and the attacker uses both before the code expires. How likely are these to happen? Well, that’s up to your security prowess. Read more on our website about creating secure passwords (https://www.rit.edu/security/content/password), avoiding phishing attempts (https://www.rit.edu/security/content/phishing) and best practices when it comes to mobile device security (https://www.rit.edu/security/content/mobile-devices).
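The properties that make an SMS code a useful second factor are that it is single-use and short-lived. The following is an added illustration, not LinkedIn's code, of how a site's server side can enforce both: the code lifetime (`CODE_TTL_SECONDS`), the guess limit (`MAX_ATTEMPTS`) and the `SmsSecondFactor` class are assumptions for the example; the real values LinkedIn uses are not stated in the post.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed code lifetime; real services pick their own value
MAX_ATTEMPTS = 5         # assumed guess limit before the code is thrown away


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Issue and verify single-use codes for the second step of a login."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # account id -> PendingCode (at most one outstanding)

    def issue(self, account_id: str) -> str:
        # Six digits from a CSPRNG. Returned only so the caller can hand it to the SMS gateway;
        # issuing a new code replaces any code still outstanding for the account.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account_id] = PendingCode(code, self.now() + CODE_TTL_SECONDS)
        return code

    def verify(self, account_id: str, submitted: str) -> bool:
        entry = self.pending.get(account_id)
        if entry is None:
            return False        # nothing outstanding: never issued, already used, or expired
        if self.now() > entry.expires_at:
            del self.pending[account_id]    # a phished code is worthless once its window closes
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[account_id]    # too many guesses: force a fresh code to be sent
            return False
        if hmac.compare_digest(entry.code, submitted):   # constant-time comparison
            del self.pending[account_id]    # single-use: consumed on the first success
            return True
        return False
```

A code that has been entered once, has expired, or has been guessed at too many times is rejected, so an attacker who phishes it must replay it inside the window and before the real user does.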
Did you know that January is Data Privacy Month?
For the last two years, we’ve focused on remediation and disposal of Private Information resident on RIT computers, and we’ve made great progress. Have you thought about disposing of Private Information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Driver’s License) that’s not on your computer? We encourage you to review paper files, disks, CDs/DVDs, video tapes, and any other type of storage media containing Private Information and to dispose of those containing unnecessary Private Information appropriately. Don’t forget that retention of RIT information is also governed by the Records Management Policy (C22.0).
Paper files containing Private Information pose a risk both to RIT and to the individuals whose information is in the materials. For example, on April 14th, 2011, Central Ohio Technical College found that course information had been left in a filing cabinet at an off-campus storage facility, compromising the Social Security Numbers of over 600 registered students. RIT used a similar system with Social Security Numbers until June 2006, when University IDs became the main means of registration and identification on campus. DataLoss DB (http://datalossdb.org/statistics) indicates that almost 25% of breaches have been due to the inadvertent loss of private information, in both paper and digital formats. Disposing of unnecessary Private Information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Driver’s License) will help ensure RIT complies with Private Information laws, policies, and procedures.
New York State defines private information (PI) as:
any personal information concerning a natural person combined with one or more of the following data elements: Social Security number (SSN), driver's license number, account number, or credit or debit card number in combination with any required security code. These combinations of information are often used in identity theft.
The New York State Information Security Breach and Notification Act requires that RIT notify affected consumers if their Private information is compromised.
If you’re not sure whether or not to dispose of Private Information on your computer, check with your manager or consult the Private Information Decision Tree here: https://www.rit.edu/security/content/private-information-decision-tree.
For more information about the Private Information Management Initiative, check out our PIMI FAQ page (https://www.rit.edu/security/content/private-information-management-initiative-pimi-faq) and our Document Destruction page (https://www.rit.edu/security/content/document-destruction).
Data Privacy Month: Are You Smarter Than Your Phone?
Did you know, “Smartphones can predict a user's gender with 71% accuracy, & can distinguish between ‘tall’ and ‘short’ people and ‘heavy’ and ‘light’ people, with about 80% accuracy?” Take a look at this recorded webinar from the January 9 EDUCAUSE Live! Data Privacy Month kickoff event with special guest, Rebecca Herold (the Privacy Professor) to find out just exactly how smart your Smartphone is.
Nearly everyone on a college campus today has a mobile phone, capable of accomplishing amazing tasks while on the go. But, how SHOULD you make use of your smartphone? You are smarter than your phone if you know that you need to make careful choices about using your geo-location feature. You might post a picture to Facebook while on your European trip if there are other people still living at your address back home. But, if your house is empty while you travel, you would be smarter to wait to post until you get home. Do you really want everyone to know you are out alone at midnight by "checking in" at your local donut shop? You are smarter than your phone if you use sound judgment about revealing your location. You’re smarter than your phone if you know you need to think critically about the sensitivity of the data you put on or access through your phone. Do you use your phone for banking, without password protecting the device? Your phone is happy to do it. But you are smarter than your phone if you protect it with a password. If you’re not thinking critically about what you do with your phone, we’ll help you think again!
The webinar covers fun facts as well as 16 ways to mitigate Smartphone security and privacy risks. Topics include tracking, info access, malware, breaches, loss, theft, ID theft, physical security, social media, and apps.
The webinar recording, slides, and chat transcript are available here: http://www.educause.edu/library/resources/data-privacy-month-are-you-smarter-your-phone.
Watch out for Good Ol’ Scammer Claus: Practice safe shopping online this holiday season
(revised from an article written in the RIT University Magazine by Ben Woelk)
Consumers spent more than $46 billion shopping online last holiday season and will spend even more this year. According to Internet Retailer, this year’s online spending is estimated at $54 billion, and, “This holiday season will mark the fourth consecutive year of e-commerce spending growth.” To cyber criminals, more spending and the busyness of the season mean more opportunity for identity theft and fraud.
As you begin your shopping, follow these guidelines to help ensure that you don’t become a victim.
- Make sure you’ve protected your computer. According to a survey by the National Cyber Safety Alliance, most home computers aren’t as well protected as their users believe. We recommend that you make sure your home computer meets the requirements of the RIT Desktop & Portable Computer Standard, especially updated anti-virus, before going online.
- Know from where you’re buying. Plug the website name into a search engine. What kinds of consumer reviews are returned?
- Understand the seller’s return/exchange policy before buying.
- If you’re shopping on an auction site, check the seller’s feedback to see what kind of experience others have had.
- Know what you’re buying. Don’t fall for a deal that looks too good to be true. Extremely low prices could be an indication that the item is a counterfeit. The website may also harbor malware that could attack your computer.
- If you’re making several purchases, try to combine them in the same order if possible. It reduces the number of transactions you have to make and may also save you money on shipping costs.
- Only send your private information using secure web forms. Make sure the address bar begins with either shttp or https.
- Look for a padlock or an unbroken key on your web browser to confirm that the site is secure. The padlock will be located at the left end of the address bar or in the bottom right part of the browser window.
- Don’t respond to requests for private information. No legitimate retailer will ask you to submit private information by e-mail. Never give out bank account numbers or Social Security numbers online or in response to an e-mail.
- Use a secure payment method. Find out if your financial institution offers one-time use “virtual credit cards” or “temporary account numbers.” These use different numbers than your regular account and expire after a set time period. Credit cards offer the most protection. Federal law limits your fraud liability to $50 for unauthorized transactions. MasterCard and Visa offer zero liability for most debit transactions as well. If you’re not using a credit or debit card, don’t use cash or wire transfers. Use a money order or cashier’s check instead, since these methods are much easier to trace if something goes wrong.
- Keep a paper trail. Print copies of all of your orders and receipts as well as e-mail correspondence and product descriptions. Monitor your bank account and credit card statement after your transactions for any suspicious activity.
- If you suspect something is wrong: Contact the seller and inform them of the problem. Contact your financial institution or credit card issuer immediately to freeze your account(s). If necessary, file a complaint or identity theft report with the proper authorities:
- FTC Identity Theft Form: http://www.consumer.ftc.gov
- NYS Attorney General’s Office: http://www.dhses.ny.gov/ocs/
- Better Business Bureau: www.bbbonline.org
For more information on safe online shopping, visit our Safe Online Shopping and Banking page and the following Web sites:
- NYS Attorney General’s Office: http://www.dhses.ny.gov/ocs/
- FTC: http://www.onguardonline.gov/articles/0020-shopping-online
- Staysafeonline.org: http://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/online-shopping
- Safeshopping.org: www.safeshopping.org/
Digital Self Defense for Incoming Students
RIT Information Security had the privilege of addressing our incoming class of 2,800 students during New Student Orientation this fall. With the help of ETC, we were able to make the content available on YouTube.
We had a great time presenting. Let us know what you think of the session by posting a comment!
Phishy Lures Crowds at Move-In 2012
People watching is always interesting at Move-In Day. You see a lot of interesting family dynamics: students with their families 20 feet behind them, students being embarrassed by their parents, parents collecting resource materials while the students walk right by the tables, etc. This year was a little more interesting as Phishy made an appearance to help incoming students become more aware of the dangers of phishing. Many students chose to have their photos taken with Phishy and their younger siblings were excited about another costumed character.
And if you have a photo of yourself with Phishy, please post it to the RIT Information Security Facebook Page.