Big Phish on Campus: The Cybercrime Wave Hitting Colleges
Posted May 11, 2017
Millenials are coming of age on college campuses nationwide. Possibly the most technically astute and digitally savvy generation, these students expect digital-first strategies to be the norm throughout the entire learning lifecycle. However, it has recently become apparent that even this generation is not immune to the effects of cybercrime.
This past spring, a wave of phishing attacks hit Dartmouth College, St. Michael’s College and Louisiana State University, among others. In February, at Wesleyan College, an employee was duped into releasing a W2 tax form to fraudsters, via a pitch-perfect phishing email. In March, scammers succeeded in stealing nearly $1 million from Coastal Carolina College, though quick action resulted in $564,000 being recovered.
And Bowling Green State University (BGSU) has seen bank accounts and W2 forms pilfered through stolen login credentials for its MyBGSU portal, which is used to register for classes, pay bills and do other business with the school online.
According to KrebsonSecurity, the number of compromised accounts at BGSU went from 250 in 2015 to 1,000 in 2016 to nearly 400 in just the first six weeks of this year. At that rate, phishers might have succeeded stealing credentials for up to 10 percent of the entire student body by year’s end.
All of this has colleges and universities on high alert. However, current efforts to stem the tide using what have traditionally been seen as secure solutions, such as two-factor authentication (2FA), aren’t nearly enough.
In response, universities are seeking to strengthen their defenses. For its part, BGSU is now requiring 2FA to login to its online portal. In addition to entering a username and password, 2FA entails a second method of verification, such as entering a one-time passcode (OTP) sent to the user’s mobile phone.
As we know, this is predicated on at least two of three demonstrable factors — something you know, something you have or something you are.
The problem is, as we have seen in other industries, cybercriminals have the tactics and tools to steal everything they need to bypass 2FA — from passwords to secret questions to token-generated passwords to device ID data and more. According to Security Intelligence, crooks can use tools to steal credentials that report OTPs in real time so they can log-in before the victim does, or they can hijack active sessions remotely.
The bottom line is that 2FA provides an additional layer of security, but as we have reported previously on this blog, it isn’t enough on its own. To go further, some colleges are turning to solutions, such as biometrics, which at least get closer to that third “something you are” authentication factor.
A growing number of colleges and universities are looking to the next generation of fraud solutions —multi-layered authentication that leverages emerging forms of digital identity intelligence to accurately distinguish between fraudulent and trusted behavior.
This new generation of digital identity solutions authenticate users based on as many as 500 different dynamic data elements, and identify risks by assessing the associations between users and their devices, locations, accounts and behavior, as well as the presence of any threats. 2FA can therefore part of this overall layered solution, used for exceptions or high-risk events rather than as a single point solution.
Security teams at colleges and universities do their best to advise students and staff on following best practices when online. However, they cannot completely control what a student or faculty member does. What they can control is how they prepare for today’s cybercriminal who likely has login credentials and answers to challenge questions. This means taking a good look at digital intelligence. And they need to do it soon, before they receive a failing grade.