A monthly Information Security publication for the WPI community.
This month's focus is MULTI-FACTOR AUTHENTICATION (MFA). Two-factor authentication (2FA) is a security method that adds an extra layer of protection to your online accounts. Instead of just using a password, you need to provide two different pieces of information to prove your identity. Typically, this involves something you know (like a password) and something you have (like a smartphone or a security token). By requiring both of these factors, 2FA makes it much harder for unauthorized people to access your accounts, because even if they know your password, they won't have the second piece of information needed to get in.
In this issue:
- Multi-Factor Authentication: Why an App and What’s with the Numbers?
- MFA Statistics
- Learning with Laughter
- National Cybersecurity Awareness Month
- Meet Women in Cybersecurity (WiCyS)
- MFA Videos
- Cyberattacks in the News
- Diversity in Cybersecurity
- WPI Hub Resources
Multi-Factor Authentication: Why an App and What’s with the Numbers?
Craig A. Shue, WPI Professor and CS Department Head
Craig Shue's WPI Bio
Confirming Your Identity
In computer security, it is challenging to confirm that a person is who they claim to be. Attackers know that they can gain significant advantages if they can impersonate somebody who is trusted, so they come up with elaborate and creative strategies to do so. This means organizations, and all of us, must take additional steps to prevent those attackers from succeeding.
Organizations try to use multiple different ways, called “factors,” to figure out if somebody is who they claim to be. The most common factors are:
- What you know: A secret value, such as a password, PIN, or other value that the person is assumed to have memorized.
- What you have: Often a physical device that a person is assumed to carry around with them, such as a phone, smartcard, or token.
- What you are: These are biometrics that a person can readily present for verification, through devices like fingerprint readers or a camera.
Computers have traditionally used passwords as a first factor for defense, but security experts have long known these are not very effective. We know that good passwords can be hard to remember, unintuitive, and awkward to type correctly. Worse, some techniques allow attackers to eventually discover shorter passwords.
Organizations have started moving to using a “what you have” factor. After all, people are used to physically protecting things, such as wallets and house keys. With most people carrying a smartphone, phones can be a convenient tool to authenticate people. WPI has used phones for multi-factor authentication for years; members of the community can have a one-time code sent to them via text messaging, an application, or even a phone call in which a computer reads off a number.
Why the App?
Unfortunately, attackers have a way to undermine even the text messaging and phone call approach: they can impersonate somebody in an attack against that person’s phone company. The attacker may pretend to be the owner of a phone number and request their phone service be moved to another carrier or to another phone. If that works, the text messages and calls will be sent to the attacker rather than the legitimate user. This highlights the challenge: attackers are pretty good at finding openings they can exploit.
As a result, WPI is moving towards using the Microsoft Authenticator application for proving one’s identity. This works wherever your phone has an Internet connection, even if it is a WiFi access point while traveling internationally. It can also be configured to produce one-time codes even if the phone is completely offline.
Why the Numbers?
In the past, the Microsoft Authenticator application allowed the user to simply press a button, like “approve,” to log in. The trouble with that was an attacker could simply issue a flood of requests, and a user might press “approve” on one just to make it stop. An MQP team and a graduate student at WPI worked with me to develop an even more sophisticated attack against the “approve” button approach. This led to a peer-reviewed publication for our team that confirmed that the simple button approach is unsafe.
So, the next time you are asked to sign in and must type a couple of numbers from a phone application, know it is because attackers broke the more convenient options. As time goes on, we will continue to develop better security techniques, with the goal of being a few steps ahead of our adversaries.
Exploring Phone-Based Authentication Vulnerabilities in Single Sign-On Systems (September 2022)
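To make concrete why number matching defeats the “approve” flood described above, here is an added Python sketch of a hypothetical push-MFA server in both modes. It is illustration code written for this newsletter, not WPI's or Microsoft's implementation, and every class and function name in it is invented.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PushChallenge:
    request_id: str
    number: int        # shown on the sign-in screen; must be typed into the app
    created: float
    used: bool = False


class PushMfaServer:
    """Hypothetical push-MFA server (constructed for illustration)."""

    def __init__(self, number_matching: bool = True, ttl_seconds: int = 60):
        self.number_matching = number_matching
        self.ttl_seconds = ttl_seconds
        self.pending: Dict[str, PushChallenge] = {}

    def start_login(self) -> Tuple[str, int]:
        """Called after a correct password: sends a push and returns the
        request id plus the two-digit number shown only to the person signing in."""
        request_id = secrets.token_hex(8)
        number = secrets.randbelow(100)            # 00..99
        self.pending[request_id] = PushChallenge(request_id, number, time.time())
        return request_id, number

    def approve(self, request_id: str, typed_number: Optional[int] = None) -> bool:
        """Called by the phone app when the user approves; True completes sign-in."""
        challenge = self.pending.pop(request_id, None)  # single use: gone after one answer
        if challenge is None or time.time() - challenge.created > self.ttl_seconds:
            return False
        if not self.number_matching:
            return True                                 # old "approve" button: any tap wins
        return typed_number == challenge.number         # new mode: tap alone proves nothing


def fatigue_attack_succeeds(server: PushMfaServer, flood: int = 20) -> bool:
    """Simulates the flood from the article: `flood` pushes hit a user who is not
    signing in, and the worn-down user taps approve on the last one to make it stop."""
    request_ids = [server.start_login()[0] for _ in range(flood)]
    # That user has no sign-in screen in front of them, so there is no number to type.
    return server.approve(request_ids[-1], typed_number=None)
```

With number matching on, the tap fails because the number lives only on the attacker's screen, while a legitimate user who sees the number on their own screen still signs in on the first try.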
MFA Statistics
The percentage of WPI accounts using the Microsoft Authenticator app has doubled! Over 70% of faculty, staff, student and affiliate accounts now use MS Authenticator, up from about 30% before IT's September email about MFA updates. This is a great response toward increasing security.
Multi-Factor Authentication Update 9/7/23
- 99.9% of modern automated cyberattacks are blocked by MFA.
- 96% of bulk phishing attempts are stopped by MFA.
- 76% of targeted attacks are stopped by MFA.
- 81% of hacking-related breaches are due to weak/stolen passwords.
Learning with Laughter
National Cybersecurity Awareness Month
Staysafeonline.org offers materials on NCSAM themes, and so much more! They also have resources for speakers and event planning to support cybersecurity awareness.
Staysafeonline.org
Where to Find Information Security During NCSAM?
Find us at the Campus Center tables near Dunkin' on Thursday, October 26 from 11:00am - 12:45pm to learn about the tricks cybercriminals use to steal your treats.
Cybersecurity Awareness Table Sitting 10/26
Meet Women in Cybersecurity (WiCyS)
We are a student chapter of the national organization, WiCyS, and we are dedicated to empowering, educating, and supporting gender minorities in the cybersecurity field. We host Coffee Chats with professors, Capture the Flag workshops, professional development events, and external speaker presentations, among other general body meeting topics.
WiCyS Instagram
WiCyS Club Sign Up
Upcoming WiCyS Events:
October 12, 5-6pm - Finals De-Stressing, Innovation Studio #105
October 26, 5-6pm - WiCyS New England Affiliate Resume Review/Mock Interview, Innovation Studio #105
October 27, 4-5pm - Meet and Greet with WPI Trustee, Beth Schweinberg, Higgins Laboratories 154
MFA Videos
- What is Multi-Factor Authentication? (IBM - 3 min)
- Demo of MFA Fatigue Attack (<1 min)
Cyberattacks in the News
On September 25, Baruch College announced it had been hit by a ransomware attack. Classes had to move to fully remote for several days.
Baruch remains remote amid malware shutdown (The Ticker - Baruch student news)
In August, the Colorado Department of Higher Education announced that it had experienced a massive data breach in June 2023. The impacted groups included people who attended a Colorado state college or university between 2007 and 2020.
Massive Data Breach at Colorado Dept of Higher Education (NBC 9 News Denver)
Hackers used social engineering tactics to compromise multiple casino corporations.
Hackers who breached casino giants MGM, Caesars also hit 3 other firms (Reuters)
What's the big deal with cyberattacks?
New Safeguards Rule (University Business)
What started with a [cybersecurity] breach turned into an audit of its entire financial aid program by the Department of Education.
Diversity in Cybersecurity
Kerry Tomlinson, Cyber News Reporter
Kerry Tomlinson profile
WPI Hub Resources:
- Configure MFA
- Manage Microsoft Authenticator App
- Protecting WPI’s VPNs with MFA
- Thwarting Technical and Social Engineering Attacks
Coming Next Month...
Online Shopping Scams
Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.