
October is Cybersecurity Awareness Month. All month long, ITS News will highlight how ITS, and you, keep the University safe. In this guest post, Deric Freeman of the Information Security Office shares best practices for multi-factor authentication (MFA). Check out all Cybersecurity Awareness Month events, or for year-round tips on staying cybersafe, visit Safe Computing at UNC.

At UNC, we protect our accounts with multi-factor authentication (MFA), but malicious actors use multiple methods to gain access to our MFA credentials. Because it is cheap and effective, phishing is one of their primary methods.

In a recent phishing campaign, bad actors used various scams including offering a job opportunity, threatening to terminate an account or saying an account had been closed.

They did this to trick Tar Heels into providing email addresses, phone numbers and passwords in a Google Form.

Once they obtained this information, they used “push bombing” to get around SMS and app-based MFA and accessed user accounts.

In push bombing, malicious actors repeatedly log in with your stolen username and password. This sends repeated multi-factor notifications to your phone. They might, for example, ask you to enter numbers on your MFA app to match the numbers they’re sending. It’s easy to ignore one stray notification, but malicious actors may send dozens.

They’re hoping to confuse you or annoy you enough that you’ll approve the login. 
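For security teams, the pattern described above shows up in MFA logs as a burst of prompts for a single account. The Python below is an added example, not part of the original post or UNC's tooling; the log format, the 10-minute window and the threshold of five prompts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user result" format.
SAMPLE_LOG = """\
2024-10-01T09:00:05 alice approved
2024-10-01T14:02:00 bob denied
2024-10-01T14:02:40 bob timeout
2024-10-01T14:03:10 bob denied
2024-10-01T14:03:55 bob timeout
2024-10-01T14:04:30 bob denied
2024-10-01T14:05:02 bob approved
2024-10-01T16:20:00 carol denied
2024-10-01T16:45:00 carol approved
"""

def parse(log):
    """Yield (timestamp, user, result) tuples from the constructed format."""
    for line in log.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive `threshold` or more MFA prompts within `window`.

    A burst that ends in an approval is marked "critical": the user may have
    given in, so sessions should be revoked and the password reset.
    """
    recent = defaultdict(deque)  # user -> prompt timestamps inside the window
    alerts = {}                  # user -> alert (never downgraded)
    for ts, user, result in sorted(events):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        severity = "critical" if result == "approved" else "warning"
        prev = alerts.get(user)
        if prev is None or severity == "critical":
            alerts[user] = {"user": user, "pushes": len(q), "severity": severity}
        else:
            prev["pushes"] = max(prev["pushes"], len(q))
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_bombing(parse(SAMPLE_LOG)):
        print(alert)
```

Denied and timed-out prompts count toward the burst, so an alert can fire before the user ever approves one.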

About the guest writer

Deric Freeman

Deric Freeman joined the Information Security Office in early 2023 after 15 years at Eshelman School of Pharmacy. Freeman is a North Carolina native, double Tar Heel (Master of Science in Information Science and Bachelor of Arts in Religious Studies) and Durham resident. He enjoys listening to local radio stations and playing along with his Jazzmaster-like custom guitar made by a friend from high school (Hallman Guitars) and his Fender Telecaster.

Phishing-resistant MFA

There are ways you can protect yourself. Phishing-resistant MFA reduces the risk of account takeover if malicious actors gain passwords and MFA codes by push bombing or other methods. In addition, this type of MFA uses convenient authentication methods including fingerprint, face recognition, a PIN (combined with a “Trusted Platform Module” cryptoprocessor found in most computers after 2016) and hardware security keys such as YubiKey or FIDO.

Most importantly, the sensitive authentication data and the private key remain securely stored on your device. Therefore, this form of MFA is resistant to phishing methods that use fake login forms or similar methods to attempt to trick you into providing the information necessary for the threat actors to log into the account.

Carolina Key is UNC’s phish-resistant MFA

Here at UNC, in addition to the standard multi-factor authentication, you can enroll in Carolina Key for phish-resistant MFA and tighter security control. Like other phish-resistant MFA methods, Carolina Key is convenient and secure.

When you use Carolina Key, you can skip typing your password and approving a Duo push notification. Instead, you scan your fingerprint or use Face ID to approve your login. Carolina Key doesn’t replace MFA on all UNC systems, but it’s available on many web-based applications like ConnectCarolina and Canvas.

Phish-resistant MFA does not eliminate all risks from phishing. You must still be vigilant to avoid suspicious email attachments or links that potentially lead to malware that could expose your device, for instance.


Enable MFA

Enable MFA wherever it is available, especially your personal email and financial services. You are 99% less likely to get hacked if your account uses MFA. Any MFA is better than no MFA, but use the strongest available MFA supported by your service provider.

  • If your service provider doesn’t support phishing-resistant MFA, use app-based MFA with number matching or a one-time password. These are more secure choices than SMS/voice options.
  • Enroll in Carolina Key to increase your security posture and reduce the number of times you have to type a password plus approve an MFA push.

Decline and report unsolicited messages

Never approve an MFA notification you did not initiate.

  • Decline the notification and change your account password.
  • If you receive an unsolicited call or text asking you to click a link, enter an MFA code or approve a login, report it as spam.

Act if your device is lost or stolen

Always report a lost or stolen device with access to UNC systems to the ITS Service Desk. You can report by using the Help Portal or by calling 919-962-HELP (4357).

