Logging in to Banner just got a little bit harder. As of last week, all students, with the exception of those studying abroad, have been enrolled in the new two-step verification system, which adds a layer of security to the Brown network, said Ravi Pendse, vice president for computing and information services and chief information officer.
Two-step verification systems require users not only to enter their username and password to access University resources but also to validate the login by responding to a notification on a smartphone, answering a call on a cell phone or entering a code.
“It combines what you know — your password — with what you have — like your smartphone — and is the best way to keep all of us safe online,” Pendse said. Users can authorize their web browsers for 30 days so they only have to provide the second element once a month, he added.
The added step between the user and the network could be the difference between an account being phished and remaining in the hands of its owner, Pendse said.
A phishing attack directs users to a page where they enter login credentials. Users think they are accessing the University’s network, but they are instead providing information to the hacker, said John Spadaro, deputy chief information officer.
“The moment somebody gets hold of your password, it’s game over. Then, there is nothing the computer can do to distinguish between me and a malicious student masquerading as me,” said Shriram Krishnamurthi, professor of computer science.
Once armed with functional credentials, hackers have access to all the information stored in the Brown network, including grades in Banner, data in Canvas and — in the case of University employees — the payroll system in Workday. In one known instance, an employee’s payroll account was redirected in June or July, the months during which employees are notified of pay raises, Pendse said.
More than 400 individuals have fallen victim to phishing attacks since September. Not only are the attacks increasing in frequency, but they are also becoming more sophisticated, Spadaro said. “Some of them are amazingly good. We ourselves look at them and ask whether they’re phish or real.”
CIS takes advantage of in-house talent in the Department of Computer Science as it searches for the most effective way to prevent phishing, Krishnamurthi said.
“They are curious about new technologies but are conservative about adopting them because they have to make sure everything runs all the time,” he said. “This is the right way to do it because your campus access should not be driven by my research prototypes.”
“CIS is made up of a lot of experts and very talented people doing a lot of stuff you don’t know exists,” Spadaro said.
But as Pendse sees it, the cybersecurity team must include the entire campus. The only way to eliminate phishing as a threat is to ensure students do not fall victim to it, but the two-step verification system promises to be an effective safety net, Pendse said.
“It is going to be a great system until someone figures out how to get around it,” Spadaro said. “And they will. I don’t know what the next exploit is going to be, but we have to react to the exploits as they come up.”