When it comes to information security at FAU, the issue isn’t administration’s handling of data systems — it’s students falling for scams.
FAU has never had an information breach and doesn’t sell student data, according to university Chief Information Officer Jason Ball. Instead, student data is normally stolen through phishing, in which people are tricked into giving out their personal information or downloading data-stealing programs, typically through email.
And the scams are becoming more and more personalized to be convincing to certain demographics — especially college students.
The millennial and Generation Z age groups are the most likely to lose money through scams over any other group, according to the Federal Trade Commission. The FBI even released a public service announcement in early 2017 about a college-focused phishing scam on false employment opportunities.
College email addresses are also fairly easy to obtain and can be found on the dark web, a part of the internet that can only be accessed via certain software and lets its users remain untraceable. ID Agent, an organization that keeps tabs on the dark web, found almost 14 million leaked email addresses and passwords of students, faculty, and staff from 300 universities, according to Agari Data.
The University Press spoke to various campus members to find out more about phishing, as well as other kinds of hacking. We also gathered some tips to help you steer clear of online scams as the internet becomes more and more necessary in our day-to-day lives.
Phishing: how it works and how to avoid it
Dodging a bullet can be more difficult when it knows exactly where your brain and heart are.
Many phishing scams exploit a sense of urgency and appeal to common sense — a global phishing test from KnowBe4, the world’s largest security training organization, found that the No. 1 email subject line would-be victims clicked on was “Password Check Required Immediately” — but others play on your emotions instead.
Samantha Inguanzo, vice president of the Graduate and Professional Student Association for the College of Engineering and Computer Science, has a parent who recently received an email from one of her clients whose email had been hacked. The client appeared desperate: she claimed she had been robbed and was stuck in Lebanon, needing money transferred through financial services company Western Union.
“You have to think logically to avoid attacks like that, because they’re using your emotion to make you give away personal information,” Inguanzo said. “You have to think for a second: if my friend was really robbed in Lebanon, they would be at an embassy, they would be calling, they wouldn’t be emailing if that was the situation because it’s dire.”
But information isn’t only lost through people being tricked into giving out sensitive details. Sometimes all it takes is a click.
Phishing emails can convince people to open an attached link or image, which instantly installs a malicious program on their computer. At first, the user might not even know anything’s wrong, Inguanzo said.
Every download comes with “metadata,” or data built into the download itself. This metadata can be manipulated to take advantage of the program it’s running on, bridging into other parts of the computer to scoop out information, according to Inguanzo.
“Everything we see is called the ‘front end’ in web design and cyber security … This is not what the program looks like that runs it. Even on webpages, if you bring up the developer tools, you can see the actual code that runs the program and gives you these images and the design that you’re seeing,” she said. “All you do is click to download it and it’s sending out whatever information they programmed it to send to them. It could be your name, it could be whatever information is stored on your computer, which is a lot.”
And other times, even a click isn’t necessary. Social media is another common avenue through which people can lose information, even if the company’s database isn’t hacked, data mining expert Xingquan Zhu said. The professor works in FAU’s Department of Computer and Electrical Engineering and Computer Science.
Algorithms are becoming more adept at gathering information that the user has voluntarily posted online and can interpret that data to predict other things about them or their account — and about 98 percent of college-aged students are on social media, making it an enormously popular pastime, according to the Huffington Post.
“Research can actually pinpoint individuals. If you have a Facebook account, if you have a Twitter account, if you have a LinkedIn account, and assume you use different identities in each of the networks … the research can identify you, link you across the network,” he said.
But there are still ways to fight against phishing and other kinds of hacking — and one approach is simply to be aware of the possibility.
“Just be careful. We should be able to avoid it,” Zhu said. “You carefully try to read the emails before you click anything, and also have a common sense of don’t open or click on any links when you surf the [web].”
Inguanzo suggests creating complicated passwords and never saving passwords on computers, where autofill can enter them on command.
She also recommends using Google’s device-monitoring service, which shows and timestamps where all of a person’s registered electronics have been.
If an unrecognized device appears, it could mean that someone has hacked in and registered it under the account as a doorway to steal additional information. Users can also use this service to remotely disable a device or put password protection on it in the event of a theft, she said.
A look into FAU’s information systems
There are multiple ways to get someone’s personal information aside from phishing, though, and that’s typically done by going past the individual to the enormous databases themselves.
On the national level, this type of hacking remains common. Facebook revealed in September of this year that almost 50 million users’ information had been leaked, the biggest breach in the company’s 14-year history. On the local level, the University of Central Florida’s database was compromised in 2016, exposing around 63,000 Social Security numbers of students and employees.
Major data systems at FAU are managed through the Office of Information Technology, which is headed by Chief Information Officer Ball.
“There have been no actual reported breaches to date,” he said. “The majority of cases we deal with are students who have their personal credentials stolen through phishing campaigns.”
In the case of suspicious activity, FAU has an “incident response team” that “quickly validates that a breach has in fact occurred, immediately addresses the source of the breach, and works to communicate with the affected parties and required reporting under State and Federal law,” he added.
And according to Ball, FAU doesn’t sell student data to third-party organizations either. Instead, data is used internally to track the progress of students, helping any that are falling behind through programs or advising sessions.
Even after a student graduates, FAU keeps all transcript information intact, which is required by Florida state law.
At FAU, most student data is stored in four “primary” systems: Banner, which holds personal information and records; Workday, where employees log their hours and complete other work-related tasks; Starfish, where students can schedule appointments; and Canvas, where class and grade information is stored, Ball said.
Banner is the most important of the four: the majority of students’ data is housed on a single server, although another copy of the information is kept at a disaster recovery site. “Less-sensitive data,” such as what’s collected by Starfish, is held in cloud systems, he said.
To further protect against hacking, the Office of Information Technology is giving students two options to prove they’re the ones accessing sites like MyFAU’s Self-Service. The first involves an automated call to the student’s cell phone upon logging in, at which point the student can press a button to verify their identity. The second involves the smartphone verification app DUO, which uses a push-notification process.
The use of DUO has been available since Oct. 15 of this year, but will be mandatory in 2019, the Division of Student Affairs and Enrollment Management said in a newsletter.
Hope Dean is the managing editor of the University Press. For information regarding this or other stories, email [email protected].