Author: University Libraries Cybersecurity Awareness Team

September is National Preparedness Month: Be Prepared, Not Scared

National Preparedness Month is recognized each September to promote family and community disaster and emergency planning now and throughout the year. The 2019 theme is “Prepared, Not Scared.” See https://www.ready.gov/September for additional information.

Week 1:  Save Early for Disaster Costs  

Week 2: Make a Plan

Week 3: Youth Preparedness

Week 4: Get Involved in Your Community’s Preparedness

 

 

Cyber Safety for Students

As summer break ends, many students will return to school with mobile devices, such as smart phones, tablets, and laptops. Although these devices can help students complete schoolwork and stay in touch with family and friends, there are risks associated with using them.

The following sites include simple steps that can help students stay safe while using their internet-connected devices:

  • OSU Cybersecurity For You: https://cybersecurity.osu.edu/cybersecurity-you
  • Stop.Think.Connect. Toolkit: https://www.dhs.gov/stopthinkconnect-toolkit
  • Stay Safe Online: https://staysafeonline.org/
  • Before You Connect a New Computer to the Internet: https://www.us-cert.gov/ncas/tips/ST15-003

Understanding the Basics of Online Safety and Security

Shopping, surfing, banking, gaming, and connecting Internet of Things devices such as toasters and refrigerators are some of the many actions performed each minute in cyberspace. These common everyday activities carry the cyber threats of social engineering to gain unauthorized access to data, identity theft, bullying, location tracking, and phishing, to name just a few. How can we decrease our risk from these cyber threats without abandoning our online activities altogether? Here are some basic online tips everyone can follow to help stay secure while online.

  • Set up alerts. Consider setting up alerts on your financial accounts. Many credit card companies and banks allow you to set up alerts on your accounts via their websites. These alerts range from sending you an email or text each time a transaction happens on your account to alerts when transactions meet or exceed a designated spending limit that you set. These alerts keep you in control of your accounts’ activities. These types of alerts are useful because they make you aware of what’s going on with your account quicker than waiting for monthly statements. When you receive an alert about a transaction that you did not authorize, you can reach out to the credit card company or bank immediately. Log into your credit card company and banking websites to set up alerts on your accounts.
  • Keep devices and apps up to date. This familiar tip is useful even if you are just casually surfing the internet. Keeping your devices up to date (including apps and operating systems) ensures you have the latest security fixes.
  • Don’t use public Wi-Fi. In addition to an updated device, the network the device is connected to is also important. Did you have to enter a password to connect to a Wi-Fi network? If you did, that network is more secure than an open one that any device within range can connect to. Whenever possible, use a secure network, especially when banking or shopping online.
  • Consider using a VPN. VPN stands for virtual private network, and its main purpose is to provide a tunnel for encrypted internet traffic. If you are connected to the internet without using a VPN, your traffic is passed through the internet service provider’s servers. The location of your device is known, and if you must connect to a public Wi-Fi network, there is a risk of snooping by other devices on the same network. Connecting to a VPN redirects your internet traffic to a remote server, encrypting the traffic, reducing the snooping risk. There are many options for VPN software today for consumers and businesses. Do your research and decide which one makes sense for your online needs.
  • Create unique passwords. Here’s another familiar tip. Using the same password for many sites is not a best practice. Suppose that one of your accounts suffered a data breach and your password was exposed. If you reused this password on other accounts, it’s likely that someone would be able to access those accounts as well (especially if your user name is an email address). Consider using a password manager to manage all your passwords. Not only do these tools manage all your passwords, they can also create strong passwords and can even autofill your username and password as you go to websites on different browsers.
  • Be vigilant. Be aware that there are fake websites out there waiting to collect your valuable information. Make sure you are on a legitimate site by double-checking that the website address (URL) is spelled correctly. Also make sure you see a padlock and https:// in the URL.

Remember that you are in control of your online activities. Following these security tips will give you peace of mind while online.

Privacy and Mobile Device Apps

https://www.us-cert.gov/ncas/tips/st19-003

What are the risks associated with mobile device apps?

Applications (apps) on your smartphone or other mobile devices can be convenient tools to access the news, get directions, pick up a ride share, or play games. But these tools can also put your privacy at risk. When you download an app, it may ask for permission to access personal information—such as email contacts, calendar inputs, call logs, and location data—from your device. Apps may gather this information for legitimate purposes—for example, a ride-share app will need your location data in order to pick you up. However, you should be aware that app developers will have access to this information and may share it with third parties, such as companies who develop targeted ads based on your location and interests.

How can you avoid malicious apps and limit the information apps collect about you?

Before installing an app

  • Avoid potentially harmful apps (PHAs) – Reduce the risk of downloading PHAs by limiting your download sources to official app stores, such as your device’s manufacturer or operating system app store. Do not download from unknown sources or install untrusted enterprise certificates. Additionally—because malicious apps have been known to slip through the security of even reputable app stores—always read the reviews and research the developer before downloading and installing an app.
  • Be savvy with your apps – Before downloading an app, make sure you understand what information the app will access. Read the permissions the app is requesting and determine whether the data it is asking to access is related to the purpose of the app. Read the app’s privacy policy to see if, or how, your data will be shared. Consider foregoing the app if the policy is vague regarding with whom it shares your data or if the permissions request seems excessive.

On already installed apps

  • Review app permissions – Review the permissions each app has. Ensure your installed apps only have access to the information they need, and remove unnecessary permissions from each app. Consider removing apps with excessive permissions. Pay special attention to apps that have access to your contact list, camera, storage, location, and microphone.
  • Limit location permissions – Some apps have access to the mobile device’s location services and thus have access to the user’s approximate physical location. For apps that require access to location data to function, consider limiting this access to when the app is in use only.
  • Keep app software up to date – Apps with out-of-date software may be at risk of exploitation of known vulnerabilities. Protect your mobile device from malware by installing app updates as they are released.
  • Delete apps you do not need – To avoid unnecessary data collection, uninstall apps you no longer use.
  • Be cautious with signing into apps with social network accounts – Some apps are integrated with social network sites—in these cases, the app can collect information from your social network account and vice versa. Ensure you are comfortable with this type of information sharing before you sign into an app via your social network account. Alternatively, use your email address and a unique password to sign in.

What additional steps can you take to secure data on your mobile devices?

  • Limit activities on public Wi-Fi networks – Public Wi-Fi networks at places such as airports and coffee shops present an opportunity for attackers to intercept sensitive information. When using a public or unsecured wireless connection, avoid using apps and websites that require personal information, e.g., a username and password. Additionally, turn off the Bluetooth setting on your devices when not in use.
  • Be cautious when charging – Avoid connecting your smartphone to any computer or charging station that you do not control, such as a charging station at an airport terminal or a shared computer at a library. Connecting a mobile device to a computer using a USB cable can allow software running on that computer to interact with the phone in ways you may not anticipate. For example, a malicious computer could gain access to your sensitive data or install new software.
  • Protect your device from theft – Having physical access to a device makes it easier for an attacker to extract or corrupt information. Do not leave your device unattended in public or in easily accessible areas.
  • Protect your data if your device is lost or stolen – Ensure your device requires a password or biometric identifier to access it, so if it is stolen, thieves will have limited access to its data. Immediately contact your service provider if your device is lost or stolen.

Keeping Tabs on Mobile Devices

With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer’s operating system (e.g., BitLocker or FileVault).
  • Secure those devices and back up data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you’ll be able to identify and report exactly what information is at risk.
  • Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the trunk, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
  • Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. Do not choose options that allow your computer to remember your passwords.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer’s hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it!
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities.

What can you do if your laptop or mobile device is lost or stolen? Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your device contained sensitive institutional or student information, immediately report the loss or theft to your organization.

Staying Cyber-safe on a Summer Vacation

Typical travelers heading out on their summer vacation check that they have the right supplies and clothes for their trip before they hit the road. Expert travelers will also be checking to ensure they are educated and prepared to be cyber-safe with their devices and data while on the road! Thinking of your smartphones and devices as being just as important as your wallet is a step in the right direction. These devices contain everything from your banking and payment information to your treasured family photos, and ensuring they are secure and protected when away from home is paramount. In partnership with the National Cybersecurity Alliance (NCSA), we have put together some key tips, strategies, and resources to aid you in being secure during your travels.

To do before your trip:

Update your devices:

One of the most simple and effective ways to stay cyber-secure is to continuously update your devices. Those updates don’t just contain new features, but fix security flaws and keep you protected!

Password/Passcode protect your devices:

Always establish a strong passcode with at least 6 numbers or a swipe pattern with at least 1 turn of direction when protecting the lock screen of your smartphone. On laptops, a password or phrase of at least 8 characters is recommended, including uppercase and lowercase letters, special characters, and numbers.

Set your device to lock after an amount of time:

Once you have the passcode, password, or swipe pattern established, you should set an automatic device lock prompting for the access code after a specified time of inactivity. This will prevent a criminal from getting onto your device if you accidentally leave it unlocked.

Book your trip with trusted sites:

When planning your trip and booking transportation, lodging, and experiences, it is important to complete those transactions with trusted, known businesses. If possible, double-check the reviews and reputation of a site you are unfamiliar with but are considering using for your booking. By sticking to reputable sites, you guarantee a higher standard of security for your data and transaction.

Staying secure and connected during your trip

Keep track of your devices:

Not only are your devices themselves worth a great deal of money, but your sensitive information that is accessible by that device is also valuable. Ensure that you keep your devices close at hand or secured away safely when not in use. Theft of mobile devices, from smartphones to tablets and laptops, is all too common and can spoil a fun trip to a great extent.

Limit your activity on public Wi-Fi networks:

Public Wi-Fi that does not require credentials or logging in is not protected by encryption, so browsing and activity is not secure from prying eyes. To ensure your information is not put at risk, avoid logging into your personal accounts or making transactions while on public or hotel networks.

  • Use your phone carrier’s internet connection, or use your phone as a personal hotspot (if your cell carrier’s plan allows) when logging into personal accounts or conducting transactions.
  • Ensure your device is set to ask your permission before connecting to a wireless network while on your trip.
  • If you intend to use a hotel or establishment’s customer wireless network, verify what network is the correct one to use with a member of the staff.

Don’t overshare on social media:

Consider posting updates about your trip after you return. Criminals may see that you are away from home based on social media content and attempt to steal from your home! If you also share too many details about where you are on your trip, some scammers may attempt to contact your family and friends with a variety of scam tactics. Additionally, consider setting your social media accounts to only allow friends to view your posts and content.

By following these tips and being a cyber-safe traveler, you will have a smooth and enjoyable vacation! There are more resources available from NCSA and our partners on staying secure on trips and at home. Check them out below to learn more:

https://staysafeonline.org/blog/top-tech-tips-for-cybersafe-summer-travel/

Securing Devices by Making Simple Changes

Update your software now

https://www.consumer.ftc.gov/blog/2019/06/update-your-software-now

We secure our valuables – our wallets, keys, and homes. We know that, if left unsecured, they can easily be a target for criminals. So it makes sense to think the same way about the information stored on all our devices.

Computers, tablets, phones and other personal devices hold your emails and your financial and tax documents (with your Social Security numbers). Criminals who get access to this valuable information can commit identity theft, put harmful software on your devices, or both.

What’s one easy way to help protect all of this sensitive information? Update your software regularly, and as soon as possible when a newer version comes out. What’s an even easier way? Set the updates to happen automatically. Don’t ignore reminders to update. Criminals look to exploit vulnerabilities before the software companies can fix them. Delaying gives hackers time to access your information – even when a patch is out there to lock them out.

So what software should you be updating?

  1. Security software. Whether you use antivirus or firewall programs that were pre-installed on your device or that you bought on your own, make sure they’re up to date.
  2. Operating system software. Your operating system could be Windows, Apple OS, etc. If you’re not sure how to update your operating system, go to the website of your device manufacturer for help.
  3. Internet browsers and apps. Both are access points for criminals to enter your devices, so it’s important to keep them secure.

Looking for more tips on how to stay safe online? Check out FTC.gov/OnGuardOnline.

IRS reminder: Tax scams continue year-round

https://www.irs.gov/newsroom/irs-reminder-tax-scams-continue-year-round

IR-2019-104, June 5, 2019

WASHINGTON – Although the April filing deadline has passed, scam artists remain hard at work, and the IRS today urged taxpayers to be on the lookout for a spring surge of evolving phishing emails and telephone scams.

The IRS is seeing signs of two new variations of tax-related scams. One involves Social Security numbers related to tax issues and another threatens people with a tax bill from a fictional government agency. Here are some details:

  • The SSN hustle. The latest twist includes scammers claiming to be able to suspend or cancel the victim’s Social Security number. In this variation, the Social Security cancellation threat scam is similar to and often associated with the IRS impersonation scam. It is yet another attempt by con artists to frighten people into returning ‘robocall’ voicemails. Scammers may mention overdue taxes in addition to threatening to cancel the person’s SSN.
     
  • Fake tax agency. This scheme involves the mailing of a letter threatening an IRS lien or levy. The lien or levy is based on bogus delinquent taxes owed to a non-existent agency, “Bureau of Tax Enforcement.” There is no such agency. The lien notification scam also likely references the IRS to confuse potential victims into thinking the letter is from a legitimate organization.

Both display classic signs of being scams. The IRS and its Security Summit partners – the state tax agencies and the tax industry – remind everyone to stay alert to scams that use the IRS or reference taxes, especially in late spring and early summer as tax bills and refunds arrive.

Phone scams

The IRS does not leave pre-recorded, urgent or threatening messages. In many variations of the phone scam, victims are told if they do not call back, a warrant will be issued for their arrest. Other verbal threats include law-enforcement agency intervention, deportation or revocation of licenses.

Criminals can fake or “spoof” caller ID numbers to appear to be anywhere in the country, including from an IRS office. This prevents taxpayers from being able to verify the true call number. Fraudsters also have spoofed local sheriff’s offices, state departments of motor vehicles, federal agencies and others to convince taxpayers the call is legitimate.

Email phishing scams

The IRS does not initiate contact with taxpayers by email to request personal or financial information. The IRS initiates most contacts through regular mail delivered by the United States Postal Service. However, there are special circumstances when the IRS will call or come to a home or business. These visits include times when a taxpayer has an overdue tax bill, a delinquent tax return or a delinquent employment tax payment, or the IRS needs to tour a business as part of a civil investigation (such as an audit or collection case) or during criminal investigation. 

If a taxpayer receives an unsolicited email that appears to be from either the IRS or a program closely linked to the IRS that is fraudulent, report it by sending it to phishing@irs.gov. The Report Phishing and Online Scams page on IRS.gov provides complete details.

Telltale signs of a scam

The IRS (and its authorized private collection agencies) will never:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. The IRS does not use these methods for tax payments. Generally, the IRS will first mail a bill to any taxpayer who owes taxes. All tax payments should only be made payable to the U.S. Treasury and checks should never be made payable to third parties.
  • Threaten to immediately bring in local police or other law-enforcement groups to have the taxpayer arrested for not paying.
  • Demand that taxes be paid without giving the taxpayer the opportunity to question or appeal the amount owed.
  • Ask for credit or debit card numbers over the phone.

For anyone who doesn’t owe taxes and has no reason to think they do:

  • Do not give out any information. Hang up immediately.
  • Contact the Treasury Inspector General for Tax Administration to report the call. Use their IRS Impersonation Scam Reporting web page.
  • Report the caller ID and/or callback number to the IRS by sending it to phishing@irs.gov (Subject: IRS Phone Scam).
  • Report it to the Federal Trade Commission. Use the FTC Complaint Assistant on FTC.gov. Add “IRS Telephone Scam” in the notes.

For anyone who owes tax or thinks they do:

  • View tax account information online at IRS.gov to see the actual amount owed. Taxpayers can then also review their payment options.
  • Call the number on the billing notice, or
  • Call the IRS at 800-829-1040. IRS workers can help.

The IRS does not use text messages or social media to discuss personal tax issues, such as those involving bills or refunds. For more information, visit the Tax Scams and Consumer Alerts page on IRS.gov. Additional information about tax scams is also available on IRS social media sites, including YouTube videos.

Cryptocurrencies—Look Before You Leap!

Cryptocurrency comes under many names. You have probably read about some of the most popular types of cryptocurrencies such as Bitcoin, Litecoin, and Ethereum. Cryptocurrencies are increasingly popular alternatives for online payments. Before converting real dollars, euros, pounds, or other traditional currencies into ₿ (the symbol for Bitcoin, the most popular cryptocurrency), you should understand what cryptocurrencies are, what the risks are in using cryptocurrencies, and how to protect your investment.

What is cryptocurrency? A cryptocurrency is a digital currency, which is an alternative form of payment created using encryption algorithms. The use of encryption technologies means that cryptocurrencies function both as a currency and as a virtual accounting system. To use cryptocurrencies, you need a cryptocurrency “wallet”. These wallets can be software that is a cloud-based service or is stored on your computer or on your mobile device. The wallets are the tool through which you store your encryption keys that confirm your identity and link to your cryptocurrency.

What are the risks to using cryptocurrency? Cryptocurrencies are still relatively new, and the market for these digital currencies is very volatile. Since cryptocurrencies don’t need banks or any other third party to regulate them, they tend to be uninsured and are hard to convert into a form of tangible currency (such as US dollars or euros). In addition, since cryptocurrencies are technology-based intangible assets, they can be hacked like any other intangible technology asset. Finally, since you store your cryptocurrencies in a digital wallet, if you lose your wallet (or access to it or to wallet backups), you have lost your entire cryptocurrency investment.

Follow these tips to protect your cryptocurrencies:

  • Look before you leap! Before investing in a cryptocurrency, be sure you understand how it works, where it can be used, and how to exchange it. Read the webpages for the currency itself so that you fully understand how it works, and read independent articles on the cryptocurrencies you are considering as well.
  • Use a trustworthy wallet. It is going to take some research on your part to choose the right wallet for your needs. If you choose to manage your cryptocurrency wallet with a local application on your computer or mobile device, then you will need to protect this wallet at a level consistent with your investment. Just like you wouldn’t carry a million dollars around in a paper bag, don’t choose an unknown or lesser-known wallet to protect your cryptocurrency. You want to make sure that you use a trustworthy wallet.
  • Have a backup strategy. Think about what happens if your computer or mobile device (or wherever you store your wallet) is lost or stolen or if you don’t otherwise have access to it. Without a backup strategy, you will have no way of getting your cryptocurrency back, and you could lose your investment.

Multifactor Authentication

https://cybersecurity.osu.edu/cybersecurity-you/passwords-authentication/multifactor-authentication

Multifactor Authentication (MFA) is a security feature offered by many websites, applications and devices that dramatically improves account security. Sometimes MFA is also referred to as Two-Factor Authentication or 2FA. Technically, MFA could refer to a system where there are more than two forms of authentication.

Anyway, here’s how it works. If you have MFA set up for a given account (website, application or device), when you log in with your username and password, that account server is going to ask for a second, independent form of authentication before it will actually let you into the system. It’s kind of like when you open a bank account and they ask to see a picture ID and some other form of identification, like your social security card or a passport. It’s much harder to pretend you are someone you’re not when you have to prove who you are in two different ways!

Multifactor Authentication Methods

We recommend registering at least two devices for multifactor authentication, so if you lose one you can protect yourself by wiping the data remotely and then use the other to authenticate. With MFA, the second authentication can be done using one of several different methods so let’s take a moment to go over some of the most common ones.

Mobile device application “Push” method:

The most popular way to get that second form of authentication is through a “push” to an application on your mobile device. There are a variety of authenticator apps that are free and easy to set up and even easier to use for authentication!

With this method, the account server that you are trying to log into will send a “push” to your mobile device. This push is a notification that will pop up on your mobile device and say something along the lines of, “Hey, someone’s trying to log in to this website, is it you? Should we let them in?” Usually there is a big green button and a big red one so that you can easily answer “yes” or “no” with one touch. If you hit yes, you’re in. But if you didn’t make the original login request, you know that someone has your password and is trying to log in to your account. You can hit the “No” button and their access will be denied. You can then go log in yourself and change your password so that the attacker is back to square one. It’s simple, yet extremely effective security.

The primary advantage of this method is that an attacker not only has to compromise your password, but also has to have physical access to your mobile device and has to be able to log in to that device. The odds that all of that will happen are extremely low. As in, practically zero if you are using decent passwords and you keep track of your phone. Another advantage of this method is that you get a real time notification when someone is trying to log in to your account. As mentioned above, you can use this knowledge to quickly respond by changing your password.

Mobile device application code method: 

Sometimes the account server won’t send you a push but it may ask you to type in a unique code that is generated by the authenticator app on your mobile device. These codes are short (maybe 6 digits) so it may seem like they are not very secure. The cool thing is that the codes are re-generated every minute or so and they are based on an algorithm that is known only to your authenticator app and the account server you’re trying to connect to. It would be extremely difficult for a cybercriminal to guess the right 6 digit code under those circumstances since the timeframe is so short.

Again, the main advantage here is that the attacker has to have physical access to your mobile device and the ability to log in to it. One downside is that you don’t get any real-time notification if someone tries to log into your account. Usually this method is an option as a backup to the push method as well. Most authenticator apps will support both methods.

SMS Code Method: 

This method also uses your mobile device but it doesn’t use an application. Therefore, it works with non-smartphones. If you set up this method of MFA, when you log in with your username and password, the account server will send your mobile phone a text message with a one-time code. You will then type that code into the website or device portal where you entered your password.

This basically has all the advantages of the “push” method; it just isn’t quite as convenient because you have to type in the code. You will get that real-time notification of a login attempt because you will get a text message per attempt. One downside is that an attacker doesn’t necessarily have to be able to log in to your phone. They do have to physically have the phone, but text messages often pop up on the screen of the phone even when the phone is locked.

Email Code Method: 

This method works very much like the SMS code method except that the code is sent to an e-mail account that you have pre-communicated with the account server you are trying to access. You will most often set this up when you register for the multifactor service you are using.

If you’re going to use this kind of MFA, you need to make sure that your email account itself is secure, which probably means that you should have MFA enabled for access to the e-mail account in question. The reason is that e-mail can be checked from anywhere, including the same computer terminal where the cybercriminal is trying to log in to your account. In other words, this method does not require physical access to any independent device. That’s why you should have a strong password for your e-mail that isn’t used anywhere else. If you do that, then this method would essentially require the attacker to know two of your passwords. However, forcing them to have access to another device is a stronger, more secure option. If a website allows only this type of MFA, that’s fine. Go ahead and set it up and then require authentication to your mobile device for access to your e-mail. Then you’re golden.

Physical Token: 

This method used to be more popular before the advent of smart phones. A physical “token” is a small device that continuously generates codes in the same way that an authentication app on your mobile device would. It works just as well but it has the added downside that you have to keep track of this other device. These days our lives are tied to our mobile phones. You can imagine the possibility of losing a token and not even realizing it’s gone for a while. If you have one of these, keep it in a safe location. If you have to carry it around, maybe attach it to your keychain.  

MFA at Ohio State

Ohio State offers an MFA option to protect your Ohio State account when you log in to certain webpages or services using Shibboleth, which is the login service you are using when you enter your name.# and password. The multifactor authentication program is called BuckeyePass and it uses the Duo authenticator app.  We highly encourage you to sign up for BuckeyePass if you haven’t already. A few Ohio State systems already require it, and as security threats grow, even more systems will be added to the growing list protected by multifactor authentication. Visit buckeyepass.osu.edu to get started.

We also encourage you to enable MFA for your personal accounts whenever it is available. We recommend that you browse the security settings in all of your accounts and devices to see if there is an option to enable MFA. We also recommend that you check out twofactorauth.org. It’s a great website that will provide a list of websites, applications, devices, etc. that offer some form of MFA. It will also tell you what kind of MFA is offered.

One final word of caution

MFA is considered the “gold standard” of account security, but it isn’t entirely perfect. For example, you may fall victim to a phishing attack and be directed to a fake webpage. If you believe you are on a legitimate site and enter your username and password, there is nothing to stop the phisher from immediately plugging that information into the real account (the one they are impersonating). This will cause the real account to request your second form of authentication. If you then respond and plug a code into that fake website, you will have just given the phisher access to your account and allowed them to side-step the security. That’s why it’s really important to be vigilant against phishing attacks and other forms of social engineering.

 

See https://cybersecurity.osu.edu/services/buckeyepass for additional information about the BuckeyePass Multifactor Authentication service.