The Boston University Student Employment Office announced Tuesday that all student employees and faculty members are required to enroll in a login service called Duo Security. The measure is in response to past cases of hacking of BU employee accounts.
“Basically, it’s a more modern way of doing two-factor authentication,” said Tom Grundig, the information security operations manager at BU Information Services & Technology.
With two-factor authentication, every time an employee signs into their BUworks account, the virtual portal for campus workers’ financial records, a notification will be sent to an external device such as a phone or tablet, asking to verify that the login was not fraudulent.
Grundig said in addition to a username and password, access to the device enrolled on the account is needed.
“So say somebody’s account is compromised and somebody in some foreign country or wherever has their username and password. When they try to log in as that user, they’re also going to need that access to either their cellphone or to be in front of that landline, or else they’re not going to be able to log in,” Grundig said.
BU uses BUworks to monitor salary statements, direct deposit bank information and other account information. Duo Security was implemented to protect against hackers gaining access to these personal documents, he said.
“The key things we’re looking at protecting here are sensitive personal data, such as banking information,” Grundig said.
He said BU IT decided to adopt Duo Security, an independent program that many companies use worldwide, specifically because of a security breach that occurred in January.
“We were victim to a pretty harsh phishing scheme,” Grundig said. “They were sending emails to BU members that looked like links that were going to legitimate BU pages with BU web login…since they looked so real, several BU members clicked on these links and thought they were logging into web login, but they weren’t, so essentially they were giving up their username and password.”
As a result, the hackers accessed the employees’ accounts, acquired their paychecks and transferred some of their funds around the world, The Daily Free Press reported Jan. 8.
Leonid Reyzin, a professor of computer science at BU who focuses on security and cryptology, said it is crucial for BU to adopt a service like Duo Security.
“We know that passwords alone are too weak for authentication, for many reasons,” Reyzin said in an email. “Users often do not choose strong passwords; they use the same password on multiple sites. So going beyond passwords is necessary, and I am glad BU is doing it.”
The new security could also prevent phishing incidents like the one that happened earlier this year, he said.
“It will certainly make the criminals’ job a lot harder,” Reyzin said. “Perhaps it will be too hard to be worth their while, because their costs will exceed the payoff.”
A number of BU students who have on-campus jobs said they have mixed feelings about the universal implementation of Duo Security.
Joe Karam, a freshman in the College of Engineering who works in the George Sherman Union, said he likes the idea of the protective system, but feels it might be a nuisance to have to always authenticate his login.
“If you have to open the app or whatever, that’s going to be annoying,” Karam said. “Many people would be in a hurry and stuff, so maybe they don’t have time to open the app. Maybe their phone’s dead.”
Victoria Olakojo, a freshman in the College of Communication, works as an office assistant in Rich Hall and has already downloaded the Duo Security app required to authenticate login. She said it will be extremely beneficial for BU employees.
“It makes me feel like my information is secure,” she said. “Some people might think it’s a hassle, but that extra second it takes to verify your information can end up saving you from scam.”