CIT launches new security system combating phishing

Calvin Information Technology is implementing a new multi-factor authentication system called DUO this fall in response to last year’s phishing email attacks. Multi-factor authentication is a way of adding an additional layer of security to accounts by requiring confirmation of identity on another device. As CIT associate CIO Adam Vedra explained it, having two-factor authentication is like having a lock that requires two keys, which are your password and DUO. Even if the password is stolen by a hacker, they cannot access your account because they only have one key. DUO is a security company that specializes in multi-factor authentication (their program is just called DUO, after the company). Calvin will engage in what Vedra calls a “campaign of encouragement” this semester to try to persuade students to adopt the new system.

CIT first decided to pursue multi-factor authentication in 2017. That was when they purchased DUO and “started rolling it out to select campus users,” says Vedra. The original timeline for the beginning of campus-wide implementation was the fall of 2020, but after the phishing email attacks of last year, CIT decided to move the rollout date up. 

Last year’s phishing scam involved an unknown source, most likely outside of Calvin, compromising one email account and sending out emails to all of that account’s contacts in order to gain access to other accounts. Although CIT received no reports of confidential information being lost, the attacks were still problematic as they left sensitive student information, including emails and transcripts, unprotected. Over 200 students had their accounts compromised. One of them was sophomore Anne Vanderwell, who spoke to Chimes about getting her account hacked. “The only way it affected my account was after clicking on the link (rookie mistake, I know) I got a TON of emails in my inbox constantly, just a crazy amount of spam. I ended up going to the help desk pretty quickly and they helped me reset my account and passwords and that fixed the problem for me.”

Additionally, the phishing scam was, as Vedra put it, a “nuisance for everybody.” Speaking about how it affected CIT, he said the department was “very, very busy trying to contain the issue” and it took students a long time to reset their passwords. 

DUO has multiple methods of authentication. Students may download an app, where they will simply tap a notification to allow access. Other methods include what is called a “hardware token,” a clicker that resembles a car key fob and can be carried around with the user. These are available to students for a refundable deposit. DUO can also authenticate through phone calls (including to landlines) and text messages. 

CIT intern Kenneth Amoah Nyame, who is in charge of communications for the DUO rollout, demonstrated the ease of the push notification method for Chimes. Nyame emphasized over and over how easy DUO is, and how important it can be. “If they understand the impact, they’ll be more accepting of change,” he said, explaining why he believes that communication with the student body is crucial to this new program.