Microsoft’s Number Matching Authentication Process

What is Multi-factor Authentication?

Multi-factor authentication (MFA) refers to a layered end-user verification strategy to secure data and applications by requiring a user to submit various combinations of two or more credentials to gain access to a system or service.

There are three components of MFA:

  • Something you know — Password, PIN, or passphrase
  • Something you have — OTP (one-time password), verification code, or hard or soft security token
  • Something you are — Biometrics (fingerprint, facial scan, or iris scan)

The Microsoft Authenticator App is traditionally used with a mobile device such as a cell phone for push notifications. This helps you sign into your accounts when you’re using a two-step verification process.

The standard two-step verification method involves two factors: one is typically your username and password, and the second is something such as a PIN, a code or a personal biometric.

How Does MFA Work?

Mobile push-notification-based MFA uses “push” notifications to alert a user to review a new MFA authentication request. The login flow is:

  • The user enters their username and password to authenticate (first factor)
  • The identity platform sends a signal to the app on the user’s phone/mobile device, which generates a notification
  • The user opens and accepts the prompt to approve the request (second factor)

Incorporating both factors makes the sign-in process safe and secure; however, malicious cybercriminals continue to find ways to try to bypass MFA. With the adoption of two-factor authentication, MFA fatigue spamming attacks have gained popularity among cybercriminals and become more prevalent.

What is MFA Fatigue?

MFA fatigue is a technique where a cybercriminal attempts to gain access to sensitive information by bombarding their victims with repeated two-factor authentication push notifications in hopes of tricking them into authenticating their login attempts.

Cybercriminals will commonly use stolen login credentials obtained from various social engineering methods, including phishing attacks, malware or leaked credentials from data breaches. Cybercriminals who have obtained a user’s password will enter it into an identity platform that uses mobile push-notification-based MFA to generate hundreds of prompts on the user’s device over a short period of time.

The goal is to spam victims to the point where they are annoyed by the constant notifications and will approve one so it will stop. Although it may seem harmless, by doing so, the attacker has effectively bypassed MFA and now has access to their victim’s information and critical infrastructure.

This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or misinterprets them as legitimate authentication requests.

Recent studies show that about 1% of users will accept a simple approval request on the first try. That’s why it’s critical to ensure that users must enter information from the login screen and that they have more context and protection.
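The burst of prompts described above is visible on the identity-platform side before the user ever taps anything. As an added example (not part of the original post and not Microsoft's tooling), the Python below scans constructed sign-in log lines for a run of push prompts to one account inside a short window and flags an approval that lands while that run is still going, which is the pattern a help desk would want to escalate. The log format, the account names, the five-prompt threshold and the five-minute window are all assumptions chosen for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not real Entra/Azure AD output): "<timestamp> <user> <event>".
# alice receives six prompts in under two minutes and then approves one;
# bob receives a single prompt and approves it normally.
SAMPLE_LOG = """\
2023-03-01T08:00:01Z alice@example.edu push_sent
2023-03-01T08:00:02Z alice@example.edu push_denied
2023-03-01T08:00:14Z alice@example.edu push_sent
2023-03-01T08:00:31Z alice@example.edu push_sent
2023-03-01T08:00:55Z alice@example.edu push_sent
2023-03-01T08:01:20Z alice@example.edu push_sent
2023-03-01T08:01:41Z alice@example.edu push_sent
2023-03-01T08:01:50Z alice@example.edu push_approved
2023-03-01T08:05:00Z bob@example.edu push_sent
2023-03-01T08:05:06Z bob@example.edu push_approved
"""


def parse_line(line):
    """Split one constructed log line into (datetime, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_mfa_fatigue(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of push prompts per user.

    Returns {user: {"max_prompts_in_window": int, "approved_during_burst": bool}}.
    'approved_during_burst' is True when a push_approved event arrives while at least
    `threshold` prompts were sent to that user inside the last `window`.
    """
    recent = {}  # user -> deque of push_sent timestamps still inside the window
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        q = recent.setdefault(user, deque())
        stats = report.setdefault(
            user, {"max_prompts_in_window": 0, "approved_during_burst": False}
        )
        # Drop prompts that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            stats["max_prompts_in_window"] = max(stats["max_prompts_in_window"], len(q))
        elif event == "push_approved" and len(q) >= threshold:
            stats["approved_during_burst"] = True
    return report


def users_to_escalate(report):
    """Accounts whose approval happened inside a prompt burst: treat as possible compromise."""
    return sorted(u for u, s in report.items() if s["approved_during_burst"])


if __name__ == "__main__":
    result = detect_mfa_fatigue(SAMPLE_LOG)
    for user, stats in result.items():
        print(user, stats)
    print("escalate:", users_to_escalate(result))
```

Only accounts that approve during a burst are escalated; a user who simply denies a string of unexpected prompts still shows a high prompt count and is worth a password reset, but it is the approval inside the burst that indicates the attacker may now hold a session.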

What is Changing with the Authenticator App?

Microsoft will enable number matching requirements within the Microsoft Authenticator App by default for all users starting on February 27, 2023.

Number matching is a security upgrade that will discourage MFA fatigue as each push notification generates a unique set of numbers for every login request. Number matching is a setting that forces the user to enter numbers from the identity platform into their app to approve the authentication request.

How Does Number Matching Work?

When a user responds to an MFA push notification using Microsoft Authenticator, they will be presented with a number that the user will be required to type into the App during the sign-in process to complete the approval.

Depending on how the Microsoft Authenticator app is configured and on the operating system of your mobile device, you may see an experience similar to the examples below:

Basic Number Matching: When a user responds to an MFA push notification using Microsoft Authenticator, they will be presented with a number which they need to type into the Authenticator app to complete the approval process.

Geographic Location with Number Matching: When a user receives a Passwordless phone sign-in or MFA notification in the Authenticator app, they’ll see the sign-in location (based on their IP) and number matching information. Type the number that was pushed to your mobile device into the Microsoft Authenticator app to complete the sign in approval process.
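The reason number matching defeats a blind "approve" tap is that the number is shown only on the screen where the sign-in was started, never inside the push itself. The following Python is an added example (not Microsoft's code and not part of the original post) of a minimal server-side model of that flow: the platform issues a challenge after the password succeeds, shows a two-digit number on the sign-in page, and accepts the approval only if the app sends that same number back. The class and function names, the two-digit range and the 60-second lifetime are assumptions made for illustration.

```python
import secrets
import time

# Assumption for this model: the number is 00-99 and a pending request lives 60 seconds.
CHALLENGE_TTL_SECONDS = 60


class NumberMatchingMFA:
    """Tracks pending push requests and checks the number typed into the app."""

    def __init__(self):
        self._pending = {}  # challenge_id -> (user, number, issued_at)

    def issue_challenge(self, user):
        """Runs after the first factor (password) succeeds.

        Returns (challenge_id, number). The number is rendered on the sign-in screen;
        the push sent to the phone carries only the challenge_id.
        """
        challenge_id = secrets.token_hex(8)
        number = secrets.randbelow(100)
        self._pending[challenge_id] = (user, number, time.monotonic())
        return challenge_id, number

    def approve(self, challenge_id, typed_number):
        """Called by the app. A challenge is consumed on the first attempt, so a wrong
        guess cannot be retried against the same request and an approval cannot be replayed."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False  # unknown, expired, or already used
        _user, number, issued_at = entry
        if time.monotonic() - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        return typed_number is not None and typed_number == number


def legitimate_sign_in(mfa, user="alice@example.edu"):
    """The person at the keyboard sees the number and types it into the app."""
    challenge_id, number_on_screen = mfa.issue_challenge(user)
    return mfa.approve(challenge_id, number_on_screen)


def unsolicited_prompt_blind_approve(mfa, user="alice@example.edu"):
    """The sign-in was started somewhere else, so the number is on that other screen.
    A user who just taps 'approve' has no number to supply, and the request fails."""
    challenge_id, _number_user_never_saw = mfa.issue_challenge(user)
    return mfa.approve(challenge_id, None)


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    print("legitimate sign-in approved:", legitimate_sign_in(mfa))
    print("blind approval accepted:", unsolicited_prompt_blind_approve(mfa))
```

Two design choices carry the security value: the number travels to the sign-in page rather than to the phone, and each challenge is single-use, so a guess has at best a one-in-a-hundred chance and must trigger a fresh prompt that the user sees.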

Don’t have the Authenticator App?

Download and follow these instructions: Download Microsoft Authenticator App Here

Microsoft Authenticator Setup

Download a PDF version of this setup by clicking HERE

Download a Word Document of this setup by clicking HERE

Prefer to watch a video? Get to step 7 first, then visit this link.

What is two-factor authentication?

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.

The first factor will primarily be a computer/laptop and the second factor can be your phone, a verbal call or a text message. Two-factor makes it harder for criminals to break into your account. If you only use a password to authenticate and the password is weak or has been exposed elsewhere, it leaves an insecure avenue for attacks or fraudulent entry.

When you require a second form of ID, security is increased because this additional factor isn’t something that’s easy for an attacker to obtain or duplicate.

How does authentication work?

When you sign into your O365 account, you will receive a prompt for ID verification using one of the following authentication methods:

  • Something you know, typically a password
  • Something you have, such as a trusted device like a phone
  • Something you are, such as biometrics like a fingerprint

You can authenticate your second factor in several ways; however, we strongly encourage you to use the Microsoft Authenticator App if your phone is able to utilize it. It is the fastest verification option, allowing you to just tap approve on your phone, and adds an extra layer of security.

The Microsoft Authenticator app will function and generate new codes every 30 seconds even when you don’t have cellular coverage.
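The codes keep working without coverage because they are computed, not delivered: an app-based code generator derives each code from a secret shared at setup time plus the current 30-second time step. As an added illustration (not Microsoft's code and not part of the original post), the Python below implements the standard time-based one-time password algorithm (RFC 6238, built on the HMAC-based counter algorithm of RFC 4226) and a server-side check that tolerates one step of clock drift. The secret used is the published RFC test secret, the function names and the one-step skew are assumptions, and the page does not state which parameters Microsoft's own account codes use.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret (ASCII "12345678901234567890"), used here only as a known vector.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is simply the number of 30-second steps since the epoch."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, for_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check accepting codes from +/- `skew` neighbouring steps (clock drift)."""
    for delta in range(-skew, skew + 1):
        candidate = totp(secret, for_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps usually receive the shared secret as a base32 string (QR code)."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # Works with no network: only the shared secret and the device clock are needed.
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SECRET, now))
    print("seconds until it rotates:", 30 - now % 30)
```

Because the server and the app both compute the same code from the same secret and the same clock, the only things an attacker can intercept in transit are the six digits themselves, and those expire within the step; this is the contrast with SMS, where the code must be carried over the phone network.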

Can two factor be hacked?

Although it is possible for two-factor authentication to be hacked, the odds are very low and 2FA is certainly the best practice when it comes to keeping accounts and systems secure.

One way two-factor authentication can be defeated is through the SMS method, in other words, the method by which a one-time use code is sent to a user’s phone number via SMS or an automated phone call.

This is why we recommend using the Microsoft Authenticator app because it adds extra security and codes are contained within the app.

There have been stories of hackers tricking mobile phone carriers into transferring someone else’s phone number to their own phone. The hackers contact the carriers pretending to be their victims, requesting a new SIM with the victim’s number. They then have access to any authentication code sent to that phone number. Called SIM swapping, this is probably the most common way of getting around 2FA.

But carriers’ own security processes are improving, and even acknowledging those risks, 2FA remains a strong and essential tool in the fight against cyber-attacks and identity fraud.

Pre-Requisite

In order to use multi-factor authentication with your Capital account, you will need to ensure the following pre-requisites are met:

  • A phone that can receive SMS texts and/or download the Microsoft Authenticator app
  • A computer with Office 2016 (or higher) installed
  • Internet access to complete the setup

What if I don’t own a phone or my phone doesn’t work with the app?

If you don’t have a phone or your phone can’t use the authenticator app, you can use a mobile device like your university iPad. Install the Microsoft Authenticator app on the iPad. You will need to keep the iPad with you at all times to authenticate.

You can also receive verification codes via text or receive a voice call to your cell, home or office line. Instructions on how to set this up can be found HERE.

What other factors can I use to authenticate?

Verification methods and what to expect with each:

  • Phone call: Sign into your O365 account from your computer. Microsoft calls your phone asking you to verify that it is you signing in. Press the # key on your phone to complete the verification process.
  • Text message: Sign into your O365 account from your computer. Microsoft sends a text message to your mobile phone with a 6-digit code. Enter this code to complete the verification process.
  • Microsoft Authenticator App (Passwordless): Sign into your O365 account from your computer. Microsoft sends a verification request to the app on your phone asking you to Verify or Approve to complete the verification process. This needs to be set up.
  • Code Generator with Microsoft Authenticator App: Sign into your O365 account from your computer. Microsoft asks for the verification code generated by the app on your phone. The code changes every 30 seconds. Use this code to sign into your account.

Getting started

  1. If you will be using the Microsoft Authenticator app, download and install the app to your cell or mobile device (iPad) first. Visit the app store for your operating system and download it for Android or iOS devices. Setup instructions can be found HERE. You can also watch a video HERE.
  2. Go to your PC and open this link in your web browser – https://aka.ms/mfasetup. This will prompt you to pick a Microsoft account. Select your Capital email account.
  3. You will be redirected to the “Capital Gate” sign in page. Enter your Capital email address or username along with your password and click Sign in.

Follow the instructions in the help document to complete registration of 2FA HERE.

What if I need help?

Contact the IT Help Desk, helpdesk@capital.edu or 614-236-6508. We are here to help if you have questions or a special situation that would require our assistance.

Two Factor Authentication

What is Two Factor (2FA)?

Two-Factor Authentication (2FA) is used to strengthen the security of user accounts and University business systems that hold sensitive information. It adds another layer of online protection from damaging cyber criminal attacks that cost organizations millions.

As part of this initiative, effective July 12th, 2021, all Windows PC Users will be required to use 2FA when accessing University business systems and resources via VPN (virtual private network). Macintosh Users are currently using 2FA.

Why Two Factor?

We are all used to having one layer of security to protect our account, which is our password; however, passwords aren’t enough to protect the University or you against cyber criminals who desire to gain access to resources using compromised credentials.

The goal of 2FA is to provide a higher degree of identity assurance of a user accessing University resources via VPN.  If cyber criminals obtain your username and password, they will still need access to your phone and/or a passcode to get into your account.

Having a second form of identification greatly decreases the chance of a criminal using compromised credentials to gain access to devices and sensitive information or to commit fraud, and it helps build secure online relationships.

How Does 2FA Work?

You will need to download and install the Microsoft Authenticator App on your phone and configure it to work with your work PC. Detailed step by step instructions can be found below.

Once configured, you will need to use 2FA any time you log into the University’s VPN. You will need to enter your Capital username and password as well as authenticate through your phone. You will be required to use two different sources (factors) to verify your identity:

  • Something you know:  your Capital credentials (username and/or password), and
  • Something you have:  a phone and/or passcode

What If I Don’t Own a Cell Phone?

Please contact the IT Helpdesk, helpdesk@capital.edu or 614-236-6508 to have a ticket created and assigned to our network team. We will work with you directly for a resolution.

Can I Use VPN on my iPad or Other Mobile Device?

At this time, we are only recommending 2FA for your work PC. We will notify you once we are ready to roll out and support 2FA for mobile devices and the iPad.

Need Help? Have A Question or Concern?

If you have questions, concerns or need technical assistance, please contact the IT Helpdesk, helpdesk@capital.edu or 614-236-6508.

===========================================

If you would like to download a PDF copy of these instructions so that you can click on the embedded links in the documentation, please click here.

EIIA – Warning – Phishing Emails – Coronavirus and COVID-19

The following is a Phishing Alert from EIIA – Educational & Institutional Insurance Administrators concerning recent sharp increases in phishing attacks occurring over the past week related to Coronavirus and COVID-19.

All emails from the outside with the words COVID-19 or Coronavirus will be flagged with a header:


Good afternoon,

I am sending this email to alert everyone about the recent sharp increase in phishing attacks occurring over the past week. Hackers and cybercriminals are using public apprehension over the coronavirus outbreak to advance their agendas. IBM recently warned consumers that ransomware has entered the mix of coronavirus-themed payloads hackers are unleashing. Emails purporting to contain information about the spread of the coronavirus will secretly download the Emotet malware that allows hackers to steal information and deliver malware.

The types of emails you may receive to get your attention to click a malicious link or open an attachment include:

  1. Fake school or CDC emails could make you think you or your child has been exposed to COVID-19. They could say your family may face quarantine.
  2. False claims that there’s a vaccine for sale or some form of remedy available.
  3. Misleading ads about masks that may not be effective or other helpful hints to combat the virus.
  4. Emails with “latest” updates to keep you informed as criminals are aware that everyone wants to know everything first.

What can you do?

  1. Be careful opening any web links or attachments, even if you know the sender; it may be a compromised sender.
  2. Look for “Red Flags” in emails you receive. Red Flags include abnormalities in the sender, topic, links, content, etc. To help everyone on this topic, please refer to the following link on our website for a helpful one page document: https://members.eiia.org/wp-content/uploads/assets/SocialEngineeringRedFlags.pdf
  3. Contact your IT department whenever you have any doubts or concerns.

Please let me know if you have any questions. I hope this information is helpful and everyone be careful out there.

Thank you.

Gerry Hamill, MBA, CISSP
Executive Director
IT Risk Management
888.260.7416
ghamill@eiia.org
www.eiia.org

Resolved: Door Access Control Problems

Update:

The Lenel door access control issues from this morning have been resolved. The department of Information Technology had to do a system restore and we will continue to monitor the access control system very closely over the next 24 hours to address any functionality complications. If you encounter any problems accessing any campus buildings, please reach out to the IT helpdesk, 614-236-6508 or helpdesk@capital.edu so that we can help.

Thank you again for your patience and understanding. Have a great day!


The department of Information Technology would like to report that the Lenel door access control system experienced an anomaly this morning that is currently hindering some card readers and ID card functionality on campus. The main symptom that some of you may experience is your ID card not being read correctly by some card readers on the buildings which will prevent you from accessing the building.

We are currently investigating and working closely with our third party support to resolve this issue as quickly as we can. We apologize for the inconvenience and appreciate your patience and understanding as we work through the problem. We will update the campus with more information soon. You can contact the IT Help Desk, helpdesk@capital.edu or 614-236-6508 for periodic updates or to put in a ticket.

Thank you.

Cyber Security Alert

The following is a Cyber Security Alert from Ohio Homeland Security, a division of The Ohio Department of Public Safety. The document contains information related to active Cyber Incidents that are taking place throughout Ohio.

The document states that:

“During a 2018 ransomware attack, on a city government entity in Ohio, a contact list was stolen. This information is currently being used to spoof email addresses that send out malicious Microsoft (USBUS) Word Documents and conduct social engineering attempts.

The delivery of these attacks is very similar to our previous post this past September.
https://inside.capital.edu/ITStatus/index.php/2019/09/11/warning-email-of-an-encrypted-document/

Please see the full PDF from Ohio Homeland Security below.

WebAdvisor Authentication Change

DATE: Monday, October 21, 2019
To: Faculty, Staff and Students
From: The Department of Information Technology
Subj: WebAdvisor Authentication Change

The Department of Information Technology will be updating WebAdvisor authentication on Thursday, October 24th, 2019 between 4pm and 5pm. During this time frame, all users will experience a brief WebAdvisor outage as we upgrade the configuration. This is in preparation for replacing WebAdvisor with a new online service.

Please contact the IT Help Desk via email, helpdesk@capital.edu or telephone, 614-236-6508 if you experience any issues logging in to WebAdvisor after 5pm. Thanking you in advance for your understanding and cooperation.

What to expect after October 24th

After selecting “Login” on WebAdvisor, you will be redirected to a Capital University gateway.

WebAdvisor login

On the gateway page, login using your Capital email address and password.

SAML gateway

Whaling Attacks (email spoofing for gift cards)

A recent trend in email phishing attacks is something called whaling. Whaling is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, managers and supervisors. “In many whaling phishing attacks, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker” (More info). In our case we are getting many email attacks where someone is trying to trick people into buying gift cards and sending the card numbers to them.

The basic way it works is the attacker creates an email from a free email service such as Gmail, Yahoo, and a couple of others. They usually choose names of people who are department leaders and have staff. They then send emails to members of that department hoping to trick an employee into thinking it is from their manager. The initial email is extremely brief, such as “Are you available?”, and may have a subject hinting at urgency. Some have also created a signature text that is quite convincing. Their hope is to trick the potential victim into replying.

Once they hook someone, their 2nd message says that they are in a meeting with no idea when it will end (they commonly say they do not know when the meeting will “round up”). They go on to say that they cannot use their phone and can only communicate through email, and that they need something very important done right away. Their next email says what they want… lately they have been asking for some amount in Amazon Gift cards (I have seen amounts of $100 to $500) and they reiterate that they will reimburse and that they need it right away and are still in the meeting. They may say in this message or a following one that once the victim has the cards they are to scratch off and send the numbers on the back of the card.

This gift card spoofing is the latest twist in whaling attacks that we have received. Many of you may remember that we have been seeing similar spoofed emails for over a year, with the attackers using a variation of Dr. Paul’s name as part of the sender’s name and email address from Gmail or Yahoo. These were mostly trying to pass off some document for all employees to read and then sign into a web page to indicate they have read and agree. These were phishing attacks designed to capture the victim’s login name, password and possibly other personal information from that non-capital.edu website.

As a tool to help you better identify these, we have added an External Sender Disclaimer to email received externally.

external header notice

This new disclaimer message will be a constant reminder to use caution when opening, sharing your personal information or responding to emails from unknown or external senders. Exclusions for emails from official university systems are being identified and created so that the disclaimer will not appear in the body of the messages.

Past helpful posts

How to Spot a Phish
https://inside.capital.edu/ITStatus/index.php/2018/10/11/how-to-spot-a-phish-101118/

Top 10 List for Cyber Security Awareness Month (October 2018)
https://inside.capital.edu/itstatus/index.php/2018/10/10/top-10-list-for-cyber-security-awareness-month-october-2018/

Spam Definitions

SPAM: Spam is unsolicited or junk email that clogs up your email inbox trying to get you to buy something. The best way to deal with spam is not to open it or reply to it.

Spoofing: Spoofing is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Email spoofing is the most popular tactic used by scammers because users are more likely to open an email when they think it has been sent by a legitimate or familiar source. The goal of spoofing is to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons.

If you suspect spoofing, check the email’s header to see if the email address generating the email is legitimate. Visit phishing.org for more information on phishing attacks.

Phishing: Phishing is an unsolicited email message trying to get you to give up something. Typically they are trying to get your username and password. Sometimes they try to get you to click on a link or run an attachment that will infect your computer with a virus. To learn more about phishing attacks and tactics, visit phishing.org.

Spear Phishing: A spear phishing email is customized for a particular organization or person. It will use the same graphics and language as an official email. The goal is the same as a phishing attack.

Many of you may remember the spoofed emails from scammers who were using their own Gmail and Yahoo accounts to send out email messages to the campus using a variation of Dr. Paul’s name as part of the sender’s name and email. The goal was to try to pass off a document to all employees asking them to read it by signing into a “non Capital.edu” website which would then capture the victim’s login name, password and possibly other personal information.

Always check the sender’s information closely for validation and legitimacy.

Whaling: A recent escalating trend on campus is the whaling email phishing attack. Whaling is a specific type of phishing attack that targets high-profile employees, such as the CFO, managers and supervisors. The cybercriminal’s goal is to manipulate the victim into authorizing high-value wire transfers to them or to trick the victim into buying gift cards and sending them the card numbers.