The holiday season is here and we will be searching for the perfect gifts for many people in our lives. Shopping from the convenience of our own home is one of the greatest benefits of the internet. You don’t have to wait in line, stand in crowds, or even take off your pajamas. With this convenience, comes many cyber criminals creating fake shopping websites, sending phishing emails, and trying to steal from others.

Spot Fake Online Stores 

Criminals can create fake websites that replicate the look of real sites or using the names or well-known stores or brands. When you are searching online for the lowest prices, you may find yourself directed to one of these websites. Below are ways to help identify fake websites:

  • Shop with reputable merchants.
  • Research the website. There are many independent sources that will give grades to websites. Places like Reseller Rating or Better Business Bureau can be very informative. Even entering the the URL into a search engine and looking at results can be informative.
  • Check the merchant’s customer information and return policies. Do not provide a vendor with personal information or bank account numbers. Make sure that they will support you if you package is stolen or missing.

Your Computer and Mobile Device

Protecting your device is just as important as shopping at legitimate websites. Make sure to always install the latest updates and run up-to-date anti-virus software. This makes it much harder for a cyber criminal to infect your device. On top of that, if you have children, let them use a secure device. Not one where your credit card or bank information is stored.

Be Sure the Transaction is Secure

When you are in the checkout process, the web site should be using encryption called SSL (Secure Sockets Layer). SSL ensures secure transmission of your credit card information across the internet. You can tell if the web site is using SSL by look for https: (rather than http://) at the beginning of the web site’s address in the browser.

Your Credit Card Information

Never send your credit card numbers via e-mail. Although it is generally safe to enter your credit card number on a secure web site, it is not safe to send it through e-mail. E-mail is sent through the internet in clear text format, so it’s possible for someone other than the vendor to see it.

Keep a record of your transactions. Print or store the copy somewhere for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.

Consider using credit cards that generate a unique card number for every online purchase, such as PayPal, which do not require you to disclose your credit card number to the vendor.

Taking Action

If you do have a problem with an online vendor, first attempt to work it out with them directly. Don’t just rely on e-mail; call them as well. If you cannot resolve the problem to your satisfaction, contact your back and ask them to stop the payment. You can also use an online service such as SquareTrade to resolve your dispute.

Finally, you can file a complaint to the state Attorney General’s Office, post your experience on a site like Reseller Ratings, or contact the Better Business Bureau.

 

 

How To Identify Spam Email 

Identifying spam emails can be tricky as many come from someone you know or copy the look and feel of popular websites. They create emails and websites that have official looking logos and content. If you find that you are receiving unsolicited emails,  there are a few easy ways to identify them as spam.

  1. Sender’s email address – If it contains a long string of characters before the @ sign, it is very likely that the email is spam.
  2. Check the “To” field – If the message was sent to several unrelated names or distribution lists then it is most likely spam.
  3. Urgency – If the email is instructing you to do something right away or within X hours, it is a good indication of spam.
  4. Attachments – Look for attachments you weren’t expecting and NEVER open attachments from an unknown sender. Viruses are often sent through a zip file.
  5. Grammatical and spelling errors – Most spam message will contain at least a few spelling or grammatical errors.
  6. Generic Greetings – If it says something like “IT Customer” or “Dear Valued Customers”, it could be spam.
  7. Links – Hover over the link to see if the URL that appears in the message matches the status bar and the URL that you are expecting to see. If you want to go to the website, you should type the website yourself.
  8. Requests for Personal Information – Banks, eBay, PayPal and other online services will NEVER ask you for your personal information through email. Ignore any email that asks you for personal information in an email or through a link in an email.

If you ever think you have received a spam email, delete it. Do not reply to the email and don’t assume that emails from someone you know are safe. If you are every unsure, please feel free to reach out to FIS.

Multi-Factor Authentication

Over the past few weeks, many of us have begun to use Duo Mobile, the new Multi-Factor secure login solution now offered by Pitt through CSSD.  This new solution comes highly recommended by Pitt’s information security team.  FIS strongly encourages the implementation of this solution and some of our supported departments have mandated its use.  We would like to take a moment to answer some frequent questions and concerns that are brought up on Multi-Factor authentication.

What is Multi-Factor Authentication?

Simply put, Multi-Factor Authentication is a method for securing access to computer system which requires users to present different types of evidence to verify who they are before accessing the system.  There are three common methods, or factors, used to authenticate ones identity.  These are:

Something You Know

This factor includes usernames and password.  If you know the proper username and password combination you are granted access to the system.

Something You Have

This factor includes keys and tokens.  If you possess the right key you can unlock the door.  If you have the correct token you are allowed in the room.

Something You Are

This factor typically includes biometric data such as fingerprints, voice recognition, and retina scans.  Once very costly, this factor is now common.  Many models of smart phones, laptop, and tablets can now recognize faces and scan fingerprints.

In order to implement Multi-Factor authentication, a method from at least two of these categories must be used.  Allowing access after scanning a fingerprint and using voice recognition would not be multi-factor becomes both are from the “something you are” category.  Likewise, simply having two passwords would not be multi-factor as both passwords would fall under “something you know”.  However, if you first scanned in your fingerprint and then entered a password in order to gain access to a system, you would be using Multi-Factor authentication.

Why is Multi-Factor Authentication Being Implemented at Pitt?

Traditionally, your Pitt account has been protected by a single factor, Something You Know, which is your username and password.  While this does provide some level of protection which gets better the more complex your password is, it is susceptible to a social engineering attack which is growing in popularity – Phishing.  We have all received suspicious emails informing us that we must change our password immediately or verify some setting with a link that bring us to a fake page asking us to enter our credentials.  The hackers are hoping that a few people they attack will enter their credentials, which can then be used to access the Pitt system when the hackers decide to do so.

Duo-Mobile, the new Multi-Factor solution that Pitt has implemented, adds a second factor, Something You Have.  This is done by connecting a specific phone number to the account.  When the username and password is entered for that account a notification (either a call or an application notice) is sent to a specific phone number.  In order to log in, the user must possess the phone associated with that phone number.  Even if the hackers know the phone number it does them no good if they do not possess the physical phone.  The owner of the phone and account will be notified as soon as any unauthorized access is attempted as well.  Then the password can then be immediately changed, making the Something You Know factor secure once again.

Due to the increasing popularity of Phishing and other Social Engineering attacks targeting usernames and passwords, the University has concluded that implementing Multi-Factor Authentication is not only prudent, but necessary.  An account with Multi-Factor Authentication applied is exponentially more secure than one without.

How Do I Set Up Multi-Factor Authentication and How Does It Work?

Computing Services and Systems Development provides an excellent set of instructions on how to set up Multi-Factor Authentication for your account which can be found at by clicking this link. As always, FIS Customer Support would be happy to assist with setup and any issues that may arise while using the Duo Mobile Multi-Factor Authentication solution.  We can be contacted at 4-FIS1 or via ticket submission at the FIS Support Portal.

Once you have Duo Mobile Multi-Factor Authentication set up it will add an additional action to the login process each time you access a secure service with Pitt’s Single Sign On solution.  After putting in your username and password you will either receive a notification on your smartphone or tablet via the Duo Mobile application or an automated phone call from the Duo Mobile service.  The application will give you a button to press to approve the log on and the automated phone call will prompt you to press 1 on your phone to approve the log on.  Once Due Mobile receives approval via application or phone call your login will complete.  Using the mobile application adds 5 to 10 seconds to the login process while using the phone option typically adds about 15 to 20 seconds.

Duo Mobile supports the option to add a secondary authentication device and we strongly recommend that a secondary device be set up.  This means that if a smartphone is lost or left at home for the day a second option is available from the authentication screen, such as your desk phone number.  You can simple click a button and Duo Mobile with authenticate via your secondary device.

Do you do your holiday shopping online? There are a few easy ways to protect yourself online whether you are purchasing items for yourself or for the University with your P-Card. Follow the tips below for a safe experience:
1. Shop with reputable merchants. Only purchase from online vendors that you are familiar with, or do some research first. If you are not familiar with an online store, use caution. Just because the website looks professional, it doesn’t mean the vendor is trustworthy or has proper security controls in place. Check an independent source that allows customers to rate their shopping experience with a vendor such as Reseller Ratings. You can also refer to the Better Business Bureau to see if there are any complaints listed. You should also be aware that in some cases, you may be purchasing from an individual rather than business, and your legal recourse may be different in the event of a dispute.

2. Check the merchant’s customer information and return policies. Before ordering, be sure to read the terms of sale, return policies and fees, shipping methods and prices, and guarantees. Make note of vendor’s policies for storing and distributing your personal contact information. If you do not want to be included on mailing lists or have your contact information made available to third parties (spam lists), look for an option on the web site to indicate your preference. Do not provide vendors with sensitive personal information, such as your social security number or bank account numbers. Basic shipping and credit card information is all that should be required to make a purchase.

3. Be sure the transaction is secure. When you are in the checkout process, the web site should be using encryption called SSL (Secure Sockets Layer). SSL ensures secure transmission of your credit card information across the internet. You can tell if the web site is using SSL by looking for “https://” (rather than “http://”) at the beginning of the web site’s address in the browser. Another sign is the presence of a padlock symbol in the address bar of the browser. In Internet Explorer, the padlock symbol will appear on secure pages in the address bar, located to the right side of the web address. You can click on the lock symbol to verify the security of the site.

4. Never send credit card numbers via e-mail. Although it is generally safe to enter your credit card number on a secure web site, it is not safe to send it through e-mail. E-mail is sent through the internet in clear text (non-encrypted) format, so it’s possible for someone other than the vendor to see it. Sending a credit card number through e-mail is the equivalent of writing it on a postcard rather than mailing it in an envelope.

5. Keep a record of your transaction. Before you leave the transaction page of the web site, print a copy of the screen and keep it for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.

6. Use Identity Finder to protect your data. All FIS-supported computers have a program called Identity Finder installed. It will search your files, e-mails, databases, websites, and web browser data for Social Security numbers, Credit Card numbers, Bank Accounts, Passwords, etc. so you can then take steps to remove the sensitive data from your files. This program is also available for home use by contacting FIS.

7. Keep a record of your transaction. Before you leave the transaction page of the web site, print a copy of the screen and keep it for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.

8. Take action if there is a problem. If you do have a problem with an online vendor, first attempt to work it out with them directly. Don’t just rely on e-mail; call them as well. If you cannot resolve the problem to your satisfaction, you should contact your bank and ask them to stop the payment. If that’s not possible, you can use an online service such as SquareTrade to resolve your dispute. You can also file a complaint to the state Attorney General’s Office, who will investigate the case. You should also post your experience on a site like Reseller Ratings so other customers can be warned. While you may also wish to contact the Better Business Bureau, note that they have no authority over the vendor. They will simply accept your complaint and allow the vendor to respond.

 


Archives