Apple has allowed its customers to set up two-factor authentication for their Apple ID. Two-factor authentication is an extra layer of security for your accounts that is designed to ensure that someone else simply knowing your password is not enough to gain access to your account. Pitt employees should be very familiar with this as the login process for my.pitt.edu uses dual authentication. This article’s intention is to explain how Apple’s two-factor authentication works, how to set it up, and how to manage your account it’s set up.
How it works
Your Apple ID can only be accessed on devices you trust and trusted phone numbers. A trusted device is an iPhone, iPad, or iPod touch with iOS 9 and later, as well as a Mac with OS X El Capitan and later that you’ve already signed in to using two-factor authentication. This will make the device known and can be used to verify your identity by displaying a verification code from Apple when you sign in from a different device or browser. A trusted phone number is a number that can be used to receive verification codes by text message or automated phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.
When you sign into a new, trusted device for the first time, you will need to provide two pieces of information. The two pieces of information are your password and the six-digit verification code that’s automatically displayed on your trusted devices. The verification code is a temporary code sent to the trusted device when you sign in to a new device or browser with your Apple ID. Entering the code verifies that you trust the new device.
For example, if you already have an iPhone and are signing in to your Apple ID for the first time on a newly purchased Mac, you will be prompted to enter your password as well as the verification code that’s automatically displayed on your iPhone. This means that if someone was trying to access your Apple ID, they would need to know your password and physically obtain the device you registered as trusted.
A few things to note from the example provided above. Once you signed into your newly purchased Mac, you will not be asked for a verification code on the device again unless you sign out completely, erase the device, or need to change your password for security reasons. If you sign in on the web, you have the ability to choose to trust your browser, so you will not be asked for a verification code the next time you sign in from that computer.
How to set up two-factor authentication for your Apple ID
An important thing to note before we get into setting up two-factor authentication, once it is on, it can only be turned off within the first two weeks of enrollment. To turn on two-factor authentication on your iPhone, iPad, or iPod Touch, follow the steps below.
Turn on two-factor authentication
If you are using iOS 10.3 or later:
- Go to Settings.
- Tap <your name>.
- Tap Password & Security.
- Tap Turn On Two-Factor Authentication.
- Tap Continue.
If you are using iOS 10.2 or earlier:
- Go to Settings.
- Tap iCloud.
- Tap <your Apple ID>.
- Tap Password & Security.
- Tap Turn On Two-Factor Authentication.
- Tap Continue.
Enter and verify your trusted phone number
- Enter the phone number where you want to receive verification codes when you sign in.
- Choose to receive the codes via text message or automated phone call.
- Tap Next.
- A verification code will be sent to the phone number you provided.
- Enter the verification code to verify your phone number and turn on two-factor authentication.
How to manage your two-factor authentication account
You are able to manage your trusted phone numbers, trusted devices, and other related account information from your Apple ID account page. To view and manage your trusted devices follow the steps below.
- Go to your Apple ID account page.
- Sign in with your Apple ID.
- Go to the Devices section.
The device list that will appear shows the devices that you are currently signed in to with your Apple ID. On this screen, you can view the model, serial number, and other useful information such as whether or not the device is trusted. You are also able to remove a trusted device from this page.
For more information about Apple ID Two-Factor Authentication, please submit a ticket through the FIS portal.
13 Sep 2018
Scammers pretending to be the Chinese Consulate office have recently started contacting people in the hopes of obtaining your bank account or credit card information. This social engineering attack has been recognized by the Federal Trade Commision (FTC). An attack like this reminds us that scammers are always trying new tactics to rob people by simply tricking them into making a mistake. This article intends to help you learn how these attacks work and how to identify them.
What is Social Engineering
According to SANS.org, social engineering is a psychological attack where an attacker tricks you into doing something that you shouldn’t do. This concept is not new. Con artists have been attempting to steal money from unknowing people for thousands of years. Scammers are essentially con artists using today’s technology to aid them in stealing. What makes this tactic so effective is that today’s technology allows them to not be physically seen and contact millions of people around the world either by phone call or email.
Take for example the recent attack from scammers pretending to be the Chinese Consulate. According to the FTC’s website, people across the country have reported getting a call or message saying they have to pick up a package at the Chinese Consulate office, or they need you to give them information to avoid being in trouble with the Chinese Consulate. We actually had multiple people at FIS receive this phone this week! This type of phone call is a perfect example of what social engineering is and what it is trying to accomplish.
Another example is a CEO fraud, which is an email attack that most often occurs at work. The way this attack work is a scammer researches your company and identifies the name of your boss or coworker. This is especially easy to obtain here at the University of Pittsburgh as most information like this is public knowledge. The attacker then creates an email pretending to be that person which asks you to take some sort of action such as wiring them money or emailing sensitive company/employee information.
You should know that social engineering attacks are not limited to emails and phone calls. They can occur in any form. The best thing you can do is be as informed as possible on the subject and never, ever send money or sensitive data over the phone or via email if someone is asking for it.
How to Detect a Social Engineering Attack
While social engineering attacks are dangerous and tricky, stopping such an attack is simpler then it seems. Often times, common sense is your best defense. Listed below are some of the more common clues of a social engineering attack.
- Someone creating a sense of urgency that requires immediate action. For example, you may receive a phone call from someone claiming to be from a computer support company that tells you your computer is infected and you need to purchase their security software or risk losing all of your computer data.
- Someone asking for information they should not have access to such as bank account numbers or social security numbers.
- Someone asking for a password. Legitimate companies will not ask you for your password.
- Something that seems too good to be true. For example, being notified you won an iPad or the lottery.
- Receiving an email from a friend or coworker that contains verbiage that does not sound like it’s from them.
If any of those scenarios occur, you should take appropriate action such as hang up the phone or delete the email. In the instance of receiving an odd email from a friend or coworker, it is recommended to reach out to them through some other means of communication. For more information, please submit a ticket through the FIS portal or review your security awareness training.
We all know the role that social media now plays in the world. Between Facebook, Twitter, Instagram, SnapChat, and LinkedIn, social media has become nearly inescapable. While these sites are amazing resources for connecting people across the globe, they all come with risks. These risks not only could affect you but also your friends, family, and employer. This article is going to cover some key steps for securely using social media.
Perhaps the most important and obvious step towards securely using social media is to be careful of what you post. Even if you enable privacy features and think your posts are not viewable to everyone, you should still post with the mindset that it can be viewed by everyone. If it could negatively impact your reputation and future, it should not be posted on any social media platform.
Even though privacy features should not be viewed as a filter that blocks your posts from being viewed by anyone, they should still be enabled. Almost all social media sites have strong privacy features. However, with strong privacy features comes change and confusion. You should make it a habit to check for any changes and to confirm they are working the way they are intended.
Another seemingly obvious security step is to create a strong, unique password. This has been drilled into all computer users head’s but it is still avoided by many people. The reason for its avoidance is simple. People have a hard time remembering complex passwords and do not want to have to remember passwords for multiple systems. While we recognize the annoyance in having multiple complex passwords, it is still a key step in securely using not only social media sites but computers in general.
Unfortunately, creating a strong password for all of your accounts is no longer enough. You should still have a strong password but you should also enable two-factor authentication on all of your social media accounts. Pitt has already enabled two-factor authentication when logging into my.pitt.edu in order to protect you from people who could potentially obtain your password. While this may seem like more work, your personal information will be substantially more secure. To look at it another way, you would not want simply having your ATM card as a way to withdraw money. Banks knew this and decided a pin was also necessary to access the features of an ATM card.
You should also be careful of what you click on when using social media sites. There is a good chance you can be tricked into providing personal information by clicking on a fraudulent post or link. If a friend’s post seems suspicious you should avoid accessing it.
Being careful of what you post, creating a strong password, enabling two-factor authentication, and being careful of what you click on when using social media sites are all effective ways to securely use social media. If you have any questions or would like to learn more, please submit a ticket through the FIS portal.
FIS is currently in the process of upgrading all of our customer’s operating systems from Windows 7 to Windows 10. Many customers are already on Windows 10 and many others are being upgraded in the near future. There are some cosmetic and functional differences between the two operating systems. Just like any change, the differences can take some getting used too. This article hopes to make the adjustment between the two operating systems smoother and better your understanding of Windows 10.
Let’s begin with the start button. The biggest changes are the way you log off, lock, restart, and shut down the computer, and search for programs and commands. To log off and lock the computer, click the start button and select the profile icon which is located directly above the start button two icons up. To restart and shut down the computer, click the start button and select the power icon which is located directly above the start button. To search for programs and commands, click the start button and just start typing in the program you are trying to locate. Windows 10 does not have a search field like Windows 7 did. A few other minor changes are that “All Programs” is now “All Apps” and “Printers and Devices” is now “Printers and Scanners.”
Aside from all those changes, you will also most certainly notice that it looks significantly different. This cosmetic change is noticeable as soon as you log into the computer as the start button, taskbar, and notification pane all look different. It also varies in appearance upon clicking the start button.
Another big change is Microsoft’s newest browser, Edge. While Internet Explorer is still a part of Windows 10, Microsoft is trying to deliver a better web experience, hence the reason Edge was built. It’s fast, compatible, built for the modern web, and optimized to perform on Windows 10. For example, according to Microsoft, you can get up to 53% more battery life when you browse the web with Edge. The Edge icon looks slightly different than Internet Explorer. The Edge icon is a dark blue lowercase “e” whereas Internet Explorer’s icon is a light blue lowercase “e” with a ring around. Lastly, Edge is a more secure browser than IE.
Speaking of security, Windows 10 is also an enhancement in that area compared to Windows 7. It comes with a set of innovative and coordinated security capabilities designed for many of the sophisticated cyber threats that occur today. You have advanced protection from viruses, ransomware, and malware because of Windows Defender (Microsoft’s antivirus program). These settings are managed by FIS.
What is mentioned above is just a small sampling of Windows 10 and its differences between Windows 7. To learn more about Microsoft’s newest operating system, please submit a help ticket via the FIS portal.
24 May 2018
Home network security as defined by the United States Computer Emergency Readiness Team refers to the protection of a network that connects devices to each other and to the internet within a home. With technology becoming more and more prevalent in our daily lives, it becomes increasingly important to protect against security risks. This article hopes to better your understanding of the risks associated with being connected to the internet as well as the importance of properly securing your home networks and systems.
Most people are under the assumption that their home network will never be attacked. This is a very common misconception for a couple of reasons. Home users believe their network is not big enough to be at risk of a cyber attack, and they think the devices they are provided by companies such as Comcast and Verizon are plenty secure. This line of thought is wrong and can be costly because attacks can occur to any network connected to the internet no matter the size, and the devices you are provided by Internet Service Providers (ISPs) are preconfigured with factory issued settings such as default usernames and passwords that create opportunities for cyberattackers to gain unauthorized access to information, amongst other problems.
The good news is that there are ways to prevent these types of problems. By improving the security of your home network, you can significantly reduce the chances of being successfully attacked. The list below are ways to improve the security of your home network.
- Regularly update software as the updates often include critical patches and security fixes for the most recent threats and vulnerabilities
- Remove/uninstall unnecessary services and software to reduce security holes on a device’s system
NOTE: This is especially important on new computers as they are often pre-installed with many software and application trial versions
- Adjust factory default configurations on software and hardware because the configuration settings are created to be user-friendly and are not geared towards security
- Install up-to-date antivirus software and make sure to enable automatic virus definition updates
- Install a network firewall to block malicious traffic from entering your home network and alert you to any potential dangerous network activity
- Install firewalls on network devices to inspect and filter a computer’s inbound and outbound network traffic
- Back up your data on a regular basis to minimize the impact if your data is lost, corrupted, infected, or stolen
- Enable wireless security by:
- Using the strongest encryption protocol available
- Changing the router’s default administrator password
- Changing the default SSID (often referred to as the network name)
- Disabling WPS (WiFi Protected Setup)
- Reducing wireless signal strength
- Turning the network off when not being used
- Disabling UPnP (Universal Plug and Play) when not needed
- Upgrading firmware
- Disabling remote management
- Monitoring for unknown device connections
- Familiarize yourself with the most common elements of a phishing attack
- Create strong passwords by:
- Making the password long and complex
- Creating a unique password for each account
- Never use personal information within the password
For more information about home network security, please visit the United States Computer Emergency Readiness Team website.
27 Apr 2018
Microsoft has recently announced new advanced security features available to Office 365 subscribers. Since the University of Pittsburgh migrated to Office 365, these new protection capabilities are available to you.
The new security features offered are:
- File recovery for OneDrive
- Outlook prevent forwarding
- Email encryption
File Recovery for OneDrive
This feature allows you to restore your entire OneDrive to a previous version within the last 30 days. This can be very helpful when a file or multiple files are accidentally deleted, become corrupt, or some other disastrous issue. Keep in mind the file restore will only work for files that were stored on your OneDrive. If the file was stored somewhere else, this feature will not work.
To use file restore:
- Go to http://portal.office.com
- Login with your University email address and password (may not be required if you are already logged into Office 365).
- Click the OneDrive icon.
- Click the Settings icon in the top right-hand corner.
- Click OneDrive – Restore your OneDrive.
- Select a date from the dropdown menu and click Restore.
Outlook Prevent Forwarding
This feature allows you to restrict your email recipients from forwarding or copying your emails. Prevent forwarding should be used when an email you send contains sensitive information.
To send an email with the prevent forwarding feature:
- Open Outlook and compose a new email.
- Go to the Options tab and click the dropdown arrow under Permission.
- Select Do Not Forward.
- Send the email.
This feature offers an added layer of protection to sent emails. Some email providers don’t encrypt their connection, which means your communication could be susceptible to being intercepted and read. If you use the email encryption feature offered by Office 365, the email you send will remain encrypted over a secure connection. This should be used when sending an email to an external user.
To send an email with the email encryption feature:
- Open Outlook and compose a new email.
- Go to the Options tab and click the dropdown arrow under Permission.
- Select either University of Pittsburgh – Confidential or University of Pittsburgh – Confidential View Only.
NOTE: Selecting University of Pittsburgh – Confidential will allow recipients to modify the content but not copy or print it. Selecting University of Pittsburgh – Confidential View Only will not allow recipients to modify the content.
- Send the email.
For more information on all of these features and more, please visit Office 365 new capabilities.
When you are scrolling your Facebook feed or taking a Buzzfeed quiz online, do you answer historical questions? Questions about your childhood home, your family dog, or the first car you drove can expose you to cyber criminals. These seemingly harmless games can lead to Facebook or quizzes online can help the company store and potentially sell your data. That is not to mention the other people that are seeing your answers online.
You may think to yourself, who care if they knew my first dog was a Boxer named Luna. Well, if you ever used that as a security question to reset your password, you may be more concerned. These data-harvesting schemes have become more and more prevalent and give identity thieves and scammers easier ways to access your online accounts.
There are many examples of this but, lets take a look at a few from krebsonsecurity.com
San Benito Tire Pros created a post that says, “What car did you learn to drive stick shift on?” This seems like a harmless answer, but by answering this question you could be giving them the answer to “What was the make and model of your first car?” This questions is one of the most commonly used by banks and other companies to verify customers before they reset their password.
Another from Good Old Days asks “What was your first pet, and what was it’s name?” This one is a little more obvious as it directly asks the question that you will frequently see as your security questions from companies online.
This can also happen when Facebook pages post quizzes or articles but pose questions as their caption. Texas asked “What was your high school mascot?” with a link to the most unusual texas high school mascots.
Protect yourself online and don’t share your historical data or make sure you answers to security questions are fictional. However, then you have to remember what you wrote.
16 Nov 2017
The holiday season is here and we will be searching for the perfect gifts for many people in our lives. Shopping from the convenience of our own home is one of the greatest benefits of the internet. You don’t have to wait in line, stand in crowds, or even take off your pajamas. With this convenience, comes many cyber criminals creating fake shopping websites, sending phishing emails, and trying to steal from others.
Spot Fake Online Stores
Criminals can create fake websites that replicate the look of real sites or using the names or well-known stores or brands. When you are searching online for the lowest prices, you may find yourself directed to one of these websites. Below are ways to help identify fake websites:
- Shop with reputable merchants.
- Research the website. There are many independent sources that will give grades to websites. Places like Reseller Rating or Better Business Bureau can be very informative. Even entering the the URL into a search engine and looking at results can be informative.
- Check the merchant’s customer information and return policies. Do not provide a vendor with personal information or bank account numbers. Make sure that they will support you if you package is stolen or missing.
Your Computer and Mobile Device
Protecting your device is just as important as shopping at legitimate websites. Make sure to always install the latest updates and run up-to-date anti-virus software. This makes it much harder for a cyber criminal to infect your device. On top of that, if you have children, let them use a secure device. Not one where your credit card or bank information is stored.
Be Sure the Transaction is Secure
When you are in the checkout process, the web site should be using encryption called SSL (Secure Sockets Layer). SSL ensures secure transmission of your credit card information across the internet. You can tell if the web site is using SSL by look for https: (rather than http://) at the beginning of the web site’s address in the browser.
Your Credit Card Information
Never send your credit card numbers via e-mail. Although it is generally safe to enter your credit card number on a secure web site, it is not safe to send it through e-mail. E-mail is sent through the internet in clear text format, so it’s possible for someone other than the vendor to see it.
Keep a record of your transactions. Print or store the copy somewhere for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.
Consider using credit cards that generate a unique card number for every online purchase, such as PayPal, which do not require you to disclose your credit card number to the vendor.
If you do have a problem with an online vendor, first attempt to work it out with them directly. Don’t just rely on e-mail; call them as well. If you cannot resolve the problem to your satisfaction, contact your back and ask them to stop the payment. You can also use an online service such as SquareTrade to resolve your dispute.
Finally, you can file a complaint to the state Attorney General’s Office, post your experience on a site like Reseller Ratings, or contact the Better Business Bureau.
09 Jun 2017
How To Identify Spam Email
Identifying spam emails can be tricky as many come from someone you know or copy the look and feel of popular websites. They create emails and websites that have official looking logos and content. If you find that you are receiving unsolicited emails, there are a few easy ways to identify them as spam.
- Sender’s email address – If it contains a long string of characters before the @ sign, it is very likely that the email is spam.
- Check the “To” field – If the message was sent to several unrelated names or distribution lists then it is most likely spam.
- Urgency – If the email is instructing you to do something right away or within X hours, it is a good indication of spam.
- Attachments – Look for attachments you weren’t expecting and NEVER open attachments from an unknown sender. Viruses are often sent through a zip file.
- Grammatical and spelling errors – Most spam message will contain at least a few spelling or grammatical errors.
- Generic Greetings – If it says something like “IT Customer” or “Dear Valued Customers”, it could be spam.
- Links – Hover over the link to see if the URL that appears in the message matches the status bar and the URL that you are expecting to see. If you want to go to the website, you should type the website yourself.
- Requests for Personal Information – Banks, eBay, PayPal and other online services will NEVER ask you for your personal information through email. Ignore any email that asks you for personal information in an email or through a link in an email.
If you ever think you have received a spam email, delete it. Do not reply to the email and don’t assume that emails from someone you know are safe. If you are every unsure, please feel free to reach out to FIS.
02 Feb 2017
Over the past few weeks, many of us have begun to use Duo Mobile, the new Multi-Factor secure login solution now offered by Pitt through CSSD. This new solution comes highly recommended by Pitt’s information security team. FIS strongly encourages the implementation of this solution and some of our supported departments have mandated its use. We would like to take a moment to answer some frequent questions and concerns that are brought up on Multi-Factor authentication.
What is Multi-Factor Authentication?
Simply put, Multi-Factor Authentication is a method for securing access to computer system which requires users to present different types of evidence to verify who they are before accessing the system. There are three common methods, or factors, used to authenticate ones identity. These are:
Something You Know
This factor includes usernames and password. If you know the proper username and password combination you are granted access to the system.
Something You Have
This factor includes keys and tokens. If you possess the right key you can unlock the door. If you have the correct token you are allowed in the room.
Something You Are
This factor typically includes biometric data such as fingerprints, voice recognition, and retina scans. Once very costly, this factor is now common. Many models of smart phones, laptop, and tablets can now recognize faces and scan fingerprints.
In order to implement Multi-Factor authentication, a method from at least two of these categories must be used. Allowing access after scanning a fingerprint and using voice recognition would not be multi-factor becomes both are from the “something you are” category. Likewise, simply having two passwords would not be multi-factor as both passwords would fall under “something you know”. However, if you first scanned in your fingerprint and then entered a password in order to gain access to a system, you would be using Multi-Factor authentication.
Why is Multi-Factor Authentication Being Implemented at Pitt?
Traditionally, your Pitt account has been protected by a single factor, Something You Know, which is your username and password. While this does provide some level of protection which gets better the more complex your password is, it is susceptible to a social engineering attack which is growing in popularity – Phishing. We have all received suspicious emails informing us that we must change our password immediately or verify some setting with a link that bring us to a fake page asking us to enter our credentials. The hackers are hoping that a few people they attack will enter their credentials, which can then be used to access the Pitt system when the hackers decide to do so.
Duo-Mobile, the new Multi-Factor solution that Pitt has implemented, adds a second factor, Something You Have. This is done by connecting a specific phone number to the account. When the username and password is entered for that account a notification (either a call or an application notice) is sent to a specific phone number. In order to log in, the user must possess the phone associated with that phone number. Even if the hackers know the phone number it does them no good if they do not possess the physical phone. The owner of the phone and account will be notified as soon as any unauthorized access is attempted as well. Then the password can then be immediately changed, making the Something You Know factor secure once again.
Due to the increasing popularity of Phishing and other Social Engineering attacks targeting usernames and passwords, the University has concluded that implementing Multi-Factor Authentication is not only prudent, but necessary. An account with Multi-Factor Authentication applied is exponentially more secure than one without.
How Do I Set Up Multi-Factor Authentication and How Does It Work?
Computing Services and Systems Development provides an excellent set of instructions on how to set up Multi-Factor Authentication for your account which can be found at by clicking this link. As always, FIS Customer Support would be happy to assist with setup and any issues that may arise while using the Duo Mobile Multi-Factor Authentication solution. We can be contacted at 4-FIS1 or via ticket submission at the FIS Support Portal.
Once you have Duo Mobile Multi-Factor Authentication set up it will add an additional action to the login process each time you access a secure service with Pitt’s Single Sign On solution. After putting in your username and password you will either receive a notification on your smartphone or tablet via the Duo Mobile application or an automated phone call from the Duo Mobile service. The application will give you a button to press to approve the log on and the automated phone call will prompt you to press 1 on your phone to approve the log on. Once Due Mobile receives approval via application or phone call your login will complete. Using the mobile application adds 5 to 10 seconds to the login process while using the phone option typically adds about 15 to 20 seconds.
Duo Mobile supports the option to add a secondary authentication device and we strongly recommend that a secondary device be set up. This means that if a smartphone is lost or left at home for the day a second option is available from the authentication screen, such as your desk phone number. You can simple click a button and Duo Mobile with authenticate via your secondary device.