To protect against internet scammers, BU is mandating a two-step authentication process for employees seeking online access to their direct deposit bank information and other data in BUworks.
Faculty and student employees of the University must perform the two-step process beginning today. Other employees were enrolled in recent months.
The process, using the online security tool Duo Security, requires employees to log in to BUworks through its Central Portal with their usernames and Kerberos passwords as in the past. Then, they will be asked to confirm their identity, either via a smartphone app, an automated call to a mobile or landline phone, or a text message to a cell phone. Duo Security can remember a device for a month, so an employee can register whatever they typically use and then avoid the two-step authentication until the next month. The University recommends that employees who frequently use BUworks avail themselves of this option.
Employees will be guided by prompts to sign up for Duo Security when they try to log in to BUworks. They can sign up as many phones as they’d like—landline and/or mobile—and then choose which line Duo Security should contact when they log in.
BU has been working on the system in the months since phishers—internet scammers who con victims out of their passwords and private information—rerouted paychecks from several University employees’ bank accounts. BU, which reimbursed the workers for their stolen pay, was among several universities targeted in a wave of phishing attacks last winter.
“People who want to look at their pay statement, make adjustments to their benefits, make changes to their annual benefit selections, record life events, and so on would do so through the Central Portal, and therefore those activities that deal with very sensitive information are protected” with Duo, says Quinn Shamblin, BU’s executive director of information security.
While employees view and manage direct deposit information through BUworks, it also serves other vital purposes, being used “by thousands of employees in their daily job function for personnel actions, reporting, managing their budgets, purchasing goods and services, et cetera,” BUworks executive director Kenneth Weeden says.
Last winter’s phishers sent phony emails that appeared to be from the University and asked employees for usernames and passwords. “Unfortunately, experience has shown that people are not as good at recognizing malicious email as you might think,” says a message on BU’s Information Services & Technology Duo Security information site, which includes frequently asked questions. “Every day, members of the BU community fall prey to these kinds of scams. We have to take steps to ensure that we are more than just a single click away from having our paycheck stolen or becoming a victim of identity theft.”
Employees who lose their mobile phone or leave it at home can contact BU’s IT Help Center. In the former case, the center will secure their Duo account to prevent breaches; in the latter, the center will confirm their identity and give them a temporary passcode to log in to BUworks.
Phishing scams often are sent on weekends, when people view email on home computers or mobile phones that lack the security protections of BU’s network. Genuine emails from BU will never ask for confidential information such as passwords and usernames, and no employee should provide that information when an unsolicited email requests it.