Help Wanted: Attackers need you to defeat MFA

A growing trend in cybersecurity is to attack victims through texting and social channels, tricking them into giving access to their accounts, files, and data.

As a refresher, multifactor authentication is the highest standard for logging into accounts and services. Simply put, it takes two things to access your Ohio State account: 1) something you know (your username and password), and 2) something you have (the DUO push notification on your cell phone).

Credentials (usernames and passwords) are notoriously vulnerable. After so many data breaches, those details can be readily available to attackers on the dark web. What they DON’T have, and don’t necessarily need, is the ability to perform a multifactor (DUO) confirmation.

Now, cybercriminals are coming after users to get it. The example provided by our Digital Security and Trust team shows a chat interaction between a student and an attacker who is mimicking the Help Desk, threatening to shut down the victim's email, and then directing them to authenticate with a DUO push notification or provide a DUO code. In this case, the victim provided their code, and their account was compromised.

 

The Ohio State support team and help desk will never ask you to provide your password or your DUO code. If you are contacted by a strange sender asking for this information:

  1. Reach out directly to your support team to inform them of the potential attack
  2. Change your Ohio State username and password if there is any chance you shared your password by mistake

Crimes are never the fault of victims. But by remaining vigilant against attackers, you can protect yourself. Reporting suspicious activity can help us all.