Northern Michigan University is moving to a two-factor authentication (2FA) system that adds an extra layer of security to MyNMU and GSuite services in order to prevent hackers from obtaining users’ personal data. It will be required by May 1 and is a response to a series of recent phishing emails, which attempted to obtain sensitive information by disguising as trustworthy NMU entities. In one October incident, the bank account details of 53 NMU community members was compromised by emails that looked like they were coming from the Vielmetti Health Center.
Users who clicked on a link in the email were redirected to another page that looked like an NMU login. After they typed in their user IDs and passwords, an error message appeared and they would simply log off. Behind the scenes, hacker(s) were moving personal information into a database and later logged in to change the users’ bank account numbers to theirs. NMU Human Resources noticed the same number showing up repeatedly in direct deposit information and responded quickly enough to stop the breach before any money could be taken from the accounts.
“Anyone with an NMU account or user ID is potentially vulnerable if they have not set up two-factor authentication,” said Bill Richards, a project manager for Business Intelligence and Information Services at NMU. “The spirit of the 2FA requirement is to help keep NMU user accounts safe and secure.”
The 2FA requirement for accessing all NMU web-based services and GSuite applies to all students, faculty and staff. NMU’s Information Technology and Help Desk will monitor the system once all accounts have been switched over to ensure hackers aren’t accessing information stored within campus-managed services and systems.
“2FA is the cyber-security standard for both the private and public sector,” Richards said.” It is one of the best practices for all types of organizations to better secure sensitive data. Schools nationwide are impacted. The U.S. Department of Education recently reported that students’ financial aid refund checks at multiple institutions have been targeted. There have also been instances similar to Northern, where employees’ paychecks were routed to accounts that were not theirs.”
Richards said the most efficient way to set up 2FA is to download a mobile authenticator app and use the code that will be provided. There are two other alternatives: generating a list of 10 backup codes that can each be used only once before a new set is required through myuser.nmu.edu/user; or obtaining a USB security key from Micro Repair and inserting it into a computer.
Video or print instructions on how to set up 2FA are available at www.nmu.edu/2FA. The NMU G Suite account is a separate feature unique to Google. An overview with links to set up 2FA for NMU G Suite accounts is available at https://www.google.com/landing/2step.
Students, faculty and staff are strongly encouraged to set up the 2FA as soon as possible. Those who have not will see reminder messages and notifications when using services like MyNMU.
“Users still need to be vigilant and watch out for suspicious emails that ask for credentials,” Richards said. "Sign out of computers and mobile apps when not in use and pay attention to URLs when using online services.”