It seems like every other day you hear about a new data breach or a new scam designed to steal the credentials of unsuspecting end users. With the advent of social media, it's easier than ever to social engineer someone using details of their own identity. Against this constant barrage of attacks, the community focuses heavily on best practices for navigating the murky seas of online life.
It's enough to make your head spin: practice good online habits (don't click on links from unknown sources), don't make your personal information publicly available on social media sites, create strong passwords for all your logins, and, for the sake of everything good in this world, make sure you're not reusing them across multiple sites. Keeping up with all of this can be a bit overwhelming, but as good members of the online community, we trudge along all the same.
In my mind I picture the quintessential hacker posed menacingly over their laptop, specifically targeting the weak with their malicious actions. The inherent anonymity of the internet creates a feeling of paranoia that one slip-up and my identity is up for auction to the highest bidder. Little did I know that students from a school in Pennsylvania faced attacks of a different kind... the parental kind.
The main issue this school needed to combat is that some parents take on the responsibility of setting up the school account for their first-year student ahead of time. This gives the parent not only the student's username and password but also the job of enrolling the Challenge Questions and the mobile phone used for password resets. It essentially hands them the keys to the kingdom. This is all well and good until the student forgets their password or gets locked out of their account: they now depend on the parent to take the appropriate action.
Another issue that had arisen was relatives or significant others impersonating the student when calling the help desk. Because they know a great deal about the student, help desk employees face a nearly impossible task in discerning whether the caller on the other end of the phone is actually the student.
As you can see, these situations are far from optimal for the students or the IT Department, because they undermine the security and control the school needs to maintain. An IT Department can put all the safeguards in place, and a student can follow all the best online practices, but if a parent, relative or significant other really wants to log in to the student's account, what is really stopping them?
When it comes right down to it, mitigation is the best approach. While the school may not be able to stop a parent from completing the initial enrollment for a first-year student, the IT Department can certainly give the student control to change that information to suit their own needs. By allowing the student to re-enroll the answers to their Challenge Questions, change the mobile phone number to their personal phone, and change their current password, the student can take ownership of the account: once the parent-enrolled recovery factors have been replaced, they no longer unlock anything.
This can be accomplished in one of two ways: providing a user-friendly way to manage the account from a central login portal, or having the student call the help desk to clear their enrollment data after a successful verbal authentication, which lets them re-enroll these items at their next login.
Which brings me to the next point: help desk impersonation. Using a tool that lets help desk employees verbally authenticate a student by asking questions only the student and the school are likely to know significantly increases the odds that the person on the phone is in fact the student. In addition, sending the student an email notification whenever a change is made to their account adds another layer of security, provided the notification goes to an address the student controls. It raises a flag to the student if an unauthorized change has been made and lets them act accordingly.
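To make the flow above concrete, here is an added example (not code from the original post, the school, or any vendor product it refers to) that models the three pieces together: a student re-enrolling their own challenge answers and mobile number, the help desk clearing enrollment only after a verbal authentication succeeds, and a notification recorded for every change. The class name, the "two of three answers" threshold, the three-strike lockout and the PBKDF2 work factor are all assumptions chosen for illustration; a real help desk tool would persist this to a database and send real mail.

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field
from typing import Optional


def normalize(answer: str) -> str:
    """Canonicalize an answer so 'Fluffy ' and 'fluffy' compare equal over the phone."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a copied database does not reveal the answers themselves.
    The iteration count is an assumption picked for a quick demo."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class StudentAccount:
    """Hypothetical account record holding the recovery factors discussed above."""
    username: str
    contact_email: str                                  # where change notices are sent
    questions: dict = field(default_factory=dict)       # question -> (salt, hash)
    mobile: Optional[str] = None
    failed_verbal_attempts: int = 0
    locked_for_helpdesk: bool = False
    must_reenroll: bool = True                          # nothing enrolled yet
    notifications: list = field(default_factory=list)   # stand-in for outbound e-mail
    audit_log: list = field(default_factory=list)

    MAX_VERBAL_ATTEMPTS = 3                             # assumed lockout threshold

    def _notify(self, message: str) -> None:
        self.notifications.append((self.contact_email, message))
        self.audit_log.append(message)

    def enroll(self, answers: dict, mobile: str) -> None:
        """Student (re)enrolls challenge answers and a personal mobile number,
        replacing whatever a parent may have set up earlier."""
        self.questions = {}
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            self.questions[question] = (salt, hash_answer(answer, salt))
        self.mobile = mobile
        self.must_reenroll = False
        self._notify(f"Recovery details for {self.username} were (re)enrolled")

    def verbal_authenticate(self, answers: dict, required: int = 2) -> bool:
        """Help desk reads the questions to the caller; at least `required` must match.
        Each answer is compared in constant time, and repeated failed calls lock the
        phone path so a relative cannot keep guessing."""
        if self.locked_for_helpdesk or self.must_reenroll:
            return False
        correct = 0
        for question, (salt, expected) in self.questions.items():
            given = answers.get(question, "")
            if hmac.compare_digest(hash_answer(given, salt), expected):
                correct += 1
        if correct >= required:
            self.failed_verbal_attempts = 0
            return True
        self.failed_verbal_attempts += 1
        if self.failed_verbal_attempts >= self.MAX_VERBAL_ATTEMPTS:
            self.locked_for_helpdesk = True
            self._notify(f"Help desk verification for {self.username} locked after repeated failures")
        return False

    def helpdesk_clear_enrollment(self, agent: str, answers: dict) -> bool:
        """Agent clears the recovery data only after verbal authentication succeeds;
        the student must re-enroll at next login and is told about the change."""
        if not self.verbal_authenticate(answers):
            self.audit_log.append(f"{agent}: verification failed for {self.username}")
            return False
        self.questions = {}
        self.mobile = None
        self.must_reenroll = True
        self._notify(f"{agent} cleared recovery data for {self.username}; re-enroll at next login")
        return True


if __name__ == "__main__":
    # Constructed sample data, not real student information.
    acct = StudentAccount("jdoe", "jdoe@example.edu")
    acct.enroll({"First pet?": "Fluffy", "Birth city?": "Harrisburg"}, "555-0100")
    print("caller verified:", acct.verbal_authenticate({"First pet?": "fluffy", "Birth city?": "HARRISBURG"}))
    print("cleared by agent:", acct.helpdesk_clear_enrollment("agent7", {"First pet?": "Fluffy", "Birth city?": "Harrisburg"}))
    for recipient, message in acct.notifications:
        print(f"notify {recipient}: {message}")
```

Two design points matter more than the data model. First, the notification is tied to every state change, including the lockout, so the student learns about a help desk call they did not make. Second, an account with nothing enrolled (or one that has just been cleared) cannot be verbally authenticated at all, which forces the student to set their own factors before the phone path works again.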
While these approaches are not infallible, since it is ultimately up to the student not to share their personal information with loved ones, they are an effective way to combat an extremely difficult problem. Perhaps educating the student body not to share this information should be part of an IT Department's best practices? Above all, a solution that gives control back to the IT Department and the student body will go a long way toward negating these types of impersonation.
Check out the Oaks Christian Case Study below!