Sidestep 2FA traps

Imagine a robber gets their hands on a key to your house. While you’re out, they stop by to browse your belongings. The robber approaches the front door and unlocks the doorknob. Bingo. Then goes for the deadbolt. Rats. The deadbolt takes a different key.

Two-factor authentication (2FA) is the digital version of that second key. It’s an added layer of security for your accounts that requires you to verify your identity when logging in. UnitedHealth Group experienced a massive data breach this year due to stolen credentials and a lack of 2FA.

NC State uses Duo Security as its 2FA solution. This is an invaluable tool if your password, like your house key, is stolen. But even the best of tools isn’t 100 percent foolproof. Faced with a second security measure, cybercriminals must find new tactics to break through. Here are a few ways to thwart some common tactics and keep university data safe.

Download Duo Mobile

Using the Duo Mobile app to verify your identity is more secure than text messages, which are at risk of SIM swapping. This tactic involves a cybercriminal deceptively connecting their own SIM card to your phone number, taking control of your calls and texts. This means 2FA passcodes sent via text message can be intercepted.

With Duo Mobile, you can securely approve push notifications on your device. Download the app from the Apple App Store or Google Play Store. After downloading, you must activate your device. See How do I add a new device to Duo?

Only approve 2FA requests you initiated

If you receive an unexpected 2FA request, deny it and assume your credentials have been stolen. If you receive numerous, back-to-back push notifications, you are likely caught in a 2FA prompt bombing attack. The attacker sends frequent requests in the hopes you will approve one simply to make the notifications stop.

Before approving a Duo Mobile push notification, check that all elements of the request are accurate. This includes reviewing the app or website being logged in to, the physical location of the device, the time of access and the Unity ID. Change your password immediately if you believe it has been compromised.

Beware of look-alike websites

Fake websites are a popular method for credential theft. This type of phishing is often carried out through a malicious link sent via email or text. Clicking the link sends you to a fake login page where the cybercriminal can steal your credentials.

In some scenarios, the cybercriminal simultaneously enters your credentials into the legitimate website, which triggers a genuine 2FA request that you are likely to approve because you just tried to log in. In other scenarios, you may be sent to a second website that resembles a 2FA request for a one-time passcode.

Double-check the URL of any website that asks for your personal information, and be on the lookout for anything else that seems abnormal. An NC State login page’s URL will always start with https://shib.ncsu.edu.
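As an added example (not part of the original article), this Python check implements the URL advice above: it parses the address and compares the host name exactly, because a plain "starts with https://shib.ncsu.edu" text test also matches look-alike addresses such as shib.ncsu.edu.attacker.example or shib.ncsu.edu@attacker.example. The sample URLs are constructed for illustration.

```python
"""Check whether a URL really points at the NC State login host shib.ncsu.edu."""
from urllib.parse import urlsplit

LEGITIMATE_LOGIN_HOST = "shib.ncsu.edu"  # host named in the article


def naive_prefix_check(url: str) -> bool:
    """Literal reading of the advice: does the text start with the prefix?"""
    return url.startswith("https://shib.ncsu.edu")


def is_legitimate_login_url(url: str) -> bool:
    """True only for https URLs whose host name is exactly shib.ncsu.edu."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False            # plain http, or no scheme at all
    host = parts.hostname       # lower-cased; "user@" and ":port" already stripped
    if host is None or not host.isascii():
        return False            # empty host, or a non-ASCII look-alike host
    return host == LEGITIMATE_LOGIN_HOST


# Constructed sample URLs (not from the article) with the expected verdict.
# The first three fakes pass the prefix test; only the strict check rejects them.
SAMPLE_URLS = [
    ("https://shib.ncsu.edu/", True),
    ("https://shib.ncsu.edu:443/", True),
    ("HTTPS://SHIB.NCSU.EDU/", True),                          # case differs only
    ("https://shib.ncsu.edu.attacker.example/", False),        # extra labels appended
    ("https://shib.ncsu.edu@attacker.example/", False),        # real host is after '@'
    ("https://shib.ncsu.edu.attacker.example/login", False),
    ("http://shib.ncsu.edu/", False),                          # not https
    ("https://shib-ncsu.edu/", False),                         # hyphen swap
]


def classify(urls=SAMPLE_URLS):
    """Return (url, prefix_verdict, strict_verdict, expected) for each sample."""
    return [(u, naive_prefix_check(u), is_legitimate_login_url(u), e) for u, e in urls]


if __name__ == "__main__":
    for url, prefix_ok, strict_ok, expected in classify():
        print(f"{url:48} prefix={prefix_ok!s:5} strict={strict_ok!s:5} expected={expected}")
```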

As always, remember these three steps to avoid phishing:

  1. Be suspicious.
  2. Take your time.
  3. Ask for help.

For assistance, contact the NC State Help Desk via the NC State IT Service Portal or call 919.515.HELP (4357).