Whether you like to grab the best online deal on Black Friday and Cyber Monday, or your tastes run to making an online donation on Giving Tuesday, shopping online during the holidays is fast and simple. But it can come with some dangers if you aren’t watching for red flags.
Online scammers use all sorts of methods to distract you from signs of their deception. Here are some tips and suggested actions from the Cybersecurity Training and Awareness team at Technology Services.
Check a seller’s reputation before sending them payment or personal information. For online stores, you can search for the website along with the terms “complaint” or “fraud” or check the Better Business Bureau. Also, check the seller’s return and refund policy for anything suspicious, like high restocking fees or shipping costs.
If buying on social media, verify whether a seller is reputable by checking their posts and activity history. If you discover an account that hasn’t posted anything in years and is suddenly selling electronics at incredibly low prices, scammers have likely taken over the account.
Think twice if a seller only accepts payment by gift card, wire transfer, or cryptocurrency. These payment methods are a prime scammer tactic, as it is usually impossible to recover your funds in cases of fraud. According to the Federal Trade Commission, credit cards offer the best consumer protection when shopping online.
To protect your online donation, be sure to visit a charity’s official website and also check them out before giving at Give.org. A legitimate charitable organization will have documented history of actual good done and will demonstrate what donations are used for.
High-pressure tactics, whether you are buying or donating, can also be a warning sign. Scammers may create a sense of emergency, play on your emotions, and use time-sensitive pricing to get you to buy now.
Last month, Technology Services was a presence all over campus at events that demonstrated how to avoid phishing and the real-world consequences of getting hooked.
October is Cybersecurity Awareness Month and Technology Services reaches out to the wider university annually with activities that grab your attention and impart a message. This year included games, rewards, and chances to exercise both creativity and teamwork.
“As tactics get more sophisticated and we are bombarded with more and more messages, it’s important to understand how cybercriminals use trusted technologies and our own emotions against us to gain access to data, passwords, and credentials,” explained Lead Cybersecurity Training Specialist Isaac Galvan.
Phish Market – keeping you off the hook
Aimed at students, the Phish Market featured games like you’d experience at a community fair. Participants answered questions about phishing and played for prizes.
Galvan estimated that more than 100 students came through the Digital Computer Lab on October 4 and tried their hand at Phish Phootball, spun the Wheel of Phish, took selfies with costumed staff, and played other carnival games.
Students nowadays are digital natives and might think they have the upper hand when it comes to technology, that they can’t get tricked. But phishing is more than the delivery method, according to Galvan. “Whether it’s sent in email or via text, a lot of what makes for successful phishing is the bad actor getting you to bypass red flags or succumb to emotional pressures. Reminding students to slow down and think before acting in our fast-paced environment is part of what we shared at this event,” he explained.
Haiku Contest – cybersecurity in just 17 syllables
Anyone at the university was encouraged to submit either original or AI-generated haiku poetry with a phishing or cybersecurity theme.
“The judging panel had a great time reading through more than 70 submissions and it was hard to select favorites to showcase to the campus community,” said Cybersecurity Training Specialist Sandy Bone.
“One of the best parts about the contest was that the haikus demonstrated creativity and quite a lot of cybersecurity knowledge in very few words. Haiku only allows for 17 syllables,” she added.
Technology Services provides cybersecurity for both the UIS and UIUC campuses, and there were facilitated in-person escape rooms at both locations. Teams of 4-5 worked their way through a packet of clues and used deductive skills to “save the barnyard.”
“This is another very engaging learning tool in our toolkit. We’ve adapted it from Indiana University’s original version, and it’s been well received each time. When a small group can successfully complete this challenge, it helps people to know they have the knowledge needed to spot and avoid phishing when it comes their way in real life,” Galvan explained.
Haunted Phish Market – a second chance at phishing fun
Taking advantage of the tradition of handing out candy on Halloween, staff set up at the Campus Instructional Facility on October 30 to reprise the Phish Market; this time adding candy giveaways to the prizes as a bonus for participation.
“We engaged with more than 300 people that day and it was a fantastic way to wrap up the month,” said Bone.
The learning continues year-round
Technology Services’ charge includes increasing the number of individuals at the University who regularly receive cybersecurity training. This type of outreach expands upon what the team does with scheduled in-person and online trainings.
Good cybersecurity practice is a two-sided coin, according to Galvan. “The University uses the best tools and has a team of professionals protecting our systems and data. And there are thousands of employees and students who can help increase that protection by putting what they learn in all our training venues into action,” he said.
When you don’t really notice notices, you risk letting scammers in.
Many of us enable notifications on our smartphones so we know when new information arrives. It can be great to stay on top of the latest news or your friends’ upcoming activities.
Enhanced security protocols such as multi-factor authentication (MFA) for your bank account or for university resources use the same push notification tools. Notifications can be set up on your device so that a quick tap lets you in.
When you become overwhelmed by all the noise, you are at risk of missing out on clues that tell you a request is from a scammer hoping to steal your credentials.
As explained by Isaac Galvan, Lead Cybersecurity Training Specialist in Technology Services, MFA fatigue is when a cybercriminal floods you with approval prompts in the middle of the night or randomly throughout the day. “The cyber-criminal hopes to fatigue you with endless notifications so you get tired of them and, in frustration, approve one,” he said.
Keep the following in mind to help avoid these MFA scams.
Timing is everything.
When a notice appears, does it coincide with when you are visiting a website or using an application? Manager of Identity and Access Jeremy Watson explained that you should not click or swipe unless you are actively using an application. “If you are awoken at 3:30 a.m. because of repeated texts or notifications, be concerned. You are NOT trying to log in to your account while fast asleep, so do not click,” he said.
Only approve Duo prompts you initiated by logging in with your password and keep generated passcodes secret from everyone.
We won’t call you to approve anything.
When a cybercriminal has an account’s password, they also need to get past the MFA protection. Cyber-criminals can try to catch you off guard by impersonating a university official or IT staff member. Galvan added that a help desk or IT staff member “will never ask you to approve an MFA prompt or generate a passcode.”
He recommends you change your password if you get suspicious Duo prompts that you didn’t initiate or receive phone calls asking you about multifactor authentication. This is a sign that someone else may have your password.
You can get notified of unapproved access.
Watson suggested you check your MFA settings for old or unrecognized devices and phone numbers. While you’re there you can set up a default approval device, so you get prompted when your password has been used to log in. You can change your password and update your MFA settings in the NetID Center at https://identity.uillinois.edu.
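The push-bombing pattern Galvan describes is also something an identity team can watch for on the server side, since a burst of prompts for one account is the attacker's own footprint. The following Python script is an added example written for this page; it is not Technology Services code and does not use Duo's API or log format. It assumes a constructed "timestamp user event result" log layout, a hypothetical threshold of four push prompts inside ten minutes, and assumed quiet hours of 00:00 to 05:00 UTC, and it flags whether a burst ended in an approval, which is the case where the article's advice to change the password applies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user event result" layout.
# This is not Duo's export format; a real deployment would parse its own
# provider's authentication log. Timestamps are UTC.
SAMPLE_LOG = """\
2023-11-02T03:31:04Z alice push_sent pending
2023-11-02T03:31:40Z alice push_sent pending
2023-11-02T03:32:15Z alice push_sent pending
2023-11-02T03:32:50Z alice push_sent pending
2023-11-02T03:33:21Z alice push_sent denied
2023-11-02T03:33:59Z alice push_sent approved
2023-11-02T09:15:00Z bob password_ok success
2023-11-02T09:15:02Z bob push_sent approved
2023-11-02T14:02:11Z bob push_sent approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def find_push_bursts(log_text, threshold=4, window=timedelta(minutes=10),
                     quiet_hours=(0, 5)):
    """Return {user: details} for every user whose densest run of push
    prompts inside `window` reaches `threshold`.

    threshold, window and quiet_hours are tuning assumptions; a legitimate
    user rarely triggers more than one or two pushes per login attempt.
    """
    pushes = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, event, result = parse_line(line)
        if event == "push_sent":
            pushes[user].append((ts, result))

    alerts = {}
    for user, items in pushes.items():
        items.sort()
        best = (0, 0, 0)  # (count, start_index, end_index) of the densest window
        start = 0
        for end, (ts, _) in enumerate(items):
            # Slide the window start forward until the span fits inside `window`.
            while ts - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count < threshold:
            continue
        burst = items[s:e + 1]
        alerts[user] = {
            "pushes": count,
            "first": burst[0][0],
            "last": burst[-1][0],
            "approved_during_burst": any(r == "approved" for _, r in burst),
            "off_hours": quiet_hours[0] <= burst[0][0].hour < quiet_hours[1],
        }
    return alerts


def triage(alert):
    """Map an alert to the response the article recommends."""
    if alert["approved_during_burst"]:
        return "reset password and review MFA devices: a prompt was approved during a push burst"
    return "contact user: repeated unapproved prompts suggest a leaked password"


if __name__ == "__main__":
    for user, alert in find_push_bursts(SAMPLE_LOG).items():
        span = f"{alert['first']:%H:%M} to {alert['last']:%H:%M}"
        print(f"{user}: {alert['pushes']} pushes {span} UTC, "
              f"off-hours={alert['off_hours']} -> {triage(alert)}")
```

In the constructed log only alice trips the rule: six prompts in under three minutes at 03:31 UTC, the last one approved. Bob's two prompts are hours apart and each follows a normal login, so a per-window count separates the two cases without any knowledge of who the legitimate user is.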
When you think of an insider you might think of someone “in the know” or part of a select group. You also may think of the term in relationship to the world of finance. Insider trading is illegal, and it makes headlines when it happens on a large scale.
You likely don’t consider yourself an insider, yet you are. As a member of the University of Illinois community (or any organization), you have access to at least some networks, systems, or data. Whenever a person has the potential to cause a cybersecurity incident or a data breach, even unintentionally, it is known as an insider threat.
Often cybersecurity incidents due to insider activity happen by accident. What seemed an innocent action resulted in an unintended consequence.
Earlier in 2023 a disciplinary investigation was launched at an international company stemming from an employee allegedly sharing private information. The individual transcribed a recorded meeting with an audio-to-text application and then entered that transcription into an AI tool to create meeting notes. [SOURCE: Samsung employees allegedly leak data via ChatGPT (cshub.com)]
What’s the cure? Be cybersecure.
Taylor Judd, Manager of Cybersecurity Infrastructure and Engineering with Technology Services, offers some simple actions you can take to reduce the chance that YOU become an insider threat.
Out with the old.
Anytime you re-share or share something, review the existing permissions, and remove those that no longer apply. Get rid of old equipment, forms, and cloud storage. “You have your spring house cleaning; do a fall clean of your digital life both professionally and personally. Old data can still be exploited even if it’s not used actively,” he said.
When in doubt: report.
The cybersecurity team is here to help and appreciates any reports of suspicious digital activity to security@illinois.edu.
Judd also suggested careful consideration of requests to share. Double check unusual requests or messages using a separate communication method, like a known email address or trusted phone number. “If something sounds off, take time to independently confirm that it’s legitimate,” he advised.
Keep sensitive information secure.
“One way is to avoid putting sensitive information into ChatGPT or another AI platform. Another way is to lock your computer or device whenever you’re not using it,” Judd said.
On a Windows computer, press the Windows key plus the L key (for Lock) on your keyboard at the same time. To find the Windows key, check near the space bar for a key that looks like the Windows logo.
Guard the physical security of your space.
When an unauthorized person closely follows someone else who is authorized into a restricted area it’s called tailgating, and it can pose a security risk.
• Ask coworkers to scan their own i-cards so there is a record of who enters secured areas. This helps with safety, such as in case of a building fire.
• Be cautious about holding the door for visitors, including delivery people.
• Close doors securely behind you.
Watch for more cybersecurity tips throughout the 2023-24 academic year.
Individuals with malicious intent are all over the internet looking for ways to reach you and get something they want: money, data, information. We can read daily about harmful scams, identity theft, phishing, and ransomware. What’s the cure? You!
When you actively work to secure your digital life, you become less of a target. You can close or lock doors once open to bad actors with simple actions.
Generative AI refers to artificial intelligence models that create content in various forms, including text, images, and audio across many formats and mediums.
Generative AI uses deep-learning algorithms and training data to produce new content that approximates the training data.
Given the incredible rise in popularity and the transformative nature of Generative AI, following is some general guidance to consider related to data privacy. Note: not legal advice, and not intended to be comprehensive.
If you use generative AI in regular work
Explore options to purchase or license a business or enterprise version of the software. Enterprise software usually brings contractual protection and additional resources such as real-time support.
Begin discussions with your colleagues about the privacy considerations listed in the next section.
Consider where and how existing policies and best practices can be updated to better protect user privacy.
Remember to validate the output of Generative AI, and if using Generative AI in a workflow, consider implementing formal fact-checking, editorial, and validation steps to your workflow.
If you create or develop generative AI
Provide transparency about how your Generative AI models are trained. Inform users what data might be collected about them when using generative AI and create accessible mechanisms for users to request data deletion or opt-out of certain data processing activities.
Explore incorporating privacy enhancing technologies in your initial design stages to mitigate privacy risks and protect user data. Consider technologies that support data deidentification and anonymization, PII identification and data loss prevention, and always incorporate principles of data minimization.
If you would like assistance as you consider data minimization, data anonymization, or data deidentification in your AI, the Privacy Team can help. Contact privacy@illinois.edu.
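Judd's advice earlier on this page to keep sensitive information out of ChatGPT, and the data-loss-prevention and data-minimization technologies mentioned just above, can both be enforced at the point where text leaves for an external AI service. The following Python script is an added example written for this page, not Technology Services or Privacy Team code. It assumes a constructed meeting-notes snippet and a hypothetical `prepare_prompt` gate; the regular expressions cover e-mail addresses, U.S. Social Security numbers, U.S. phone numbers and payment card numbers only, and card candidates are confirmed with the Luhn checksum so that ordinary long numbers such as ticket IDs are not redacted by mistake.

```python
import re

# Constructed patterns for a few common PII types. They are deliberately
# simple and will miss some formats; a production DLP filter would use a
# maintained detector library and be tuned to the unit's own identifiers.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
US_PHONE = re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most other long
    digit strings (ticket numbers, tracking codes) that the CARD regex matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pii(text):
    """Return (redacted_text, findings); findings is a list of (kind, value)."""
    findings = []

    def replacer(kind, validator=None):
        def sub(match):
            raw = match.group(0)
            if validator is not None and not validator(raw):
                return raw  # matched the shape but failed validation: leave it
            findings.append((kind, raw))
            return f"[{kind.upper()} REDACTED]"
        return sub

    out = EMAIL.sub(replacer("email"), text)
    out = CARD.sub(replacer("card", lambda s: luhn_ok(re.sub(r"\D", "", s))), out)
    out = SSN.sub(replacer("ssn"), out)
    out = US_PHONE.sub(replacer("phone"), out)
    return out, findings


def prepare_prompt(text, allow_redacted=True):
    """Hypothetical gate for text bound for an external AI service. With
    allow_redacted=False the call refuses outright when any PII is present,
    which is the safer setting for regulated data."""
    clean, findings = redact_pii(text)
    if findings and not allow_redacted:
        kinds = ", ".join(sorted({k for k, _ in findings}))
        raise ValueError(f"refusing to send prompt containing: {kinds}")
    return clean


# Constructed meeting-notes snippet; every identifier in it is made up.
SAMPLE_NOTES = (
    "Summarize: call Jane at 217-555-0142 or jane.doe@example.edu about the "
    "refund; SSN on file 123-45-6789; card 4111 1111 1111 1111 was charged; "
    "ticket 1234567812345678 stays open."
)

if __name__ == "__main__":
    clean, found = redact_pii(SAMPLE_NOTES)
    print(clean)
    for kind, value in found:
        print(f"  redacted {kind}: {value}")
```

Run on the constructed notes, the e-mail address, card number, SSN and phone number are replaced with labelled placeholders while the 16-digit ticket number survives because it fails the Luhn check. The order of the substitutions matters: card numbers are handled before phone numbers so that a separator-formatted card is never mistaken for a shorter pattern.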
Additional guidance
Generative AI is not new, and concerns regarding its use and potential harms have been raised and discussed for years.
In light of the recent popularity and public access to generative AI capabilities, it’s important to remember there are existing policies and practices, as well as scholarly, historical, and theoretical applications that should be considered alongside the more recent conversations. Initiatives involving personally identifiable information (PII) at the university, including generative AI, are subject to all applicable laws, university policies, and university contractual obligations.
In the university setting, specific privacy laws that come into consideration include the federal U.S. Privacy Act as well as state privacy laws such as PIPA, industry specific regulations such as FERPA, HIPAA, COPPA, and geographic and extraterritorial international laws such as GDPR and PIPL, among others. For more information about these laws and others, see the Electronic Privacy Information Center’s guide. Given the unprecedented access to and increasing adoption of AI and generative AI capabilities, market forces are driving steep competition to add AI capabilities to existing offerings. This pressure may result in compromised ethics and integrity when rushing new features and new capabilities to market.
Training data may include data that was collected in violation of copyright and privacy laws, among other laws or ethical considerations, which may contaminate the model and any products that use it.
Training data refers to the initial structured and unstructured data (databases, text, video, books, websites, blogs, etc.) used to train machine learning algorithms. We will not know the societal and business impacts of these violations for many years.
Identifying and removing personally identifiable information (PII) from large language models is largely untested and therefore may complicate responding to data subject requests within regulated timeframes. Additionally, if PII is a part of the large language model it may be possible for generative AI to expose PII in the output.
It is likely that input data may be used as training data, and users are more likely to overshare when data collection is interactive and conversational.
Users may lack technical literacy to understand that Generative AI is mimicking human behavior.
Users can be intentionally misled to believe they are interacting with a human.
Given the prolonged and conversational method of interaction, users may lower their guard and share personal information.
It is unclear what personal information, user behavior, and analytics are being recorded and retained, or shared with third parties.
As generative AI is mainstreamed, it is likely to follow proven channels for monetization, such as using personal data for targeted advertising. Clear policies should be established regarding the retention and deletion of user data collected during interactions with generative AI systems. When considering uses, determine whether individuals may request deletion of their personal data, which is a requirement of GDPR and most other privacy laws.
Depending on how they’re used, generative AI models may qualify as automated decision-making, which creates heightened privacy and consent obligations.
Under the GDPR, individuals “have the right not to be subject to a decision based solely on automated processing, including profiling,” that has legal or similarly significant effects (GDPR Article 22(1), PIPL Article 73).
Privacy laws in Colorado, Virginia, and Connecticut give individuals the right to opt out of personal data processing for purposes of profiling.
Given the prolonged and conversational interaction of many chatbot-based Generative AI solutions, special care should be taken to minimize legal and privacy risks related to wiretapping.
Risks arise in many possible implementations, including under federal and state wiretap laws. The extent of the risk largely depends upon what information is collected and who has access to the information, so properly configuring the Generative AI solutions with these risks in mind, including incorporating appropriate notice and consent language, is essential. To mitigate these risks, any implementation of a Generative AI service should be reviewed by University Counsel and the University Ethics and Compliance Office.
Generative AI models can be susceptible to adversarial prompt engineering, where malicious actors manipulate input to generate harmful or misleading content.
Malicious prompt engineering may lead to the dissemination of false information, the exposure of sensitive data, or inappropriate collection of private information.
Implementation of Generative AI should be transparent for users and be accompanied by training and educational programming.
Educating users about how AI models work, the data they collect, and the potential risks involved can empower individuals to make informed decisions and take necessary privacy precautions when engaging with such technologies. Promoting AI literacy within the University community is crucial to assist in understanding the privacy implications of interacting with Generative AI systems.
Generative AI systems have the potential to generate content that may inadvertently or intentionally defame individuals or organizations.
Vigilantly implement measures to prevent the generation of defamatory content, such as robust content moderation, human review and editing, and filtering mechanisms.
Clear policies should be in place to address and rectify any instances of defamation that may arise from the use of Generative AI systems, ensuring accountability and protecting the reputation of the University and our communities.
Generative AI systems have the potential to generate false, misleading, or inaccurate content.
Users should be aware the output created by generative AI may not be accurate or true. These models do not evaluate or analyze outputs for accuracy in fact or substance. Instead, they evaluate outputs on their similarity to the training data they are built upon.
Technology Services staff sat down with new Deputy CIO and Chief Information Security Officer Kim Milford to learn more about her background, strengths, goals, and a bit about her personality.
Whether you spend a little or a lot of time using social media, anyone who uses these platforms is potentially at risk from cyber criminals and their tactics.
Stalkers and cyberbullies can use social media to track your movements. Current and future employers can use social media to see messages from you that may have been intended only for friends or family. Here are five things you can do for a safer social experience.
Turn on privacy settings.
Don’t give away your location.
Don’t say how long you’ll be in a particular location.
Don’t share any photos of yourself that you wouldn’t want your boss to see.
Be comfortable with your message living on the internet forever. If you’re not comfortable, don’t publish it.
On June 12, you will no longer be able to receive a phone call to authenticate with Duo. The “Call me” feature will be disabled. You must make sure your Duo settings are correct before this change happens to guarantee uninterrupted access to University websites and resources.
Test your current setup
Depending on the options you selected when you initially set up your device in Duo, your steps to make a change to another authentication method will vary. The simplest way to ensure uninterrupted access is to begin with a test. Navigate to the NetID Center website at identity.uillinois.edu and click the blue “Log in” button. After entering your NetID and password, you will see a NetID Center 2FA screen like one of these below:
If you have a smartphone or basic mobile
If your device is capable of receiving SMS text messages, but you do not see the “Text me” button as above, you’ll need to set up your device again within the Duo registration system. You will set up the same phone number.
Once you’re signed in to the NetID Center, click the “Manage my 2FA” button under the 2-Factor Authentication heading. Then click the “+ Add a new device” button at the bottom of the ‘My Devices & Settings’ section.
Select “Smartphone (recommended)” – THIS MUST BE DONE FOR ANY SMS-CAPABLE PHONE NUMBER, EVEN BASIC MOBILE PHONES
Select “Yes” after entering your number and follow the prompts to scan the QR code using your phone’s camera.
Everyone, even basic mobile users, should select “Yes” at the phone number input screen. After entering your number, follow the prompts to scan the QR code using your phone’s camera. You may be asked about replacing the device – this is intentional and should be allowed.
If you have a basic mobile phone, you can select not to use the app once you reach this screen.
Landline only users
If the phone number you use for authentication is a landline that cannot receive an SMS text message, you will need to acquire a hardware token to replace it as your second device. These are available from the WebStore. Check with your unit HR or IT groups to determine their policy for providing them to employees. They may be purchased either by units or individuals.
If you’re having trouble replacing your 2-factor authentication device to enable text messages or the Duo Mobile app, or you have any other questions about this change, please contact the Technology Services Help Desk by email at consult@illinois.edu or by phone at 217-244-7000.
World Password Day is an annual event on the first Thursday in May meant to raise awareness about the importance of using strong passwords to protect oneself online.
In just the time it takes to read this sentence, that uncomplicated password can be hacked.
The chart below demonstrates how it becomes exponentially more difficult for a hacker to guess your password the longer and more complex you make it.
Password table courtesy of Hive Systems https://www.hivesystems.io/password
Unique Passwords = Better Defense
Our passwords and PINs protect all kinds of important and sensitive data. These best practices can help keep your passwords and PINs safer.
Create longer passwords and passphrases. University passwords must be at least 12 characters long, but you can use up to 127 characters! (It would take centuries to crack a password of that length.) The longer the password, the more secure it is. Try one of these strategies for creating longer passwords and passphrases:
Put together three or four random words, like “provoke-pedigree-ion-clutter,” then add capital letters, numbers, or special characters as required.
Make up a story. For example, imagine a famous person visiting the website that you’re using, and how they would use that site. Create a password based on your story.
Abbreviate a phrase unique to you. For example, from the phrase I kicked my computer 23 times today for not working right, you could create the password “Ikmc23tt4nwr” by using the first letter of each word.
Consider using a reputable password manager. The average American has somewhere between 70 and 150 online accounts that require a password. A password manager can remember all those unique passwords for you. Password managers safely store and manage usernames, passwords, PINs, and other data for your accounts and devices. They make it easy to log in to websites using just one master password.
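The Hive Systems chart referenced above is an image and does not survive on this page, so the following Python script is an added example written for this page (not Hive Systems' or Technology Services' material) that reproduces the underlying calculation: the number of candidates an attacker must try grows as alphabet size to the power of length, and the time to exhaust them is that count divided by the guessing rate. It assumes a 95-character printable-ASCII alphabet for "letters + digits + symbols", an offline guessing rate of 10^12 per second and an online, rate-limited rate of 10^3 per second (both assumptions), and a 7,776-word list for the random-words strategy, which is the size of a standard Diceware list.

```python
import math

# Alphabet sizes for the character classes the article mentions. Assumption:
# "symbols" means the 33 printable ASCII punctuation characters, giving 95 in all.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower case": 52,
    "letters + digits": 62,
    "letters + digits + symbols": 95,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case for the attacker: years needed to try every candidate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def passphrase_years(wordlist_size, words, guesses_per_second):
    """Same calculation for the "three or four random words" strategy, assuming
    the attacker knows the word list and separator and so guesses whole words,
    not characters. This is the honest lower bound for that strategy."""
    return wordlist_size ** words / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(guesses_per_second=1e12, lengths=(8, 12, 16, 127)):
    """Rows of (charset, length, bits, years) at an assumed guessing rate."""
    return [(name, n, round(entropy_bits(size, n), 1),
             years_to_exhaust(size, n, guesses_per_second))
            for name, size in CHARSETS.items() for n in lengths]


def describe_years(years):
    """Human-readable scale, from minutes up to scientific notation."""
    minutes = years * SECONDS_PER_YEAR / 60
    if minutes < 1:
        return "under a minute"
    if minutes < 60:
        return f"about {minutes:.0f} minutes"
    if minutes < 60 * 24:
        return f"about {minutes / 60:.1f} hours"
    if years < 1:
        return f"about {years * 365.25:.1f} days"
    if years < 1e6:
        return f"about {years:,.0f} years"
    return f"about {years:.1e} years"


if __name__ == "__main__":
    offline = 1e12  # assumption: fast offline attack against a leaked fast hash
    online = 1e3    # assumption: rate-limited guessing against a live login page
    for name, n, bits, years in crack_time_table(offline):
        print(f"{name:28s} len {n:3d}: {bits:6.1f} bits, {describe_years(years)}")
    print("4 random words, offline:", describe_years(passphrase_years(7776, 4, offline)))
    print("4 random words, online: ", describe_years(passphrase_years(7776, 4, online)))
    print("12 mixed characters, offline:", describe_years(years_to_exhaust(95, 12, offline)))
```

Two results are worth noticing. The 127-character maximum the university allows is astronomically beyond "centuries" at any rate, which confirms the article's parenthetical. Less comfortably, four words drawn from a known 7,776-word list fall in about an hour at the offline rate even though the passphrase is 28 characters long, because the attacker is guessing words rather than characters; the same passphrase still holds for well over a century against an online, rate-limited login, which is why the article's advice to add capitals, numbers or symbols, and to use MFA, still matters.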
More Tips
Keep your personal data protected with better password practices
Create a strong, unique password and PIN for every account and device. Having unique passwords everywhere means that if one password or PIN is stolen or exposed, an attacker can’t use it to get into other accounts or devices too. This helps keep your other accounts and devices safer.
Don’t write down your passwords or PINs, and make sure to shield your keyboard or keypad from others when you log in. Don’t share your passwords, the answers to password reset questions, or multi-factor authentication codes sent in text messages. University IT staff will never ask you for your passwords or multi-factor authentication codes.
Avoid including your birthday or date, address, or phone number in your password. And skip the song lyrics, famous phrases, and quotations. All that information is easy to find elsewhere and makes your password easier to guess.
Multi-factor authentication (MFA) requires a physical item (a mobile phone or a hardware authentication device that plugs into a USB port). Cybercriminals can’t access an account if they have the password but not the associated MFA device. Gain an extra level of protection and begin using MFA (Duo app) if you haven’t already. Learn more about supplementing passwords from the Cybersecurity & Infrastructure Security Agency (CISA).
Always log out when using a shared or public computer. With the right browser settings in place, anyone may be able to discover your passwords.
Three privacy professionals conducting research in the library and information science space presented their current research related to privacy in the library.
by Ruth Kwak
Eager professionals and students gathered in person and online on January 27, 2023 for the 2023 Privacy Everywhere Conference: Building Digital Trust. Occurring annually, this conference covers a range of privacy topics, unpacking the university’s privacy goals and how they affect individuals. Attendees should leave the conference each year with a stronger understanding of privacy policies and how to build digital trust in all realms of life. The 2023 conference was no different.
This year’s conference covered a wide range of privacy topics, such as privacy generally in higher education, how the university protects against cybersecurity threats, China’s personal information protection law, and more. In addition to those talks, the conference included a panel that discussed privacy in specific sectors relevant to the university and beyond. Three privacy professionals conducting research in the library and information science space presented their current research and projects related to topics of privacy in the library.
Patron Privacy Protections in Public Libraries by Masooda Bashir
Dr. Masooda Bashir currently researches issues and topics related to Privacy, Security, and Trust in relation to digital information. One of her many research studies conducted in this space was focused specifically on privacy, security and trust in public libraries. She sought to understand what the current practices of patron privacy are in public libraries, and what challenges libraries currently face in protecting patron privacy. To do this, Masooda and her team conducted an online survey in 2020, pivoting quickly from in-person forums due to the pandemic. The survey respondents, made up of library admin, librarians, IT staff, supervisors, and other library staff identified that the most needed step to strengthen patron privacy in public libraries is more library employee training on patron privacy and increasing staff knowledge about privacy-enhancing technologies. Challenges to protecting patron privacy included lack of technical knowledge among library staff, lack of training, and inadequate funding or resources.
Prioritizing Privacy – Professional Development Project with Libraries by Kyle Jones
Dr. Kyle Jones partnered with our university’s Lisa Janicke Hinchliffe and a research team to work on a three-year continuing education program (ending August 2023) aimed at training academic library practitioners to address privacy and other ethical implications associated with learning analytics and academic libraries. With Lisa, Kyle created an online, Canvas-based, asynchronous, cohort-model e-learning course informed by Quality Matters (QM) standards. The course contains six modules and includes materials such as lectures from the research team, readings/media, collaborative learning activities, and recorded interviews with privacy and learning analytics experts. The course has run for 3 semesters so far; 99% of surveyed participants agreed that they learned important skills they did not know before the course, and 100% agreed that they will use the information they learned. On a 5 point scale, there was also a point and a half jump in knowledge from the pre-course assessment to the post-course assessment.
Although the project ends in August 2023, the course materials are already made accessible, and will remain so indefinitely, for anyone to use for professional development via Canvas or other learning management systems. Kyle is also currently modifying the course to potentially be used for the LIS/iSchool curricula.
Professor Lisa Janicke Hinchliffe presented specifically on privacy in library licensing. Although libraries buy and license a lot of materials, often the contracts between the library and the vendor don’t cover how user data is handled. Additionally, when the contracts do include issues related to privacy, often they aren’t up to library values and expectations. To address this, Lisa began the Licensing Privacy Project. She wanted to figure out if the university can have more agency over what happens to their users’ data in the hands of vendors.
For The Licensing Privacy Project, Lisa worked with LDH Consulting Services to create a vendor contract and policy rubric to help libraries look for privacy concerns in vendor contracts and empower them to pursue better privacy practices. The rubric contains 8 privacy domains (data collection, user data rights, data disclosure, data processing, privacy policy, data ownership, user surveillance, data security and accountability), and 3 privacy levels (exceeds minimum viable privacy, meets minimum viable privacy, does not meet minimum viable privacy). The rubric is meant to be used as a guide for internal conversations and contract negotiations, to monitor whether vendors are changing practices, and can also be used as a training tool for library staff. Lisa is still in the process of learning how this rubric is currently being used to affect library contracting.