Safely Use Virtual Payment Apps

Scammers use peer-to-peer (P2P) payment apps like Cash App, Zelle, and Venmo to steal money. According to the Pew Research Center, 10% of P2P app users have been scammed. P2P apps allow users to easily send money with a phone tap. But if it’s convenient for you, it’s also convenient for scammers.

Vishing or smishing is often used to initiate P2P scams. For example, a scammer may impersonate a bank representative in a call or text to a victim about a “suspicious transaction” on their Zelle account. The scammer will request the victim’s bank login information to resolve the concern but will use the information to steal money. A bank representative will never ask for your username and password to access your account. Stay cyber-secure by only sending money to people you know, and double-checking you are sending money to the correct name, phone number, and username. Also, you should only use a credit card for transactions with strangers, because credit cards have fraud protection. And Gators, make sure to allow app updates (or install them when they become available on your device) for the latest security enhancements, like multi-factor authentication updates and app safety features.

Learn to protect yourself online by becoming more cyber-aware. Schedule a ½ hour to take the https://security.ufl.edu/resources/training/information-security-training/ today.

Work Safely with Restricted Data

Restricted data refers to data collected, maintained, or managed by the university or through any university activities that are restricted by special protections from federal or state laws, regulatory mandates, or contractual obligations. Improperly working with, storing of, or transmitting restricted data could result in the revocation of research certifications, university business partnerships, and federal and state grants. In addition to the legal liabilities and financial obligations placed on individual employees and the university, a breach or misuse of restricted data would negatively impact UF’s reputation.

Types of restricted data are listed here. They include, but are not limited to, student records (FERPA), protected health information (HIPAA), Social Security numbers and credit card information, and export controlled data (ITAR).

All faculty and staff are required to annually complete the Information Security Awareness training, which includes a section on working with restricted data. UF’s Mobile Computing and Storage Devices Policy explains security and encryption standards required for devices operating with restricted data. UFIT’s Integrated Risk Management team is available to help clarify data classifications and the technologies and tools cleared for use with restricted data. Anyone in the UF community with questions is welcome to email irm-uf@ufl.edu.

ChatGPT: Guidelines for Campus Usage

Responses provided by the ChatGPT application can save time, but beware: the data you input or ask the app to develop may be retained and provided as responses to other users. ChatGPT users have very limited control over its use of the data provided to the app, and its parent company–OpenAI–does not currently offer a process to amend or delete entries submitted. UF’s Privacy Office and the UF Information Security Office want everyone in the Gator community to understand that putting data into ChatGPT or a similar service is equivalent to disclosing the data to the public.

ChatGPT is currently being assessed for regulatory concerns related to privacy and confidentiality of data. University of Florida data classified as sensitive or restricted is not approved for use with ChatGPT. Sensitive and restricted data includes:

Social Security Numbers
Education Records
Employee Data
Credit Card Numbers
Protected Health Information
Human Subject Research Data
Unpublished Research Data
Personally Identifiable Information

An assessment of ChatGPT has been added to the university’s technology solutions website: https://irm.ufl.edu/fast-path-solutions/items/chatgpt.html. Remember that all faculty, staff, and students share the responsibility of keeping UF information secure. Visit the Office of Privacy website for additional information on using ChatGPT.

Prohibited Technologies Announced by Board of Governors

The University of Florida has complied with the State University System (SUS) Board of Governors Emergency Regulation 3.0075 – Security of Data and Related Information Technology Resources, adopted on March 29, 2023. Regulation 3.0075 requires SUS institutions to remove technologies listed on its Prohibited Technologies List from any university-owned device. Additionally, these technologies must be blocked from the university’s network.

Effective immediately, the installation or use of Tencent QQ, TikTok, WeChat, VKontakte, and Kaspersky on any university-owned device, network, or to conduct any university business including marketing and advertising, is prohibited. Faculty and staff that have any prohibited technologies installed on a university-owned mobile device or computer are required to remove them and cease their use. The prohibited technologies are also now blocked from use on any UF Wi-Fi network.

UF strongly recommends discontinuing use of the prohibited technologies and removing the apps from personal devices as well. Taking this action will help protect personal information as well as university data. University information security staff continuously evaluate technology vendors, software products, and services. UF maintains a list of approved technologies on its Fast Path Solutions website. High-risk software and services that present an unacceptable level of cybersecurity risk are listed as ‘not permitted for use’. More information on the university’s response to SUS Emergency Regulation 3.0075 can be found on UFIT’s https://security.ufl.edu/resources/prohibited-technologies/ webpage.

Avoid Public Wi-Fi

Traveling this summer? Avoid public
Wi-Fi networks as much as possible.

Using public Wi-Fi is easy because they don’t require a password. However, free unsecured access can allow hackers to watch every keystroke–as you log into bank accounts, GatorMail, make purchases, and access other files. In just seconds, all your personal and financial information can be stolen. According to Forbes, four in 10 people have had their information compromised while using public Wi-Fi.

Restaurants, hotels, and airports are among the most popular places people use unsecured Wi-Fi. Airports offer the perfect cybercrime environment. As people use public, unsecured Wi-Fi to read their emails or check the weather at their destination, someone might be tracking every click. How? One way is that hackers create free public Wi-Fi access networks with names that sound like the official airport Wi-Fi network. For instance, which would you log into: ‘CLT Free WiFi’ or ‘Charlotte Airport WiFi’? If you selected the wrong one from the list of available networks that pop up on your phone, then with just one click you are gifting all your personal information to a hacker. We are all addicted to connecting with friends, work, and family. But remember, you should only use encrypted or password-secured networks. Also, use UF’s VPN connection, so what you do send and receive is encrypted.

Visit https://news.it.ufl.edu/security/safe-travel-is-smart-travel-cyber-vigilance/ for more tips on information security and travelling safely.

Falling for a Phish Can Lead to an MFA Bombing Attack

Phishing attacks are frequently carried out through emails or texts that appear to come from a reputable source. Cybercriminals are skilled at using deceitful tactics to trick users into revealing personal information such as logins or credit card information. Common phishing tactics include:

Unsolicited work opportunities that lead to requests for bank routing information, or ask the new “employee” to purchase supplies, with the promise of reimbursement
Messages warning of an imminent deactivation of your accounts, such as bank accounts, social media accounts, or subscription services
Emails allegedly from the IRS, FBI, or other federal agency threatening legal action, and directing you to imposter websites requiring you to enter personally identifying information
Urgent requests from fake email accounts impersonating a high-level person in your organization, asking you to purchase gift cards or submit your credit card information.

Pay close attention to any email asking for GatorLink login credentials. Unauthorized access to your GatorLink account can expose your personal or academic information. Once a GatorLink login is compromised, the attacker may repeatedly spam Duo Push requests to your device — otherwise known as “MFA Bombing” — hoping you will accept just to make the requests stop. Approving an unexpected Duo request gives the criminal access to your account. Visit the MFA bombing webpage to learn more about this form of cyberattack.

Simplifying Access to HiPerGator

UF is simplifying research collaboration across the state and around the world. Research and teaching faculty from InCommon federated institutions can now utilize HiPerGator, the University of Florida supercomputer, without having to apply for GatorLink account credentials. UF is an InCommon Federation member, one of more than 500 universities and research institutions worldwide. InCommon is a multi-institutional exchange enabling members of higher education affiliates to use their digital credential for access to systems and services at member institutions.

Expanding access via the InCommon Federation saves time by reducing administrative overhead for non-UF faculty, students, and staff who would like to leverage HiPerGator. Federated access removes the manual steps since the validation has already occurred at the participant’s institution.

External researchers must still be sponsored by a UF principal investigator or UFIT staff member before HiPerGator can be accessed. Instructors with State University System of Florida or Southeastern Conference institutions who would like to incorporate HiPerGator into their teaching also still need their requests approved by Research Computing, so the proper training and consultation can be scheduled and compute resources can be allocated. Anyone with questions about requesting a federated HiPerGator account can learn more on https://www.rc.ufl.edu/get-started/hipergator/request-federated-hipergator-account/.

MFA Bombing On the Rise at UF

MFA bombing attacks are increasing at UF. MFA bombing is a tactic used to circumvent your UF account’s multi-factor authentication measures. During an MFA bombing, the attacker uses your stolen username and password to repeatedly send ‘Duo Push’ notifications and/or phone call requests, hoping after multiple notifications you will give up and approve the Duo request. Approval will give the attacker access to your GatorLink account. If an attacker can MFA bomb you with repeated Duo requests, it means your GatorLink password is compromised and the attacker is trying to sign in using the stolen password.

To stop the onslaught of Duo attempts, you’ll need to reset your GatorLink password. Visit the GatorLink Account Management portal, select “Forgot/Reset Your Password,” and follow the prompts after selecting “Self-Service Reset.” You will be asked to provide your UFID, Gatorlink username, and additional information used to verify your identify.

It is important to use “Forgot/Reset Your Password,” and not “Change Your Password,” because the latter requires you to sign in–and you may accidentally approve the attacker’s Duo Push instead of your own requested notification!

The Duo requests should stop soon after resetting your password. (It may take a few moments for the attacker to get kicked out.) For more information on MFA bombing, visit UF’s Information Security website’s MFA bombing page.

Avoiding Scammers This Holiday Season

We are ordering more online nowadays. Broader selection, convenience of shopping from the couch, and increasingly no-charge shipping and returns makes online shopping more attractive than going to an uninspiring mall. Know who else finds online shopping very attractive? Scammers.

Scammers can get a lot of information by following the breadcrumb trails we leave when searching online. (Another reason to clear cache and cookies.) This allows them to create very realistic ways to scam you, including:

Order Confirmation Scams. These are unexpected calls, texts, or emails that often refer to an unauthorized purchase and ask you to act urgently to confirm or cancel the purchase. Scammers try to convince you to confirm payment method (such as providing your credit card number) or your bank account number, or to install malicious software onto your computer/device.

Tech Support Scams. Scammers create fake websites and then text you the URL, claiming to provide tech support for your recently purchased devices. Customers who visit these pages can fall for schemes like paying for a support contract, getting a device repaired, or purchasing of accessories that will never arrive.

UFIT has additional information online to help you identify online scams. Keep your personally identifying information and your money safe, Gators!

Clear Your Search Histories

Did you know your online activity — including the sites you visit, places you view on Google Maps, videos you watch, and more — is tracked and stored? Companies, both legitimate and malicious, use cookies to learn what you do online. How?  Companies keep records of your online activity by using a Third-Party cookie, which links the activity from your browser back to the profile they have of you. From there, your information could become compromised and shared with groups interested in stealing your personal information or compromising your university.

Regularly clearing your cookies can help limit this surveillance because doing so breaks the link that companies rely on to identify you. Clearing cookies is easy! If you use Google Chrome, first open your browser, then → Open the “Options” menu located near the top right corner of the window → Select “More Tools” → Select “Clear Browsing Data” → To delete everything select “All Time” → and then “Clear Data.” That’s it!  The steps can vary slightly depending on the device and browser used, so visit this page for information on how to clear cookies in your preferred browser.

Learn more ways to keep your personal data private by visiting UF’s Information Security Office website.