By Emma WestRasmus
“What was the name of your first pet? What’s your favorite color? What’s your mother’s maiden name?” We all know the drill. Whenever we start a new account we are prompted for answers to challenge questions that will surely be easy to remember. But for more than two dozen students at the College of St. Scholastica in Duluth, the answers to the questions needed to reset their student account passwords might have been just a little too easy to figure out. Earlier this month, 28 students’ email accounts at St. Scholastica were hacked when hackers were able to answer the students’ challenge questions on the Self-Service Password Reset service simply by using information obtained from the students’ social media pages.
The hackers, who were eventually traced to a Beijing-based IP address, were able to use the information to correctly answer questions required to reset the students’ passwords and ultimately gain access to the email accounts of those students. While the hack was limited to St. Scholastica, Macalester and several other local colleges use the same company for their password reset services as St. Scholastica.
“It just as easily could have happened to us here at Macalester,” said Harry Pontiff, Information Security Officer at Macalester.
Upon discovering the hack, Macalester’s Information Technology Services (ITS) sprang into action to protect Macalester students from a similar attack. According to Pontiff, once it was established that the break-in was a case of “social engineering rather than a technological brute force attack,” several local colleges decided to turn off the self-service password reset component of the software services provided by Novell that relies on challenge questions.
Michael Hansen, IT Security Officer at St. Scholastica, said several students noticed charges on online accounts such as Amazon.com that were made by the hackers once they reset the passwords and gained access to the students’ email accounts. Hansen noted that the students who were hacked simply did not have difficult enough challenge questions, and that the answers to the questions could be found on social media sites.
“One question was what a student’s favorite drink was,” Hansen said. “It wouldn’t be that hard to look through pictures on Facebook and figure that out.”
Pontiff echoed Hansen, noting that the breach was not the result of a complex hacking program, but rather a matter of doing a little digging on social media accounts to uncover basic information about the students.
“It wasn’t that there was a serious code,” Pontiff said. “No, they just looked some stuff up on Facebook and hacked the accounts.”
Macalester ITS is in the process of finding a more secure way to reset forgotten passwords. One possible alternative would be a two-factor authentication system in which a code is sent to the user’s cell phone. The user would then enter the code, or select two pictures from a set of pictures the student chose when the account was set up.
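The phone-code alternative described above, written out as an added illustration (not code from Macalester, Novell, or the article): a reset service that replaces guessable challenge answers with a random one-time code delivered out of band, with an expiry, an attempt limit, and single use. The `send_sms` transport is a hypothetical callable supplied by the caller.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # a code is valid for five minutes
MAX_ATTEMPTS = 5            # after five wrong codes the reset is invalidated


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0


class ResetService:
    """Second factor for self-service password reset: a one-time code sent
    out of band stands in for challenge answers that can be found online."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms          # hypothetical transport: callable(phone, message)
        self.clock = clock                # injectable for testing expiry
        self.pending: dict[str, PendingReset] = {}

    def begin(self, user: str, phone: str) -> None:
        # Six digits from a CSPRNG; nothing on a social media page helps guess it.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = PendingReset(code=code, issued_at=self.clock())
        self.send_sms(phone, f"Your password reset code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[user]        # expired: the user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[user]        # too many guesses: invalidate even a correct code
            return False
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        if hmac.compare_digest(entry.code, submitted):
            del self.pending[user]        # single use
            return True
        return False
```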
Though Macalester students cannot use the challenge question portion of the service, they can still change their own passwords through the self-service function if they know their current password, or can have it reset by contacting the ITS Help Desk located in Humanities.
Megan Fisher • Sep 12, 2019 at 1:38 am
I have not checked in here for some time as I thought it was getting boring, but the last few posts are great quality so I guess I will add you back to my daily bloglist. You deserve it my friend 🙂
Jason Campbell • Sep 10, 2019 at 7:02 pm
Some truly interesting information, well written and broadly user friendly.
Penelope Howard • Sep 5, 2019 at 4:10 am
Naturally like your web-site, but you need to check the spelling on quite a few of your posts. Several of them are rife with spelling issues and I find it very bothersome to tell the truth; nevertheless I’ll definitely come back again.