The library faculty have created a set of guiding principles to consider when using generative AI tools in the research and scholarship process.  This was done in an effort to help educate the students, staff, and faculty of Drake University on the benefits and risks of generative AI, especially with regards to searching, finding, and evaluating information.

The library faculty have also created a concise version of those guiding principles.

Please contact Priya Shenoy at priya.shenoy@drake.edu or Dan Chibnall at dan.chibnall@drake.edu if you have any questions.

–Teri Koch, Cowles Library

Cody Dolinsek, adjunct professor of philosophy at Drake, will deliver a lecture titled “Disability and Religion: A Dialogue of Dissonance in Search of Harmony” on Sept. 12 at 6 p.m. in Sussman Theater, Olmsted Center. The event will be accessible via Zoom. The lecture is part of The Comparison Project’s Lecture and Dialogue Series.

— Catalina Samaniego, senior, College of Arts & Sciences

On Thursday, September 19 at 4:30pm, ITS staff will be updating an SSO security certificate related to Blackboard logins. The update will not make Blackboard unavailable, but it may cause your course materials to appear unavailable. If you experience issues accessing your course materials, fully quit your browser, restart it, and log back in to Blackboard. 

If you have any access issues with Blackboard after this update, contact us by submitting a ticket though the ITS service portal or by calling the Support Center at 515-271-3001.

–Becky Klein, ITS

Claire, an IT technician on a beautiful college campus, handles cybersecurity for faculty and staff. One fall afternoon, she receives a frantic call from a professor who suddenly can’t login to their email account. Claire quickly realizes something is wrong when the system logs show multiple unauthorized login attempts, including from overseas. She asks, and the professor recalls approving a strange MFA notification earlier that day, assuming it was a routine verification. Within minutes, the attacker hijacked the account, gaining access to sensitive student records and research files. The breach sends ripples through the campus, shaking the college’s reputation and causing panic among faculty and students alike. Claire knows that a single MFA hijack has put years of work and trust at risk, reminding her how crucial it is to stay vigilant. 

Understanding MFA 

Multi-factor authentication (MFA) provides an extra layer of protection beyond a password. By requiring a second form of verification, MFA aims to make it significantly harder for attackers to gain unauthorized access to accounts. However, as security measures evolve, so do cybercriminals’ tactics. One of the latest threats in this ongoing battle is MFA hijacking. Drake ITS staff have seen recent instances of MFA hijacking that’s allowed attackers to compromise accounts. 

What is MFA Hijacking? 

MFA hijacking refers to compromising the multi-factor authentication process to gain unauthorized access to accounts or systems. This includes stealing authentication tokens, intercepting one-time passwords (OTPs) such as those sent via text message (SMS), or exploiting vulnerabilities in the MFA implementation itself. 

How MFA Hijacking Works 

1. Phishing Attacks: One of the most common methods used in MFA hijacking is phishing. Attackers trick users into revealing their credentials and the second authentication factor, often by creating fake login pages that mimic legitimate websites. Once the user enters their username and password, the attacker can capture them in real-time and use them to gain access. 
2. Man-in-the-Middle (MitM) Attacks: In a MitM attack, cybercriminals intercept the communication between the user and the authentication service to capture the authentication token or OTP and use it to log in as the legitimate user. 
3. SIM Swapping: In this attack, the criminal convinces a mobile carrier to transfer the victim’s phone number to a SIM card controlled by the attacker. Once they have control of the victim’s phone number, they can receive the SMS-based OTPs and complete the MFA process. 
4. Session Hijacking: Attackers may hijack an active session if they gain access to the cookies or tokens stored in a browser. This method bypasses the need for MFA entirely because the attacker can impersonate the user without re-authentication. 

Protecting Yourself Against MFA Hijacking 

While MFA remains a crucial security measure, it’s essential to understand that it’s not foolproof. Here are some strategies to help protect yourself against MFA hijacking: 

1. Use Stronger MFA Methods: Use authentication methods less susceptible to hijacking, such as mobile applications using number matching. Avoid using SMS-based OTPs whenever possible, as they are particularly vulnerable to SIM swapping and interception. 
2. Monitor for Anomalies: Regularly check the MFA options configured in your accounts to remove old devices and ensure unrecognized MFA methods have not been added. Hijackers will often add MFA authentications methods to an account to maintain the ability to login in the future.  
3. Report Suspicious Account Activity: As soon as you notice, tell ITS about any suspicious activity on your accounts, such as unexpected login attempts, changes to account settings, or notifications about unauthorized access. Early detection and reporting help mitigate potential damage and prevent further unauthorized access. 

While MFA hijacking is a growing threat in the cybersecurity landscape, it doesn’t render MFA obsolete. It simply highlights the importance of staying informed about the latest threats. By understanding and remaining aware of the risks, you can reduce the likelihood of falling victim to MFA hijacking. 

–Chris Mielke, ITS