Rice IT is beefing up online security

New procedures are response to rise in attempts to steal university employees’ credentials

Rice University is enhancing online security by implementing changes to its My NetID portal.

The new procedures are a response to a rise in attempts to steal online usernames and passwords of employees at universities. In recent attacks at Oberlin College, Grinnell College and Hamilton College, attackers exploited flaws in the password-recovery process and downloaded private admissions data.

Rice University is enhancing online security by implementing changes to its My NetID portal. Credit: 123RF.com/Rice University

While Rice’s password-recovery process does not have the same flaws and is not susceptible to the same type of attack, the incidents illustrate that attackers are targeting online credentials and the tools that manage them at higher education institutions.

“We actively look for compromised accounts in our network,” said Marc Scarborough, Rice’s chief information security officer. “When we find them, we take action. However, we also know that it’s likely there are compromised accounts we haven’t found yet.”

Rice’s My NetID portal has been enhanced to send email notifications when certain key changes are made to your user account. The notifications will be sent to your Rice email address along with the external contact email address listed in your My NetID profile. If you receive an email notification but did not make any changes, you should contact the Office of Information Technology (OIT) help desk at 713-348-HELP or helpdesk@rice.edu.

Additionally, starting April 22, Rice will require you to use Duo, a multi-factor authentication system, to access the My NetID portal. Employees who have not already set up Duo will be required to do so upon logging in to the portal. This will make it more difficult for attackers to use stolen usernames and passwords to access and make changes to accounts.

“If I’m an attacker, even if I know I’ve got someone’s username and password, it’s harder to get that Duo credential,” Scarborough said. “It’s much harder. It’s not impossible, but it’s a significant hurdle, and it will stop a lot of this from happening, and it will protect Rice.”

To enable this protection now, log in to https://mynetid.rice.edu, click on “Two-Factor Authentication” in the menu on the left side of the page and follow the on-screen instructions. While you’re logged in to the portal, you can also set up or change your external contact email address, which will receive account change notifications, by clicking on “Contact Information” in the menu.

Multi-factor authentication will soon be available on other Rice services, starting with those that store or process sensitive, confidential or other private information. This includes Slate, Rice’s admissions portal, and general access to employee payroll and direct deposit information.

“We have hackers successfully phishing our users and getting into Esther accounts to change their direct deposit information,” Scarborough said. “We catch it before any money is transferred, but we catch it after the password has been stolen. Putting Duo in front of it, we think, will stop that, too.”

More information

Setting up Duo: https://kb.rice.edu/duoguide.

Managing Duo devices: https://kb.rice.edu/manageduo.

Using Duo while traveling: https://kb.rice.edu/duotravel

OIT help desk: 713-348-HELP (4357) or helpdesk@rice.edu.


About Matt Wilson

Matt Wilson is a senior editor in Rice University's Office of Public Affairs.