UC San Diego has recently experienced an increase in phishing attacks that seek to exploit the phone callback option provided by Duo Security, which UC San Diego uses to power its two-step login process (also known as multi-factor authentication or MFA).
Steps to Protect Yourself
To keep your accounts secure:
- Only accept Duo phone call or push notification verification attempts if you’re actively logging in to a known and trusted UC San Diego application. Email security@ucsd.edu if you notice you’re receiving Duo verification prompts you didn’t initiate.
- Beware of phishing emails that ask you to log in to a website and then tell you to expect a phone call from Duo and press 1 to accept it. UC San Diego will never send messages like this.
How Hackers Exploit Duo Phone Callback, and Why You Should Discontinue Using It
In general, attackers prey on “MFA fatigue”: they flood a user with phone call or push authentication requests until the user accepts one out of exhaustion or by accident. The callback phish described above is a variant of this: the fake login page captures your password, the attacker uses it to start a real login, Duo calls your phone, and the email has already told you to press 1 when the call arrives. Pressing 1 on a call you did not initiate completes the attacker’s login, not yours.
In response to these callback-based attacks, UC San Diego Health has already discontinued the callback option for Health-specific systems. IT Services is also considering removing it.
Instead, use push notifications on a personal or university-issued smartphone or tablet; this is the simplest and most secure way to use two-step login. The Deny/Accept screen shows the location of the attempted login (derived from the login’s network address, so treat it as approximate), the time, and the user, which lets you confirm the attempt is yours before accepting.
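The burst pattern described above is also visible to the security office in Duo’s authentication log. The following script is an added example, not part of this advisory and not Duo’s own code: it parses newline-delimited JSON log entries and flags three things: users who received a burst of unanswered or denied call/push prompts inside a short window (MFA fatigue), users whose successful approval came right after such a burst (a likely accepted-by-exhaustion login), and users who denied a prompt and reported it as suspicious. The log entries are constructed for illustration, and the field names (`timestamp`, `user`, `factor`, `result`, `reason`) are assumptions about the export format rather than a documented schema.

```python
"""Flag Duo two-step login activity that looks like MFA fatigue.

Added example, not part of the UC San Diego advisory and not Duo's code.
The log below is constructed; its field names are assumptions about the
shape of Duo's authentication log export.
"""
import json
from collections import defaultdict

# Constructed sample entries (not real data). Timestamps are Unix seconds.
_ENTRIES = [
    # alice: four unanswered callbacks in six minutes, then one accepted
    {"timestamp": 1700000000, "user": "alice", "factor": "phone_call", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700000090, "user": "alice", "factor": "phone_call", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700000200, "user": "alice", "factor": "phone_call", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700000320, "user": "alice", "factor": "phone_call", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700000400, "user": "alice", "factor": "phone_call", "result": "success", "reason": "user_approved"},
    # bob: one ordinary push login
    {"timestamp": 1700001000, "user": "bob", "factor": "duo_push", "result": "success", "reason": "user_approved"},
    # carol: denied an unexpected push and answered Yes to "Was this a suspicious login?"
    {"timestamp": 1700002000, "user": "carol", "factor": "duo_push", "result": "fraud", "reason": "user_marked_fraud"},
    # dave: two denied pushes hours apart, not a burst
    {"timestamp": 1700005000, "user": "dave", "factor": "duo_push", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700016000, "user": "dave", "factor": "duo_push", "result": "denied", "reason": "no_response"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _ENTRIES) + "\nnot json, skipped by the parser\n"

PROMPT_FACTORS = {"phone_call", "duo_push"}   # interactive factors an attacker can trigger
REQUIRED_FIELDS = {"timestamp", "user", "factor", "result"}


def parse_log(text):
    """Parse newline-delimited JSON entries, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and REQUIRED_FIELDS <= entry.keys():
            events.append(entry)
    return sorted(events, key=lambda e: e["timestamp"])


def _unanswered(e):
    """A call or push prompt the user did not approve (timed out, denied, or reported)."""
    return e["factor"] in PROMPT_FACTORS and e["result"] != "success"


def find_mfa_fatigue(events, window=600, threshold=3):
    """Return {user: count} for users with >= threshold unanswered prompts in any window."""
    by_user = defaultdict(list)
    for e in events:
        if _unanswered(e):
            by_user[e["user"]].append(e["timestamp"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def find_accepted_after_burst(events, window=600, min_prior=2):
    """Return {user: count} where a success followed >= min_prior unanswered prompts in window.

    This is the outcome the attacker wants: the user finally accepted.
    """
    flagged = {}
    for e in events:
        if e["factor"] not in PROMPT_FACTORS or e["result"] != "success":
            continue
        prior = [p for p in events if p["user"] == e["user"] and _unanswered(p)
                 and e["timestamp"] - window <= p["timestamp"] < e["timestamp"]]
        if len(prior) >= min_prior:
            flagged[e["user"]] = max(flagged.get(e["user"], 0), len(prior))
    return flagged


def find_fraud_reports(events):
    """Users who denied a prompt and marked it as a suspicious login."""
    return sorted({e["user"] for e in events
                   if e["result"] == "fraud" or e.get("reason") == "user_marked_fraud"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fatigue bursts:", find_mfa_fatigue(evs))          # {'alice': 4}
    print("accepted after burst:", find_accepted_after_burst(evs))  # {'alice': 4}
    print("user fraud reports:", find_fraud_reports(evs))     # ['carol']
```

A real deployment would pull entries from the authentication log API on a schedule and feed the three result sets to the security office’s ticketing: a fatigue burst warrants contacting the user, an accepted-after-burst login warrants a forced password reset, and a fraud report is a direct user signal that should be triaged as a probable phish. The thresholds (three prompts in ten minutes, two prior failures before a success) are starting points to tune against the campus’s own baseline.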
How to Respond If You’re Targeted
While IT Services explores technical means for reducing Duo-related attacks, please remain hyper-aware as you use two-step login and follow these guidelines:
- Do not respond to messages telling you to expect a Duo phone callback or push notification.
- If you receive multiple Duo phone calls or pushes you weren’t expecting, immediately change your password at password.ucsd.edu and notify the security office at security@ucsd.edu.
- If you receive multiple Duo push notifications you weren’t expecting: 1) deny the request, then 2) tap “Yes” when the screen reads “Was this a suspicious login?”
- Forward any suspected phishing emails to abuse@ucsd.edu.
As an additional best practice, create and store unique and strong passwords and passphrases using LastPass.
Questions and Help
If you need further help or have specific questions about two-step login, please reach out using one of the following methods: