Chapman Issues Two-Step Verification for ePay to Protect Students from Phishing, yet few Students Bite

With the rise of sextortion for cryptocurrency and phishing, IS&T urge student to complete the two-step verification. Photo by Sydnee Valdez. 

Since the introduction of the two-step verification for student electronic billing accounts in early January, some 200 students have completed the verification, according to Chief Information Security Officer George Viegas.

The two-step verification process was offered by TouchNet, the system that handles Chapman’s ePay, and Viegas said that he would like to see all students embrace the new option to better insulate themselves against scammers and hackers.

“The guys who phish are becoming increasingly smart. They are spending time and money in creating these well-crafted phish, which means the chances of someone falling for it is higher,” Viegas said.

Viegas encourages all students to complete the verification.

“Get on board as soon as possible,” he said, adding that everyone should use the two-step process “whenever you are online banking.”

With the rise of scams and sextortion for cryptocurrency, Chapman launched the verification process for students and Panther Partner Authorized Users to better protect their financial transactions when changes are done to billing information in eRefund and personal profiles, Viegas said.

“The added layer of security will require a combination of factors, a user login and a verification code for ePay Refund and Personal Profile email address changes,” according to Student Business Services’ website.

Once logged into ePay, students select Security Settings and are redirected to the two-step verification. Photo by Sydnee Valdez. 

Phishing attacks and fraudulent emails asking for confidential information were addressed in an email sent by Chief Information Officer Helen Norris last July. Three months later, it was confirmed that over 20 faculty and staff accounts were compromised, Vice President of Strategic Marketing and Communications Jamie S. Ceman said.

The breaches were due to users clicking on an email link, logging into a site with their Chapman credentials, and allowing scammers access to their Chapman accounts all without their knowledge, Ceman said. After receiving the information, the scammers then re-routed three faculty members’ checks to their own accounts.

There have been no reports of successful scams to student accounts, according to Viegas.

While Ceman said that Information Systems and Technology (IS&T) believed the risk to students was low, two-step verification was offered to enhance security for student financial accounts.

The double verification option cannot be extended to staff and faculty because they currently do not have the option to change eRefund information, Viegas explained.

Once on the ePay site, students can click on Security Settings, select either the email or text option to send a verification code to, and then verify the code by inputting it into the labeled box.

The Panther Partner two-step verification is done the same way. Instead of using the student’s login information, proxies will input their own credentials to sign into Panther Partner Authorized User ePay Access and send a verification code to their phone or email.

Every time the student or proxy wants to make a change to the eRefund or personal profile, he or she will receive a code through text or in a backup email that is not assigned by Chapman.

“The process I’ve seen is fairly easy. We don’t make it too complicated,” Viegas said.

Freshman educational studies major Jamie Wendt said that she felt the process was simple and worthwhile.

“I think it’s a really good idea to provide us with more protection and make us feel safer about giving our financial information to the school,” Wendt said.

While the two-step verification is not required, Viegas said all students should sign up.

“With anything new, there’s a reluctance. We want you to do it, but we can’t force you,” Viegas said.

Requiring two-step verification could pose inconvenience for people who need to pay quickly, and Chapman doesn’t want to disrupt that process, Viegas explained. The two-step verification is only necessary when a student or proxy attempts to make changes to a bank account in eRefund.

Students who had not complied told Prowl they didn’t know about it or didn’t see doing so as necessary.

Though Dean of Students Jerry Price mentioned the verification program in his weekly email, freshman film production major Lauren Trujillo admitted to scrolling past Price’s announcements.

Junior business major Liz Akopian said she hadn’t heard much about the verification or its importance.

“I actually read Dean Price’s weekly announcements, so if I didn’t hear about it, then I’d say a lot of the Chapman population is definitely unaware,” Akopian said.

She suggested the importance of strengthening one’s cyber security could use more publicicity.

Freshman communication major Grace Tellers added her phone number to her ePay account, but said that she wasn’t sure how and where to access the site. To access the ePay account, students first need to login to their My Chapman, select Student Center, and then scroll down to locate the Access ePay link below their class schedules.

“The process was simple. Getting there was not,” Tellers said. “I feel like there should have been something more than just sending an email out.”

The prevalence of hacking convinced Tellers it was in her interest to make herself a hard target for hackers.

“Financial security on a college campus does make me worried because so many people have access to the same WiFi,” she said. “If I was more informed about how important it was, I probably would’ve done it sooner.”

Chapman is not the only university being targeted by phishing scammers. In August 2018 Secureworks Counter Threat Unit(CTU) found a URL that imitated a university’s login page. Upon further investigation, CTU discovered that there were over 300 fraudulent logins for 76 universities located in 14 countries, according to Education Technology.

MacEwan University in Alberta, Canada was a victim of phishing in 2017 and was defrauded of $11.8 million after staff members transferred money into an account they believed to be their new vendor, Caley Ramsay of Global News said.

Even if students choose not to complete the two-step verification, IS&T has a “state-of-the art system” that works 24/7 to filter and block 90 percent of phishing emails, according to Viegas. The department is also staying connected with other universities to keep track of suspicious emails. Examples of what those emails look like can be found here.

If students are still wary of their financial security, they can choose among five other payment methods: bank wire transfers, international bank wire payment through Flywire, mail, 529 plan, or in person at the Cashier’s Office.

In spring 2019, all emails sent to Chapman emails from non-Chapman addresses will be identified as an outside member. This will prevent users from falling for phish emails with addresses that closely resemble official Chapman accounts, according to IS&T’s Spring 2019 Newsletter.

A Multi Factor Authentication will also be made available for faculty and staff in late spring 2019, the newsletter stated. The optional authentication will require a second authentication, such as a phone number, when faculty access resources from a non-Chapman location. If scammers find a faculty member’s password, the authentication will not allow them access to emails or other services, according to the newsletter. IS&T promised to provide faulty with more information soon.

To find out how you can set up your two-step verification, Student Business Services has uploaded two videos on their website.  

Chief Information Security Officer George Viegas and his team keeps a look out for phish emails and actively works to secure student accounts. Photo by Sydnee Valdez. 

McKenna Sulick & Sydnee Valdez

Leave a Reply