Everyone’s interested in your identity—from Amazon to cybercriminals

As technology evolves, old paradigms around how we deliver IT security and services, such as location and IP address, are falling away, and identity is fast becoming the fundamental pillar for how we deliver everything—IT and otherwise.

Take, for example, Amazon, Google, Facebook and other online businesses. They know that you are the key to their success, so they focus their efforts on collecting information about you. They then use that data to market goods and services that appeal to you, hoping that you’ll become a customer.

Cybercriminals do the same. They know it is easier to trick a person than it is to fool or defeat a device. Rather than try to breach a device or network perimeter, many attackers now try to steal login credentials. They then can use that person’s identity to gain entry to other online accounts and networks, allowing the criminal to access not only that user’s information but the data and devices of any connected individual or organization.

That’s why we must start to focus more on zero trust—verifying and protecting the identity of every user, device and service. One way the University of Utah does this is through multifactor authentication (MFA), which requires two methods to confirm a user’s identity.

This Identity Management Day (April 12), the U’s Information Security Office (ISO) encourages you to take a zero-trust approach with your online accounts and devices. For example, enable MFA for all your online accounts if it’s available. For more information on how to protect your identity, please refer to the tips from the National Cybersecurity Alliance below.

Tips from the National Cybersecurity Alliance

Configure security settings

Every time you sign up for a new account, download a new app or get a new device, immediately configure the privacy and security settings to your comfort level. Also, check the settings on old accounts and delete any apps or accounts you no longer use.

  • Why? Attackers are likely to try the default login information for internet-connected devices—typically “admin”—to gain access. While the default settings for most online accounts provide a more personalized experience, loose privacy settings could mean your data is being shared without your knowledge.

Think before you click

If you receive an enticing offer via email or text, don’t be so quick to open the link. Instead, verify it’s legitimate through a different method, such as visiting the organization’s website or calling the person through a known or trusted number. If you’re unsure who an email is from—even if the details appear accurate—or if the email looks “phishy,” do not respond and do not open any links or attachments. Suspicious messages received through UMail should be reported to the ISO using the Phish Alert Button; messages in your personal accounts should be reported to your email provider.

  • Why? Attackers often send fraudulent emails and text messages, referred to as phishing, to trick people into providing personal information, such as usernames and passwords, or downloading malware.

Share with care

Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it might affect you or others. Consider creating an alternate persona that you use for online profiles to limit the amount of personal information you share.

  • Why? Personal information can be used by attackers to do a variety of things, including impersonation and guessing usernames and passwords.

Download a password manager

Use password managers to generate and remember different, complex passwords for each of your accounts. Fifty-seven percent of workers write down passwords on sticky notes, and 62% share passwords via SMS and email, according to Keeper Security. Password managers offer secure ways to send passwords and other login credentials to family members or coworkers.

  • Why? Duplicating passwords or using common passwords is a gift to online criminals. If one account is compromised, an attacker will typically try the same username and password combination against other websites through “password spraying.”

Update your software

Keep all software on your internet-connected devices current to reduce risk of infection from ransomware and malware. Configure your devices to automatically update or notify you when an update is available.

  • Why? Software updates often fix security flaws. Outdated software can be riddled with security holes easily exploited by attackers.

If you believe your university accounts have been compromised, please email the ISO's Security Operations Center at soc@utah.edu or call the UIT Help Desk at 801-581-4000, option 1. If you believe your identity has been compromised, contact the Identity Theft Resource Center.

What is Identity Management Day?

Identity Management Day, which takes place on the second Tuesday in April each year, is a global day of awareness to educate business leaders, IT decision-makers and the general public about the importance of managing and securing digital identities. This year’s event is on April 12.