Fraudulent Duo Pushes
Have you ever received a DUO Push and aren’t sure why?
DUO two-factor authentication is in place to help you protect your HBS account. Even if a bad actor obtains your password, they cannot use it to access your account without your permission. Therefore, you should be mindful when your phone asks you to allow a DUO push.
In most cases, you know (or can guess) what triggered the DUO push request. It may follow when you sign into Outlook on the web, or it may be when you sign into the HBS VPN.
If you receive a DUO push request and aren’t sure why, you should consider:
Did you leave a VPN session open?
After 12 hours, your HBS VPN connection will attempt to refresh its authentication. If you think this might be the case, and are no longer leveraging the VPN connection, you can safely ignore the request.Is someone trying to access your account?
If you cannot determine what caused the request, you should assume that someone has obtained your password. This could have been through a phishing attack or because you used that same password at another site that had a security breach.
What should you do?
Click the Reject button on the DUO app.
Change your password.
Notify HBS IT at ithelp@hbs.edu.
If Harvard Key was used notify HUIT at ithelp@harvard.edu.
MFA Bombing
If you are being bombarded with push notifications, it may be a case of “MFA bombing”.
Bad actors are starting to leverage a tactic called “MFA (Multi-factor Authentication) Bombing.” They will spam you with two-factor authentication requests in hopes that you will eventually get frustrated and just hit “accept.” They hope you will think that the tool is broken, especially if they perform this attack in the evening when Technology Support Services is not available.
Follow the same process that you would for any other fraudulent push.
Don’t be embarrassed!
Anyone can fall prey to a phishing attack, and many people have reused passwords in the past. Don’t let yourself feel as if you have done something foolish. We are all human, and bad actors leverage our willingness to trust against us.
Learn from the mistake and ensure that you’ve notified HBS IT of the issue. The HBS Information Security team is also available to help you if you have questions about protecting yourself and HBS.