Ultra Vires


Local Student’s U of T Account, Unprotected by Duo, Hacked

Absolutely nothing of value stolen

Members of the law school community were shocked to hear that a student’s U of T account was hacked earlier in the month. The student, who wishes to remain anonymous, had not yet participated in U of T’s push for students to register their accounts with Duo, the University’s multi-factor authentication (MFA) system.

The University’s MFA rollout started earlier this year, after months of sending spam emails to students, faculty, and staff about the initiative. Under the MFA requirement, users must download an app, Duo, onto their smartphones. Every time users log in to a University-affiliated account off-campus, users are required to open the Duo app and verify their identity before the login can proceed.

Unfortunately, the student victim here had not yet been forced to download the Duo app onto their phone. As such, their account was left vulnerable to hacking attempts from unsavoury characters on the internet.

In early January, a hacker entered the victim’s account from an IP address traced to a residence in suburban Markham. While the student’s parents reside in Markham, and the hacking took place during a weekend when the student had returned home and needed to download a reading from Quercus, the IT Department insists that this was purely coincidental and does not undermine the dangers of hackers looking to access U of T accounts.

“It is paramount that we protect U of T users. There are no limits to what malicious actors could access through unlimited access to a student’s ACORN and Quercus. For example, they could see that the student has yet to pay their Winter tuition. Or they could read syllabi and PowerPoints from the student’s classes. In the wrong hands, that information could present a real and significant danger,” an anonymous IT specialist explained.

In the case at hand, IT records show that the hacker accessed the victim’s Quercus account, browsed their constitutional law course page for three minutes, and downloaded a 23-page case from the page titled “Week 2 readings.”

“When we find out who is trying to steal valuable information from U of T community members, we will act swiftly to demand that they stop doing so. For now, we have required the student to register for MFA and download the Duo app to protect themselves immediately,” said the IT specialist.

“In fact, two factors are simply not enough,” she continued. “It’s called multi-factor authentication for a reason. Soon, we will also require that students scan their fingerprints, photograph their retinas, and do the Macarena in front of their camera. Only then can we be sure that the user logging in really is who they say they are. Only then can we protect our users in the high-stakes world of university accounts.”
