Educause Security Discussion mailing list archives
Direct Deposit Phishing and Ellucian's Self Service for Colleague (Unidata) based ERP - "HUB" votes needed.
From: "Eric J. Weakland" <eric () AMERICAN EDU>
Date: Wed, 7 Sep 2016 16:03:58 +0000
Greetings,

Sorry if this is a bit long - I think some of the background is important. You can probably skip it if you're not an Ellucian ERP based shop.

Recently, American University has embarked on the long road to prepare our Ellucian Colleague (Unidata based) ERP for the move to SQL. One of the activities is to eliminate custom code wherever possible in our environment and to move wherever possible to SQL-compatible Ellucian products. This means replacing our homegrown solution for Payroll, and some WebAdvisor (no longer supported under SQL) driven processes, with Ellucian's replacement, Self-Service.

In response to some Direct Deposit (DD) Phishing attacks in 2013, which resulted in financial losses for the University, the Information Security Office worked with our ERP programmers and the Payroll department to add some security features to our custom/homegrown payroll software (which uses Colleague as a back end). The enhancements included the masking of bank account info, an additional verification step for any change to Direct Deposit destinations (entering the previous Direct Deposit destination), and Direct Deposit history - an "under the hood" enhancement that allowed payroll to view previous Direct Deposit destinations. These changes were successful, and we've seen no further successful abuse of direct deposit.

Fast forward to now: when looking at the features of Colleague Self Service, none of these features exist in Self Service. I have recommended that the University not implement Self Service until they are available, or until we can customize the solution to provide them. IMHO these are basic features for these functions, which most Universities I've talked to have also implemented (or something similar) to prevent online payroll redirection abuse. I also believe that these features should be available to other processes provided by Self Service, such as W2s, pay advice, student refunds, etc.
In order to request a product enhancement such as this from Ellucian, an "idea" must be created on the "Ellucian Hub" and get votes from customers. If your school is an Ellucian Colleague customer, would you please consider voting for the following ideas:

Masking Bank Account info: https://ellucian.force.com/clients/ideas/viewIdea.apexp?id=08716000000EidY

Data Verification to change DD destination: https://ellucian.force.com/clients/ideas/viewIdea.apexp?id=08716000000EijqAAC

Keep an audit trail of DD accounts: https://ellucian.force.com/clients/ideas/viewIdea.apexp?id=08716000000EijvAAC

Thank you all for your time.

Regards,

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241
_____________________________________________
Emails from IT asking you to log in with a link are scams!
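The three controls described in the post (masked display of bank account numbers, re-entry of the current destination before a change is accepted, and a retained history of prior destinations plus an audit trail) are small enough to sketch end to end. The following is an added example written for this archive page; it is not code from American University's payroll system or from Ellucian. The in-memory store, the `PayrollDirectDeposit` class and its method names are all assumptions made for illustration, and the routing and account numbers in the demo are constructed.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone


def mask_account(account: str, visible: int = 4) -> str:
    """Hide all but the last `visible` digits; very short numbers are hidden entirely."""
    digits = "".join(ch for ch in account if ch.isdigit())
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


def _normalize(account: str) -> str:
    """Compare digits only, so formatting differences do not cause false rejections."""
    return "".join(ch for ch in account if ch.isdigit())


@dataclass
class Destination:
    routing: str
    account: str


@dataclass
class AuditEntry:
    when: str
    employee_id: str
    actor: str
    outcome: str       # "changed" or "rejected"
    old_masked: str
    new_masked: str


@dataclass
class PayrollDirectDeposit:
    # Hypothetical in-memory store standing in for the ERP back end.
    _current: dict = field(default_factory=dict)   # employee_id -> Destination
    _history: dict = field(default_factory=dict)   # employee_id -> [prior Destination, ...]
    _audit: list = field(default_factory=list)     # append-only AuditEntry list

    def enroll(self, employee_id: str, routing: str, account: str) -> None:
        self._current[employee_id] = Destination(routing, _normalize(account))
        self._history.setdefault(employee_id, [])

    def view(self, employee_id: str) -> dict:
        """What the self-service page shows the employee: masked account only."""
        d = self._current[employee_id]
        return {"routing": d.routing, "account": mask_account(d.account)}

    def change(self, employee_id: str, actor: str, claimed_current_account: str,
               new_routing: str, new_account: str) -> bool:
        """Accept a new destination only if the requester supplies the full current account.

        A phisher who only holds the victim's portal credentials does not know the
        current account number (the portal never shows it in full), so the change
        is rejected and the attempt is recorded for payroll to review.
        """
        d = self._current[employee_id]
        ok = hmac.compare_digest(d.account.encode(), _normalize(claimed_current_account).encode())
        self._audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            employee_id=employee_id,
            actor=actor,
            outcome="changed" if ok else "rejected",
            old_masked=mask_account(d.account),
            new_masked=mask_account(new_account),
        ))
        if not ok:
            return False
        # Keep the previous destination; history is never overwritten or deleted.
        self._history[employee_id].append(d)
        self._current[employee_id] = Destination(new_routing, _normalize(new_account))
        return True

    def history(self, employee_id: str) -> list:
        """Payroll-only view of prior destinations (masked for display)."""
        return [mask_account(x.account) for x in self._history[employee_id]]

    def rejected_attempts(self, employee_id: str) -> int:
        """Count of failed change attempts; a spike across employees is a campaign signal."""
        return sum(1 for e in self._audit
                   if e.employee_id == employee_id and e.outcome == "rejected")

    def audit_log(self) -> list:
        return list(self._audit)


if __name__ == "__main__":
    svc = PayrollDirectDeposit()
    svc.enroll("emp-001", "011000015", "1234-5678-9012")   # constructed sample values
    print(svc.view("emp-001"))
    print(svc.change("emp-001", "emp-001", "000000000000", "021000021", "999999999999"))
    print(svc.change("emp-001", "emp-001", "123456789012", "021000021", "999999999999"))
    print(svc.history("emp-001"), svc.rejected_attempts("emp-001"))
```

The verification step is the one that actually stops the redirection: the masked display means the portal never leaks the value the attacker would need to pass it, and the history and audit entries give payroll both a way to restore the prior destination and a per-employee rejection count to watch for a campaign in progress.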