Educause Security Discussion mailing list archives

Direct Deposit Phishing and Ellucian's Self Service for Colleague (Unidata) based ERP - "HUB" votes needed.


From: "Eric J. Weakland" <eric () AMERICAN EDU>
Date: Wed, 7 Sep 2016 16:03:58 +0000

Greetings,

Sorry if this is a bit long - I think some of the background is important. You can probably skip it if you're not an 
Ellucian ERP-based shop.

Recently, American University has embarked on the long road to prepare our Ellucian Colleague (Unidata-based) ERP for 
the move to SQL. One of the activities is to eliminate custom code wherever possible in our environment and to move, 
wherever possible, to SQL-compatible Ellucian products. This means replacing our home-grown solution for Payroll, and 
some WebAdvisor-driven processes (WebAdvisor is no longer supported under SQL), with Ellucian's replacement, Self-Service.

In response to some Direct Deposit (DD) phishing attacks in 2013, which resulted in financial losses for the 
University, the Information Security Office worked with our ERP programmers and the Payroll department to add some 
security features to our custom/home-grown payroll software (which uses Colleague as a back end). The enhancements 
included masking of bank account info, an additional verification step for any change to a Direct Deposit 
destination (entering the previous Direct Deposit destination), and Direct Deposit history - an "under the hood" 
enhancement that allows Payroll to view previous Direct Deposit destinations. These changes were successful, and 
we've seen no further successful abuse of direct deposit.

Fast forward to now: looking at the features of Colleague Self Service, none of these features exist in Self 
Service. I have recommended that the University not implement Self Service until they are available, or until we can 
customize the solution to provide them. IMHO these are basic features for these functions, which most universities 
I've talked to have also implemented (or something similar) to prevent online payroll redirection abuse. I also believe 
that these features should be available to other processes provided by Self Service, like W-2s, pay advices, student 
refunds, etc.

In order to request a product enhancement such as this from Ellucian, an "idea" must be created on the "Ellucian Hub" 
and get votes from customers.  If your school is an Ellucian Colleague customer would you please consider voting for 
the following ideas:

Masking Bank Account info:
https://ellucian.force.com/clients/ideas/viewIdea.apexp?id=08716000000EidY

Data Verification to change DD destination:
https://ellucian.force.com/clients/ideas/viewIdea.apexp?id=08716000000EijqAAC

Keep an audit trail of DD accounts:
https://ellucian.force.com/clients/ideas/viewIdea.apexp?id=08716000000EijvAAC

Thank you all for your time.

Regards,

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

_____________________________________________
Emails from IT asking you to log in with a link are scams!
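
The three controls the post describes (masking the stored account number in the self-service view, requiring the 
employee to re-enter the current destination before a change is accepted, and keeping a history of every destination 
that Payroll can consult) can be sketched as one small change-handling flow. The code below is an added illustration 
written for this archive page; it is not American University's payroll code, not Ellucian's Self-Service, and not 
taken from the Ellucian Hub ideas linked above. The `PayrollService` class, its in-memory storage, the employee id 
and the bank numbers are all constructed for the example. In a real deployment the full account numbers would live 
encrypted in the ERP and only Payroll roles would be allowed to call `history()`; that access control is left to the 
caller here.

```python
"""Direct-deposit change flow with masking, previous-destination verification and an audit trail.

Added example for the mailing-list post above; all data and class names are constructed.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _normalize(value: str) -> str:
    """Keep digits only so '1234-5678' and '1234 5678' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def mask_account(account: str, visible: int = 4) -> str:
    """Show only the last `visible` digits; values that short are fully masked."""
    digits = _normalize(account)
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


@dataclass(frozen=True)
class DirectDeposit:
    routing: str
    account: str

    def masked(self) -> dict:
        # Routing numbers identify the bank, not the employee, so only the
        # account number is masked in the employee-facing (self-service) view.
        return {"routing": self.routing, "account": mask_account(self.account)}


@dataclass(frozen=True)
class AuditEvent:
    employee_id: str
    timestamp: str
    actor: str        # the login that submitted the request
    source_ip: str    # where it came from; useful when phishing is suspected
    outcome: str      # "enrolled", "changed" or "rejected"
    old: Optional[DirectDeposit]
    new: DirectDeposit


class PayrollService:
    """In-memory stand-in for the ERP back end (constructed for the example)."""

    def __init__(self) -> None:
        self._current: dict[str, DirectDeposit] = {}
        self._history: dict[str, list[AuditEvent]] = {}

    def _record(self, employee_id: str, actor: str, source_ip: str, outcome: str,
                old: Optional[DirectDeposit], new: DirectDeposit) -> None:
        event = AuditEvent(employee_id, datetime.now(timezone.utc).isoformat(),
                           actor, source_ip, outcome, old, new)
        self._history.setdefault(employee_id, []).append(event)

    def enroll(self, employee_id: str, dest: DirectDeposit, actor: str, source_ip: str) -> None:
        """First-time enrollment: there is no previous destination to verify against."""
        if employee_id in self._current:
            raise ValueError("already enrolled; use change_direct_deposit")
        self._current[employee_id] = dest
        self._record(employee_id, actor, source_ip, "enrolled", None, dest)

    def view_direct_deposit(self, employee_id: str) -> dict:
        """What self-service shows the employee: account number masked."""
        return self._current[employee_id].masked()

    def change_direct_deposit(self, employee_id: str, claimed_previous: DirectDeposit,
                              new: DirectDeposit, actor: str, source_ip: str) -> bool:
        """Accept the new destination only if the caller can state the current one.

        A phisher holding stolen portal credentials normally cannot supply the
        existing account number, because the portal never displays it unmasked.
        Rejected attempts are recorded too: they are the signal that an account
        has been compromised.
        """
        current = self._current[employee_id]
        ok = (hmac.compare_digest(_normalize(current.account), _normalize(claimed_previous.account))
              and hmac.compare_digest(_normalize(current.routing), _normalize(claimed_previous.routing)))
        if not ok:
            self._record(employee_id, actor, source_ip, "rejected", current, new)
            return False
        self._current[employee_id] = new
        self._record(employee_id, actor, source_ip, "changed", current, new)
        return True

    def history(self, employee_id: str) -> list[AuditEvent]:
        """Full, unmasked trail for Payroll (the caller must restrict who can see it)."""
        return list(self._history.get(employee_id, []))
```

A legitimate change goes through only when the submitted "previous" routing and account match what is on file; a 
request that gets them wrong is refused and logged with the actor and source address, while the employee-facing 
view keeps showing only the last four digits of the account on file.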

