Login from an unknown device - what to do?

From the BIS Wiki

This page is an automatic translation of the German original.

Since 21 August 2024 (announcement in German), the login system has sent a notification when you log in on a device for the first time. This page answers the following questions:

  • Why am I receiving these emails?
  • When do I receive these emails?
  • How can I check whether these emails are genuine?
  • How can I tell whether the trigger was a login by me?
  • I suspect that someone else has logged in with my login details. What do I do first?
  • Why would someone want to log in under my name?
  • Why do I get these emails even though I always use the same device?
  • Can I switch off these notifications?
  • Who can I contact if I have further questions?

Why am I receiving these emails? To be able to stop password theft!

The notifications are intended to enable you to recognise and stop a 'theft of your login data'. Before these notifications were introduced, only a regular look at the 'My Account' page could tell you that someone was accessing the university's IT systems in your name.

The active notification increases the chance of quickly recognising a successful attack on your login and countering it immediately if you act accordingly. In the best case scenario, you will see this email immediately after the unauthorised login, follow the instructions in it and block the attackers immediately before they can cause any damage or lock you out of your account.

When do I receive these emails? The first time you log in on each device

Notifications are only sent when a login with your login name and the correct password has succeeded. Failed login attempts only produce a notification if they have triggered a temporary lock of your login.

The notifications should be 'rare events' so that, when they occur, they stand out and attract attention. If the login system sent a notification every time someone logged in, these emails would probably soon be ignored. A notification is therefore only sent when you log in 'on a device for the first time'. Subsequent logins from that device no longer trigger notifications.

What is meant by 'device'?

The term 'device' is not easy to define for technical reasons, but to put it simply, a 'device' is a specific web browser (e.g. Safari or Chrome) on a specific computer (i.e. your laptop or smartphone). If you log in on the same computer with two different web browsers, these are two different devices from the perspective of the login system. Logging in via the Meine Uni app also counts as a login from a 'new' device.

I have been using my computer for a long time! Why is it a new device then?

From the login system's point of view, every device that the login system has not yet been able to mark as a known device is new. This is why you will receive a security message even if you have been using a computer for a long time. The exact technical background - keyword 'cookies' - is described in a later section.

Other people are also registering on my computer. Does this cause problems?

If you share your computer and several people log in on it, this is not a problem. The marking of a device as a known device refers to a specific person. So if you let a fellow student quickly view her electronic course catalogue (eKVV) timetable on your computer, she will receive a notification about a login on a new device, but nothing changes for you.

How can I check whether these emails are genuine?

Almost everyone receives fake emails more or less frequently that are designed to trick them into entering their login details on a third-party website, where they are then stolen. This is called 'phishing', and you will find more information on it in the following paragraphs. If you are wondering whether an email with a security warning was really sent by the university's IT systems, that already shows that you are aware of this danger!

'Unfortunately, almost everything about an email can be faked', so checking the following features is not completely reliable:

  • Subject: emails sent by the system today (August 2024) have this subject:

Sicherheitshinweis: Ein neues Gerät hat sich auf Ihrem Universitätskonto angemeldet

We deliberately do not reproduce the rest of the email here, so that people who try to imitate our emails do not have a ready-made template.

  • Sending address: The sender address ends with '@ekvv.uni-bielefeld.de'
  • Links: Only links ending in 'uni-bielefeld.de' are sent in the email. But beware: it is easy to create links that look very similar, or to use formatting tricks so that a link appears to point to a 'uni-bielefeld.de' address when in fact it leads to a completely different address

If you want to be on the safe side, go directly to this page:

https://login.uni-bielefeld.de/idp/fremdlogin

This page will show you the steps you should take to switch off unauthorised access.
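The three features listed above (subject, sender address, link targets) can be checked mechanically. The following is an added example, not code from the university or its login system: it reads a raw email and reports every feature that does not fit the description on this page. Both sample emails are constructed for this example; the sender's local part, the link parameter and the '.example' addresses are placeholders, and the code assumes a single-part HTML mail.

```python
"""Checking a security notice against the features listed on the page."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject and domains exactly as stated on the page (August 2024)
EXPECTED_SUBJECT = ("Sicherheitshinweis: Ein neues Gerät hat sich auf "
                    "Ihrem Universitätskonto angemeldet")
SENDER_DOMAIN = "ekvv.uni-bielefeld.de"
LINK_DOMAIN = "uni-bielefeld.de"


def under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it.

    A plain endswith() would also accept 'evil-uni-bielefeld.de'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_notice(raw: str) -> list[str]:
    """Return the list of mismatches; an empty list means all features fit."""
    msg = message_from_string(raw)
    findings = []
    if msg.get("Subject") != EXPECTED_SUBJECT:
        findings.append("subject differs from the known notification subject")
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not under_domain(sender_domain, SENDER_DOMAIN):
        findings.append(f"sender {addr!r} does not end in @{SENDER_DOMAIN}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())   # assumes a single-part HTML body
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not under_domain(host, LINK_DOMAIN):
            findings.append(f"link target {href!r} is not under {LINK_DOMAIN}")
        # Visible text shows one address while the real target is another
        if text.startswith("http") and (urlparse(text).hostname or "") != host:
            findings.append(f"link text {text!r} hides the real target {host!r}")
    return findings


# Constructed samples: the first follows the page's description, the second
# imitates it with a lookalike domain under the reserved '.example' TLD.
GENUINE = """\
From: Login-System <login@ekvv.uni-bielefeld.de>
Subject: Sicherheitshinweis: Ein neues Gerät hat sich auf Ihrem Universitätskonto angemeldet
Content-Type: text/html; charset=utf-8

<p>(constructed sample body)
<a href="https://login.uni-bielefeld.de/idp/fremdlogin?d=PLACEHOLDER">https://login.uni-bielefeld.de/idp/fremdlogin</a></p>
"""

LOOKALIKE = """\
From: Uni Bielefeld <security@uni-bielefeld.de.example>
Subject: Sicherheitshinweis: Ein neues Gerät hat sich auf Ihrem Universitätskonto angemeldet
Content-Type: text/html; charset=utf-8

<p><a href="https://login.uni-bielefeld.de.example/idp/fremdlogin">https://login.uni-bielefeld.de/idp/fremdlogin</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(label, check_notice(raw) or "all features match")
```

The dot-boundary check in under_domain is the part that matters most: 'uni-bielefeld.de.example' and 'evil-uni-bielefeld.de' both end in the letters 'uni-bielefeld.de' but are rejected. Since headers can be forged, an empty finding list only means the email is consistent with the description, which is why the page recommends typing the address in directly when in doubt.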

How can I judge whether a login by myself was the trigger?

This question is crucial for how you proceed, and it is usually 'easiest to judge by the time': the time of the login is documented in the email. Do you remember logging in at that time? If you are not sure, you can see your login history for the last few days on the 'My Account' page.

There are further hints:

Operating system and web browser

Further clues are the details in the email about the operating system and web browser used for the login. Although attackers can falsify this information and adapt it to the devices you normally use, it can still be an indication of unauthorised access.

However, there are also rare cases in which this information is misleading:

  • Since the so-called user-agent reduction, the Chrome web browser returns fixed descriptions of the operating system. Under Android, for example, Chrome always reports Android version 10
  • There are also known cases of apps not authorised by the university logging into the IT systems with unusual web browser names.
  • Another reason for deviating information may be anonymising web browser extensions. See more on this below.

On the 'My Account' page, in the 'My current device' section, you can see what information the system displays for the device you are currently using. This allows you to easily compare whether the details in the email match one of your devices.

IP address

Another piece of information is the so-called IP address, which is given at the end of the email. The IP address is the web address of the computer from which the login was made. It cannot be falsified, but it is not easy to interpret. We have a separate section on this at the end of the page.

However, the IP address may be a good starting point for further research by us in the event of suspected unauthorised access and can be used to obtain a picture of the potential damage.

Name of the computer

The name of the computer associated with the IP address is displayed here. Technically, this is obtained by a query to the Domain Name System (DNS). This name can be somewhat cryptic under certain circumstances, especially in the case of automatically assigned computer names. These are common, for example, when using a WLAN.

However, this information can help you in particular to decide whether the login came from a computer in the university network: In this case, the name will end with 'uni-bielefeld.de'. With other Internet providers, there is often a reference to the provider in the name, which can allow you to draw conclusions as to whether the access came from you.

There may be cases where the login system cannot determine the computer name because no corresponding DNS name was available. A corresponding message is then displayed.
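The lookup described in this section can be reproduced as follows. This is an added example, not part of the page or of the login system: it performs the reverse DNS (PTR) query, handles the case where no name exists, checks for the 'uni-bielefeld.de' ending with a proper dot boundary, and additionally forward-confirms the name, since a PTR record is set by whoever controls the address's reverse zone and is only trustworthy if the name resolves back to the same address. The sample tables use TEST-NET addresses and constructed host names.

```python
"""Interpreting the computer name shown in a notification email."""
import socket
from typing import Callable, Optional

UNI_DOMAIN = "uni-bielefeld.de"


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup as the login system does it; None when no name exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:            # socket.herror / gaierror: no PTR or bad input
        return None


def forward_lookup(name: str) -> list[str]:
    """All addresses the name resolves to; empty if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def under_domain(host: str, domain: str) -> bool:
    """True for the domain itself or a subdomain; rejects lookalike endings."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def describe_host(ip: str,
                  reverse: Callable[[str], Optional[str]] = reverse_lookup,
                  forward: Callable[[str], list[str]] = forward_lookup) -> dict:
    """Classify the origin of an address the way a reader of the email would."""
    name = reverse(ip)
    if name is None:
        return {"ip": ip, "name": None, "confirmed": False,
                "origin": "no DNS name available"}
    confirmed = ip in forward(name)          # forward-confirmed reverse DNS
    if not confirmed:
        origin = "unconfirmed name: do not rely on it"
    elif under_domain(name, UNI_DOMAIN):
        origin = "university network"
    else:
        # Last two labels usually hint at the provider, as the page notes
        origin = "external provider: " + ".".join(name.rstrip(".").split(".")[-2:])
    return {"ip": ip, "name": name, "confirmed": confirmed, "origin": origin}


# Constructed sample data: TEST-NET-1 addresses and invented names
SAMPLE_PTR = {
    "192.0.2.10": "dhcp-10.wlan.uni-bielefeld.de",
    "192.0.2.20": "dyn-20.customers.example.net",
    "192.0.2.30": "login.uni-bielefeld.de.example.net",  # lookalike ending
    "192.0.2.40": "pc-40.uni-bielefeld.de",              # PTR does not resolve back
}
SAMPLE_A = {
    "dhcp-10.wlan.uni-bielefeld.de": ["192.0.2.10"],
    "dyn-20.customers.example.net": ["192.0.2.20"],
    "login.uni-bielefeld.de.example.net": ["192.0.2.30"],
    "pc-40.uni-bielefeld.de": ["192.0.2.99"],
}


def describe_sample(ip: str) -> dict:
    """Same classification, but against the offline sample tables."""
    return describe_host(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"):
        print(describe_sample(ip))
```

Calling describe_host with its defaults performs real DNS queries; describe_sample shows the five outcomes offline, including the address with no name at all, which corresponds to the message the email displays in that case.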

In case of doubt: click on the link

As a general rule: If, after checking the email, you have 'even slight doubts' that the login was carried out by yourself, the safest thing to do is to click on the link in the email or go directly to https://login.uni-bielefeld.de/idp/fremdlogin and follow the instructions in the following section. In the worst case, you will then have a new password. But in any case, you have avoided the risk of someone accessing the university's IT systems in your name and with access to your data or the data entrusted to you.

I suspect someone else has logged in with my login details. What do I do first?

The most important thing now is to 'act quickly'! A person with your login can lock you out of your account at any time, and it is much more difficult to regain access from someone else than to lock them out again straight away. The starting point is the page already mentioned several times:

https://login.uni-bielefeld.de/idp/fremdlogin

or the first link in the email that starts with this address but has a long parameter appended to it. If you call up the link in the email, the marker that now identifies the device of the other person as a known device is invalidated.

The most important step, however, is to change your web password on this page:

https://login.uni-bielefeld.de/kv/password

Once you have done this, a significant part of your IT accounts at the university will be 'safely under your control again'.

Change other passwords: Email, SAP and more

You should then also change the password for your e-mail account and for Windows, VPN and WLAN access. You can do this in the PRISMA portal:

https://prisma.uni-bielefeld.de/

As an employee, you should also change the password for your SAP account. If you have used the stolen password in private IT systems as well, change it there too.

Activate 2-factor authentication

Two-factor authentication makes your login much more secure, as an attacker then needs more than your password. If your login has been compromised once, there is a high probability that attackers will try to gain access again. Two-factor authentication protects you against a whole range of possible attacks on your account and works in a similar way to other Internet services.

Exclude external devices

Changing your password should lock out all devices that had access to your account. It does no harm, however, to take a look at this page, which lists all devices and apps that have been granted access, such as the Meine Uni app:

https://login.uni-bielefeld.de/idp/devices

Assess possible damage

Now that you have secured your logins to the IT systems and are once again the only person who can log in under your name, you should invest some time in checking whether any illegitimate activity has been carried out with your login. Where the risks lie depends somewhat on your status (student or employee):

Login history

You should first take a look at the 'My Account' page:

https://login.uni-bielefeld.de/kv/

Check there which activities you do not recognise. This can give you an indication of how long and to what extent these accesses have taken place.

Your own email account

Has someone sent emails in your name? As emails can be deleted, this analysis may be incomplete.

A more insidious effect of an attack on your email account, and one that is harder to clean up, is the setting up of automatic forwarding, which allows attackers to continue reading your emails even after you have changed your password. You should check the settings of your email account via the webmailer:

https://mail.uni-bielefeld.de/

Checks for students: electronic course catalogue (eKVV)

For students, it is particularly important to ensure that course and exam registrations are still correct, at least if you are studying a subject for which such registrations are made via the electronic course catalogue (eKVV). In general, you should check your eKVV timetable.

Checks for employees

For employees, it is not so easy to compile a complete list of all the potential damage that attackers could have caused with your login. This depends very much on your tasks, so the following list gives only examples:

  • Teaching staff, instructors, lecturers: Check whether academic achievements you cannot explain have been recorded for your courses in the electronic course catalogue (eKVV), or grades in the e-examination system
  • SAP: If you have further authorisations in SAP, you should check the possible processes in more detail

Why would someone want to register under my name?

Theft of login data occurs time and again, especially through 'phishing'. The university's information security pages provide further descriptions. The motives are numerous and cannot be listed exhaustively here. However, all of the examples below have actually occurred at the university:

  • Sending spam: ownership of email accounts is very valuable to the senders of spam and phishing emails. The better the reputation of an e-mail domain such as '@uni-bielefeld.de', the more valuable it is. Such attackers are usually not very interested in personal data, their aim is to send as many unwanted emails as possible before they are stopped. This type of attacker often obtains your login details through phishing.
  • Stalking: Someone in your immediate environment is trying to monitor you or obtain information about you. In this scenario, it is possible that this person has been able to carry out extensive manipulation of your devices and may be able to access your accounts again in this way even after changing your password. Two-factor authentication can offer better protection here and you should keep an eye on your login history in the coming days.
  • Unauthorised changes in the IT systems: If you have critical authorisations in IT systems, for example as an examination office, you can become the target of attacks on your login for this reason. Attackers use your authorisations to make changes to the IT systems in their favour. In the past, there have been cases involving internal perpetrators who have shown a high level of criminal energy.
  • Blaming others for manipulation: Someone wants to carry out illegitimate manipulations in the IT systems, but does not want to be held accountable if discovered. In this scenario, you would initially be categorised as the person responsible because your login was used.
  • Industrial espionage: Research is carried out at the university, and some of these fields of research work in areas where industrial espionage is a lucrative business. Here you may be dealing with so-called APTs (Advanced Persistent Threats), i.e. powerful actors who attack again and again and are not deterred by failure. If there is any suspicion of this, it is essential that further investigations are carried out.

Why do I get these emails even though I always use the same device?

How does the login system recognise whether you have already logged in on your laptop? There is no 'identification number' or similar that we could use to uniquely identify devices such as laptops or smartphones. This is a good thing; otherwise companies that create profiles of website visitors on the Internet would immediately pounce on it.

The login system only has the option of placing a so-called 'cookie' in your web browser, thereby marking your device as a known device. The cookie relates to you or your login. If you share your device with other users, a separate cookie will be set for each person. In this message about the introduction of notifications (text in german) we have described in detail what these cookies look like and why only the login system is able to recognise to which person such a cookie belongs.

The login system therefore always sends you a notification about a login from a new device if it does not find this cookie. Logging out does not delete the cookie. In the following cases, among others, however, this can lead to more notifications than intended:

Use of incognito / private mode

Most web browsers today offer a usage mode in which no data is permanently saved. The names vary: Firefox calls it private mode, Chrome incognito mode. When such a window is closed, the cookies in particular are deleted.

If you use your web browser in this way to access the university's IT systems, you will receive a notification each time.

Web browser settings that delete all cookies

Some web browsers offer the option to delete all cookies on exit, regardless of the type of cookie. If you use such an option, this has the same effect as using a private mode: You will receive a notification the next time you log in due to the missing cookie.

At least in Firefox you can define exceptions; there you should specify that cookies from the address of the login system, login.uni-bielefeld.de, are retained.

Software designed to ensure anonymity on the Internet

If you have installed software in your web browser or operating system that promises anonymity when using the Internet, this can also cause you to be notified too often when you log in again, for the following reasons:

  • Some of these products regularly delete all cookies, even harmless ones such as those set by our login system
  • In addition, some products try to manipulate the properties of the web browser, for example the version with which a web browser identifies itself. This can lead to our login system suspecting that the cookie has been stolen and has ended up on someone else's computer. In this case, very different and implausible information about the operating systems and web browsers used will also appear in the emails with security notices

External apps

There are various external providers who offer apps, especially for students, which are intended to make it easier to organise their studies. It should first be noted that these are not supported by the university. The only official apps are the 'Meine Uni' app and the 'UniMaps' app.

The external apps usually ask for your login so that they can log in to the university's IT systems in your name and retrieve your data. These apps also do this without your active intervention in order to always have up-to-date data. Depending on how these apps are programmed, this can trigger a notification every time.

Unfortunately, the details of the web browser and operating system that you find in the notification emails are often misleading and do not give a clear indication that the access was made by an app.

Devices that have not been used for a long time

The cookie that marks a device as a known device does not have an unlimited lifespan, but it is renewed each time you log in. If you have not used a device for a long period of time, the cookie will expire at some point.
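The behaviour described in the cookie sections above (a marker that belongs to one person even on a shared computer, is renewed on every login, expires when a device is unused for a long time, is treated as suspicious when it turns up in a different browser, and is invalidated by the link in the notification) can be modelled in a few dozen lines. This is an added example, not the university's implementation: the random token, the HMAC signature that lets only the login system recognise its own cookies, the 180-day lifetime and the record layout are assumptions of this example.

```python
"""Model of the per-person 'known device' cookie and the notify decision."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

COOKIE_LIFETIME = 180 * 24 * 3600      # assumed; the page gives no number
SERVER_KEY = secrets.token_bytes(32)   # known only to the login system


@dataclass
class DeviceRecord:
    user: str        # the person this marker belongs to
    browser: str     # browser identity seen when the marker was set
    last_login: int  # unix time, refreshed on every successful login


class LoginSystem:
    def __init__(self):
        # token id -> record; the cookie value itself reveals nothing about the user
        self.records: dict[str, DeviceRecord] = {}

    def _sign(self, token_id: str) -> str:
        return hmac.new(SERVER_KEY, token_id.encode(), hashlib.sha256).hexdigest()[:32]

    def _issue(self, user: str, browser: str, now: int) -> str:
        token_id = secrets.token_hex(16)
        self.records[token_id] = DeviceRecord(user, browser, now)
        return f"{token_id}.{self._sign(token_id)}"

    def _parse(self, cookie: str):
        token_id, _, mac = cookie.partition(".")
        if not hmac.compare_digest(mac.encode(), self._sign(token_id).encode()):
            return None   # forged or damaged cookie: ignored, counts as absent
        return token_id

    def login(self, user: str, browser: str, jar: list[str], now: int) -> tuple[str, list[str]]:
        """Decide, after a correct password, whether a notification is due.

        jar holds every known-device cookie stored in this browser; on a shared
        computer there is one per person. Returns the decision and the jar as
        the browser should keep it afterwards."""
        for cookie in list(jar):
            token_id = self._parse(cookie)
            rec = self.records.get(token_id) if token_id else None
            if rec is None or rec.user != user:
                continue   # invalid, revoked, or another person's marker
            if now - rec.last_login > COOKIE_LIFETIME:
                del self.records[token_id]   # unused for too long: treat as new
                jar.remove(cookie)
                continue
            if rec.browser != browser:
                del self.records[token_id]   # marker looks copied to another browser
                jar.remove(cookie)
                return ("notify: marker presented from a different browser",
                        jar + [self._issue(user, browser, now)])
            rec.last_login = now             # renewal on every login
            return "known device: no notification", jar
        return "new device: notification sent", jar + [self._issue(user, browser, now)]

    def revoke(self, cookie: str) -> bool:
        """What the link in the notification does: the marker of the device
        that triggered the notice is invalidated, whoever holds it."""
        token_id = self._parse(cookie)
        if token_id is None:
            return False
        return self.records.pop(token_id, None) is not None


if __name__ == "__main__":
    system, t0 = LoginSystem(), 1_700_000_000
    decision, jar = system.login("alice", "Firefox", [], t0)
    print(decision)                                   # new device
    decision, jar = system.login("alice", "Firefox", jar, t0 + 3600)
    print(decision)                                   # known device
    decision, _ = system.login("alice", "Chrome", [jar[0]], t0 + 7200)
    print(decision)                                   # notify: different browser
```

Two details follow directly from the page: a second person logging in on the same browser gets their own marker and their own notification while the first person's marker is untouched, and because the marker is deleted once it is seen from a different browser, the original browser will itself trigger a notification on its next login. Anonymising extensions that alter the browser identity produce exactly this second effect.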

What can I do to reduce the number of notifications?

This depends very much on why the cookies set by the login system keep being deleted. Depending on which of the reasons above applies, different actions are needed. If the software you are using allows exceptions for certain websites, set an exception for the Internet domain 'login.uni-bielefeld.de' so that the cookies set by the login system are spared.

Can I switch off these notifications?

For security reasons, these notifications cannot be switched off. They are always sent to the E-mail address for security-relevant information.

Who can I contact if I have further questions?

If you are unsure how to deal with such an incident, please contact Support. Forward one of the emails you received from the system, and give us permission to carry out further searches in your login records.

Further points

How can I check an IP address?

On the 'My Account' page, in the 'My current device' section, you can see which IP address your currently used device is using to access the login system.

However, your IP address may change quickly, especially if you are on the move, both in a WLAN and in a mobile network, and it is then no longer possible to trace whether an IP address was previously assigned to your computer. Using a VPN also changes your IP address.

Nevertheless, a comparison of the IP address in a notification email with the address currently shown in "My Account" can provide clues, especially if you respond quickly to a notification.