Thursday, November 19, 2020

Two-factor authentication (2FA) is the extra layer of security our customers need in COVID times

Cybercriminals and hackers are eager to acquire online passwords, especially as COVID-19 runs rampant and many organizations are attempting to push the majority of their business operations online. An unprotected password can allow cybercriminals to fraudulently gain access to systems, and the important data stored in those systems. Personally identifiable information (PII) is one type of data cybercriminals are always trying to find. PII is any data that could potentially identify a specific individual, including one’s SSN, date of birth, driver license number and/or email address, to name a few. Protecting PII is essential for personal privacy, data privacy and protection, information privacy and information security. With just a few pieces of an individual's personal information, thieves can create false accounts in the person's name, incur debt, create a falsified passport or sell a person's identity to a criminal. 

What is 2FA?

Two-factor authentication (2FA) is another method of identity validation layered on a traditional identity and password (lock and key) access method, which offers several benefits:

  • Provides an extra layer of security for individuals and systems where it has been applied, reducing the risk of unauthorized access. 

  • Protects the people who have data in the system by allowing only those with legitimate business purposes to access that data, preventing criminals from using it for fraudulent purposes. 

  • Ensures that you are the only person who can access your account, even if someone knows your password.

How does it work?

Two-factor authentication requires the additional step of entering a passcode along with a username and password, making it much more difficult for someone with bad intent to obtain login information and access the data of the clients you serve. There are multiple ways a passcode can be provided to staff, including through the vendor app, a text message, a phone call or through the use of a hardware token. 

What is a hardware token?

Hardware tokens are physical devices, typically keychain-sized, that allow individuals to securely access systems remotely by generating an authentication key in the form of numbers or letters. Users input the key after an initial login to access the system.

Colorado, through the state’s Interoperability Program, is working on turning on 2FA for several state-run applications including the Child Care Automated Tracking System (CHATS), Colorado Child Welfare Training System (Trails), and the Colorado Benefits Management System (CBMS). Earlier this fall, 2FA was successfully turned on for Colorado’s Automated Child Support Enforcement System (ACSES).

Turning on two-factor authentication is just another step the state is taking to keep Coloradans’ data safe. It’s something that we encourage everyone to take advantage of to protect their own data with their personal email accounts, applications, online banking and everything in between.

Today’s blog comes from Megan Tobias, Communications Manager

Tuesday, October 27, 2020

It's a trap! Take these quick actions to avoid being an easy target for cyber criminals

A while back, I received a call from someone claiming to be from a company where a mail order of mine was delayed. They said they had a solution: If I gave them my full credit card number, instead of the final digits they had, they could send my order right away. I wasn’t believing it, so they reassured me that I could call customer service, but that they could save me time. I said “No, thanks” and hung up. When I called customer service, they had no record of anyone contacting me, but fixed the issue with my order and had it to me in no time. I later Googled the number of the person who called, and it had been associated with fraud.


Use my story as a reminder to remain suspicious of calls, emails or texts asking for personal or financial information. There’s no harm in hanging up to find the legitimate customer service number, verifying the organization contacted you and confirming there’s an issue (by the way, your social security number can’t be suspended!).


This same cautious approach will help you protect your information online. Here are some ways to protect your information and prevent cybercrime:


  1. Shield your credit/debit cards. After I experienced credit card fraud for the third time in a year, the customer service representative said I might want to use radio-frequency identification (RFID) wallets. The chip on credit/debit cards has a frequency used by some point-of-sale devices when making purchases, opening a window for thieves holding a radio frequency scanner within 10 feet of you to skim your account information. For the most part, RFID wallets can shield your cards and I haven’t had further instances of credit card fraud since I started using one. Read more on this and how to prevent other types of credit/debit card fraud.

  2. Set alerts for your credit/debit cards and bank accounts. Get notified via email, phone or text when transactions exceed a specified amount. Then let your credit card company know when and where you travel so they don’t block your card (thinking it’s a fraudulent charge). This also helps them act faster on any suspicious charges while you’re away.

  3. Back up your data. Regularly back up data on your devices to a secure cloud service and/or external storage. Nowadays, portable drives are small, can hold lots of data and are reasonably priced. Most ransomware attacks occur when you click on a link in an email or text, which installs ransomware that encrypts your device or data. Having a backup of your data ensures you don’t have to pay the perpetrators to unencrypt your data.

  4. Protect your devices and internet connections. Install antivirus software on your devices (including your home Wi-Fi) for real-time protection against viruses and malware, and use two-factor authentication for your email and any important accounts that offer the option. Additionally, use a virtual private network (VPN) to encrypt your online connection and protect your private data from prying eyes, especially when using public Wi-Fi.

  5. Keep your devices updated. Maintain the current operating system on your devices to prevent cybercriminals from exploiting vulnerabilities, which they can use to gain access to your devices and data.

  6. Use complex passwords. Systems and their passwords can and do get compromised. Apply a strategy of increased password complexity based on the value of the account and data at stake. For those with a high value, make passwords more complex and change them more frequently. Best practice is to create a password of at least 10 characters with a combination of letters, symbols and numbers, while avoiding dictionary words, even if you replace certain letters with numbers or symbols—ideally not using the same password on multiple sites. You may want to try an application that generates random and complex passwords, or a password management application that can securely store your passwords.

  7. Don’t go phishing. Be careful not to click unsolicited emails. That alone may give a third party access to your contacts, which exposes them to spam and phishing. Clicking a link within the unsolicited email also may install a virus.

  8. Avoid advertising your information on social media. Cybercriminals may be able to access your accounts with just a few data points. If you share personal information on social media, such as the names of pets or family members, criminals might be able to guess the answers to security questions for your accounts. Also, if you share where you’re vacationing, perpetrators will know your current location and that you’re not home, which makes both locations vulnerable. Use caution and consider announcing where you traveled and posting your photos after you return home.

  9. Stay alert for security breaches. About 3.5 billion people had their personal data stolen in the two biggest breaches of this century. If you have an account with an organization that experiences a breach, find out what data was stolen and immediately change your password. Take advantage of any free subscriptions to identity protection services offered by the organization and if you can afford it, consider paying for your own subscription—most services will reimburse you for financial loss due to identity theft and provide legal protection.

  10. Protect your children. Instead of blocking channels, talk to your kids about how to safely use the internet and let them know they can talk to you if they experience online bullying or harassment. Protect their devices as you would your own, and look into applications that protect them from accessing malicious and inappropriate sites.

  11. Report it. If you think you’ve been a victim of cybercrime, fraud or identity theft, alert the local police, FBI (in some cases) or the Federal Trade Commission. This helps authorities stop criminals from victimizing others in the future. Then notify the organizations where your accounts may have been compromised or stolen. Also, request a copy of your credit report.
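The password advice in item 6, as an added example that is not part of the original post: it checks the 10-character and letters/symbols/numbers rules, undoes common letter-to-symbol swaps before looking for dictionary words, and generates a random password that passes. The word list is a small constructed sample, and check_password and generate_password are hypothetical names.

```python
import re
import secrets
import string

# Constructed mini word list for the demo; a real check would load a full
# dictionary plus a list of known-breached passwords.
WORDS = {"password", "colorado", "welcome", "dragon", "sunshine"}

# Common look-alike substitutions, undone before the dictionary check.
LEET = str.maketrans("@401!3$57", "aaoliesst")

def check_password(pw: str, min_len: int = 10) -> list[str]:
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    # "P@ssw0rd" becomes "password" here, so swapped letters do not help.
    normalized = pw.lower().translate(LEET)
    for word in sorted(WORDS):
        if word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    return problems

def generate_password(length: int = 16) -> str:
    """Draw from a cryptographic RNG until every rule above is satisfied."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate

if __name__ == "__main__":
    # Constructed sample passwords, then one freshly generated.
    for sample in ("sunshine", "P@ssw0rd2020!", "C0l0r@do!!", generate_password()):
        print(repr(sample), check_password(sample) or "ok")
```
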

Today’s blog comes from Scott Davis, Security Risk & Compliance Senior Analyst

Monday, October 26, 2020

Keep your cool as election interference heats up

Election season is here, which means temperatures are cooling down, political ads are heating up and cybercriminals are ready to take advantage of the chaotic atmosphere.

The 2016 presidential election saw unprecedented misinformation and disinformation campaigns. We expect more of the same as we enter the home stretch before Election Day on November 3, along with email scams meant to steal personal or business information. 

Colorado Secretary of State Jena Griswold has launched an initiative to fight foreign interference, but it’s up to each of us to stay alert and protect ourselves. You may receive emails about the election, candidates, results, or other enticing information tailor-made to share. Remain skeptical and always check with legitimate sources, such as, before sharing with your family and friends. 

With just over a week to go, we all play a role in upholding the integrity of our democratic right to vote. Here’s what to look out for as we near the finish line:

  • Ransomware is back with a vengeance, affecting state and local governments as well as businesses of all sizes. It is typically contracted through email (phishing), often as a malicious attachment or link. Be extra vigilant and never enable macros on an attachment sent to you unsolicited.
  • An email requesting you to log in to a site (providing your username and password) to view an attached document is the most common way credentials may be stolen. Either contact the sender to verify its legitimacy or simply delete! Protect yourself with two-factor authentication any place it’s offered—your personal email is likely the key to unlocking the rest of your accounts.
  • Misinformation and disinformation come in many forms, so think before you link. Check several sources before sharing content on social media or through email and be wary of content that is meant to manipulate your emotions or sow distrust and division.

Today's blog comes from Deborah Blyth, OIT's Chief Information Security Officer

Monday, August 17, 2020

Getting Answers for Critical Assistance, Fast

The more than 1.3 million Coloradans who depend on food, cash, and medical assistance to maintain a safe and healthy livelihood for themselves and their families rightfully expect the state to timely deliver benefits, communications, and documentation to avoid adding stress to an already trying situation.

When they have questions regarding their assistance, Coloradans similarly expect the state to do everything possible to respond quickly. Before August 2019, they could contact call center agents about Colorado PEAK®—the online portal where customers apply for, change, and renew benefits—during business hours through phone calls, emails, and live online chats. However, for many in the workforce, attempting to contact support services between 7:30 a.m. and 5:15 p.m. simply isn’t an option. For others, pressing issues don’t allow for lengthy waiting periods. With 192,000 customers accessing their PEAK accounts in any given month, the need for an equitable solution was clear.

Getting customers answers, fast  

In partnership with our vendor, we explored cost-effective, agile, and innovative solutions that would improve the customer experience within PEAK and get Coloradans the answers they need, when they need them. The result was a chatbot, implemented in August 2019, with a conversational user interface that can process natural language to answer customer inquiries, direct them to other resources, or connect them to a live agent if they need a higher level of support. Here are just a few examples of what customers can find by either selecting a category or typing their own question:

  • Case ID
  • State/Member ID
  • Program status
  • PEAK application status
  • Answers to frequently asked technical support questions
  • Documentation for common use cases like signing into PEAK, accessing account details and documents, and making payments

Help, learn, repeat

Over time, the PEAK Chatbot learns from each conversation so that it can continue to improve its fluency and understand intent, including a growing recognition of common spelling errors. In the first few months, 77% of customers said the Chatbot understood their question and that number is expected to grow. Additionally, its adaptability allows the state to quickly implement new functionality in the face of ever-changing global or national economic and health care headwinds.

Getting results, with more to come

Comparing customer interactions today with those from a year ago, the PEAK Chatbot has helped a new population of Coloradans receive help on critical questions regarding their benefits. As the other PEAK support options—calls, live chats, and emails—remained flat, the Chatbot increased the number of customers served monthly by 335%. For agents, who handle about 125 live chats per day, Chatbot has been an incredible asset during challenging times and will only become more instrumental as customers discover its potential.

Long term, the Chatbot will continue to provide customers with high-quality, around-the-clock assistance. As it continues to learn and enhancements are implemented, customers will receive more and more personalized experiences. In the ever-changing economic and health care landscape, the ability of the PEAK Chatbot to quickly respond to disruptions and then adapt will allow all Coloradans to feel a sense of stability and assurance that their benefits are secure and their concerns addressed, even in challenging times.

Today's blog comes from Fred Bauters, OIT's Health IT Communications Manager