Preventing Fraud at the Front Door | Information Technology | University of Pittsburgh

Preventing Fraud at the Front Door

Signing up hundreds of participants for a new research study in just a few days is something that most researchers only dream of. One group at Pitt did just that after offering up a $10 Amazon gift card for those willing to complete their online survey. However, even with the incentive, that response seemed too good to be true. Turns out, it was, and the researchers were the victims of a bot attack.

Under Attack

A bot attack isn’t just a sci-fi plot, and it happens more often than we’d like to think. It’s when a hacker writes a program that automates the process of accessing websites and accounts. You might not think a mere $10 would be enough to attract the attention of a sophisticated hacker, but an online survey is the perfect scenario for a bot attack: a participant doesn’t need to come on site or complete a complicated research protocol. With a few lines of code to automate registration and survey completion, a hacker can sit back and rake in the gift cards.

The research team immediately contacted Regina Stroud, executive director for information technologies in the Clinical and Translational Science Institute (CTSI). CTSI manages “The Pitt+Me Registry”, an online application that recruits research subjects and matches them with studies they may qualify for. Pitt+Me is a great way for the community to get involved in clinical research, and for research teams to recruit a diverse pool of subjects. (A little monetary incentive never hurt anyone, either.)

In this case, Stroud and her team quickly realized that the hundreds of signups coming through weren’t real. At first glance, the IP addresses looked legitimate, but with some digging, they saw that many of them were from as far away as China, raising red flags.

This kind of thing happens from time to time with survey-based sites, according to Brian Petersen, assistant director for IT application development at CTSI. “Bot attacks were on our radar, particularly for studies with higher levels of compensation. But we hadn’t seen an attack of this magnitude before,” Petersen notes. “We suspect that someone had posted about the study on a Facebook page or Reddit thread and piqued the interest of hackers.”

The consequences of fraud in research studies are enormous. Fraud is expensive, not only because of improper incentive payments, but also because it can cause the loss of funding and grants. Fraud also casts suspicion on all research, causing the community to lose confidence and refuse to participate in studies that have the potential to change people’s lives. It can also skew real data outcomes. If fraud isn’t detected before publication, it can cause significant reputational harm to the investigators and the University. “There are already so many stigmas associated with research, and fraud has a domino effect that impacts everyone,” Stroud explains.

Mounting a Response

So where do you even start to respond to fraud of that magnitude? When the preliminary investigation began, the impacted study was quickly shut down. The team isolated the suspect batch of responses and worked out which responses were real and which weren’t. For a while, Petersen had to review every day’s registrations to flag suspicious activity and disable fake accounts. It was a hefty job and, frankly, not a viable long-term solution. As bot attacks started targeting several other studies, the team came close to shutting down the entire Pitt+Me website, Stroud says. Instead of taking that drastic step, they reached out to Pitt IT’s information security team.

“Pitt IT Security and CTSI have had a great working relationship for years. Consulting them was an instinctual choice, but it was also the right thing to do,” Stroud says.

Pitt IT’s Scott Weinman, senior IT security analyst, agrees. “We collaborate with CTSI regularly during quarterly data governance meetings, where we talk about CTSI and Pitt IT projects, and how we can work together. This has ensured a consistent relationship, even as personnel have changed over time in both departments.”

“It was a learning experience for both sides,” Stroud says. “With a custom-built application like the Pitt+Me registry, CTSI had the specific knowledge about the service, as well as extensive experience working with HIPAA-protected personal data, while Pitt IT Security was an expert in best practices from an enterprise network perspective.”

Pitt IT Security recommended bot detection software that runs at the gateway of the Pitt+Me server, before a user ever reaches the site. A first test run of the software flagged broad swaths of IP addresses, which ended up blocking a majority of legitimate traffic too. So it was switched to “alert mode”, which simply reported on traffic to the site so the team could determine which criteria accurately distinguished fraudulent from legitimate activity. It took about six weeks to gather and analyze the necessary data. Pitt IT Security then fine-tuned the software’s fraud detection rules to catch truly fraudulent traffic and implemented Captcha technology to weed out questionable logins.
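The alert-mode-first approach described above can be illustrated in code. The following is an added example written for this article, not the Pitt+Me registry’s or the vendor’s software: it replays a constructed registration log (RFC 5737 documentation addresses, made-up timestamps and completion times) through two candidate rules, a broad “non-US address” rule like the first test run that over-blocked, and a tuned rule based on per-IP registration bursts and impossibly fast survey completion. In alert mode every signup is still accepted and the flags are only reported, so the rule can be scored against what the manual review found (here a constructed `KNOWN_BOT_IPS` set) before block mode is switched on. The thresholds (5 registrations per IP per 60 s, 30 s minimum survey time) are assumptions for the example.

```python
"""Alert-mode versus block-mode triage of study registrations.

Added example for this article; not the Pitt+Me registry's own code. The log
format, addresses, thresholds and ground truth below are all constructed.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class Signup:
    ts: datetime
    ip: str
    country: str
    seconds_to_complete: int  # registration -> survey submission


# Constructed sample log: "<timestamp> <ip> <country> <seconds_to_complete>".
# Six rapid signups from 192.0.2.5 play the role of the bot burst; the CN
# address at 09:10 is a legitimate overseas participant.
SAMPLE_LOG = """\
2023-03-01T09:00:01 203.0.113.10 US 612
2023-03-01T09:01:15 198.51.100.7 US 540
2023-03-01T09:02:00 203.0.113.44 GB 480
2023-03-01T09:02:03 192.0.2.5 CN 8
2023-03-01T09:02:04 192.0.2.5 CN 7
2023-03-01T09:02:05 192.0.2.5 CN 9
2023-03-01T09:02:06 192.0.2.5 CN 8
2023-03-01T09:02:07 192.0.2.5 CN 6
2023-03-01T09:02:08 192.0.2.5 CN 7
2023-03-01T09:10:00 203.0.113.77 CN 590
"""

# Constructed ground truth standing in for what the manual review found.
KNOWN_BOT_IPS = {"192.0.2.5"}

# A rule receives the current signup plus the signups seen inside the
# sliding window and returns the list of reasons it fired (empty = clean).
Rule = Callable[[Signup, List[Signup]], List[str]]


def parse_log(text: str) -> List[Signup]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, secs = line.split()
        rows.append(Signup(datetime.fromisoformat(ts), ip, country, int(secs)))
    return rows


def broad_rule(s: Signup, recent: List[Signup]) -> List[str]:
    """The over-broad first attempt: treat every non-US address as a bot."""
    return ["non_us_ip"] if s.country != "US" else []


def tuned_rule(s: Signup, recent: List[Signup]) -> List[str]:
    """Behavioural rule: bursts from one address and impossibly fast surveys."""
    reasons = []
    same_ip = [r for r in recent if r.ip == s.ip]
    if len(same_ip) + 1 >= 5:          # assumed threshold: 5 per IP per window
        reasons.append("burst_from_ip")
    if s.seconds_to_complete < 30:      # assumed: no human finishes in <30 s
        reasons.append("impossibly_fast_survey")
    return reasons


def triage(signups: List[Signup], rule: Rule, mode: str = "alert",
           window: timedelta = timedelta(seconds=60)
           ) -> Tuple[List[Signup], List[Tuple[Signup, List[str]]]]:
    """Replay signups in time order; return (accepted, flagged).

    In "alert" mode flagged signups are reported but still accepted, so the
    rule can be measured first. In "block" mode they are rejected.
    """
    accepted, flagged = [], []
    recent: deque = deque()
    for s in sorted(signups, key=lambda x: x.ts):
        while recent and s.ts - recent[0].ts > window:
            recent.popleft()            # drop signups outside the window
        reasons = rule(s, list(recent))
        recent.append(s)
        if reasons:
            flagged.append((s, reasons))
            if mode == "block":
                continue
        accepted.append(s)
    return accepted, flagged


def evaluate(rule: Rule, log: str = SAMPLE_LOG,
             known_bot_ips=KNOWN_BOT_IPS) -> Dict[str, int]:
    """Score a rule in alert mode against the reviewed ground truth."""
    signups = parse_log(log)
    _, flagged = triage(signups, rule, mode="alert")
    flagged_ids = {id(s) for s, _ in flagged}
    tp = sum(1 for s, _ in flagged if s.ip in known_bot_ips)
    missed = sum(1 for s in signups
                 if s.ip in known_bot_ips and id(s) not in flagged_ids)
    return {"true_positives": tp, "false_positives": len(flagged) - tp,
            "missed": missed}


if __name__ == "__main__":
    for name, rule in (("broad", broad_rule), ("tuned", tuned_rule)):
        print(name, evaluate(rule))
```

Run in alert mode, the broad rule catches all six bot signups but also flags the GB and the legitimate CN participant, exactly the over-blocking the first test run produced; the tuned rule catches the same six with no false positives. Only once the alert-mode scores look like that is it safe to flip `mode="block"`.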

The software has produced a significant reduction in fraud activity and increased trust from research partners. “Luckily, we have not seen anything like the magnitude of the issue we saw last year,” Stroud says. “The manual checks are still in place if something appears to have slipped through. But the number of cases reported every day has dropped drastically to only a few per month.”

Lesson for Moving Forward

Stroud, Petersen, and Weinman all recommend that departments build security into their project from the beginning. Taking fraud seriously at the start can be the difference between a major clean-up process and a slightly longer startup. Working with Pitt IT Security during the planning phase of any major public-facing IT project is step one.

“At Pitt IT, we are passionate about providing outstanding collaborative services to our research colleagues across the University. By engaging early and often, we can help accelerate innovative solutions that enable our faculty and students to succeed in both their research and impact, not only for their departments and schools, but also for the greater good of the University, our communities, and globally,” Sandra Brandon, Pitt IT strategic research liaison says.

Petersen recommends making it standard practice to consider: what a server or service will be used for, whether it is public facing, and if bot detection is appropriate. Weinman agrees. “We know that many security measures, like Duo prompts and Captcha tests, can be a little annoying, but they really are the added layers of protection that keep our digital assets safe. We are keenly aware of finding the balance between usability and risk, and that balance might look different depending on what the service does or the data that is stored.” He encourages people to make Pitt IT a partner at all phases of a project.

Hacking scares, fraudulent activity, and bot attacks can happen to anyone, but the most important step is to contact Pitt IT right away. Preventive measures that ensure your site never has to respond to an incident are the ultimate win. Contact Pitt IT today for a security review of your planned project. We are better, and safer, together!

-- By Claudia Huggins, Pitt IT Student Blogger
