Preventing Fraud at the Front Door
Wednesday, March 15, 2023 - 12:54
Signing up hundreds of participants for a new research study in just a few days is something that most researchers only dream of. One group at Pitt did just that after offering up a $10 Amazon gift card for those willing to complete their online survey. However, even with the incentive, that response seemed too good to be true. Turns out, it was, and the researchers were the victims of a bot attack.
A bot attack isn’t just a sci-fi plot, and it happens more often than we’d like to think. It’s when an attacker writes a program that automates the process of accessing websites and accounts. You might not think a mere $10 would be enough to attract the attention of a sophisticated attacker, but it’s the perfect scenario for a bot attack, since a person doesn’t need to come on site or complete a complicated research protocol. A few lines of code to automate registering and filling out the survey, and the attacker can sit back and rake in the gift cards.
The research team immediately contacted Regina Stroud, executive director for information technologies in the Clinical and Translational Science Institute (CTSI). CTSI manages “The Pitt+Me Registry”, an online application that recruits research subjects and matches them with studies they may qualify for. Pitt+Me is a great way for the community to get involved in clinical research, and for research teams to recruit a diverse pool of subjects. (A little monetary incentive never hurt anyone, either.)
In this case, Stroud and her team quickly realized that the hundreds of signups coming through weren’t real. At first glance, the IP addresses looked legitimate, but with some digging, they saw that many of them were from as far away as China, raising red flags.
This kind of thing happens from time to time with survey-based sites, according to Brian Petersen, assistant director for IT application development at CTSI. “Bot attacks were on our radar, particularly for studies with higher levels of compensation. But we hadn’t seen an attack of this magnitude before,” Petersen notes. “We suspect that someone had posted about the study on a Facebook page or Reddit thread and piqued the interest of hackers.”
The consequences of fraud in research studies are enormous. Fraud is expensive, not only because of improper incentive payments, but also because it can lead to the loss of funding and grants. Fraud also casts suspicion on all research, causing the community to lose confidence and refuse to participate in studies that have the potential to change people’s lives. Not to mention that it can skew real data outcomes. If fraud isn’t detected before publication, it can cause significant reputational harm to the investigators and the University. “There are already so many stigmas associated with research, and fraud has a domino effect that impacts everyone,” Stroud explains.
Mounting a Response
So where do you even start to respond to fraud of that magnitude? When the preliminary investigation began, the impacted study was quickly shut down. The team isolated the suspect batch of responses and worked out which were real and which weren’t. For a while, Petersen had to review every day’s registrations to flag suspicious activity and disable fake accounts. It was a hefty job and, frankly, not a viable long-term solution. As bot attacks started targeting several other studies, the team came close to shutting down the entire Pitt+Me website, Stroud says. Instead of taking that drastic step, they reached out to Pitt IT’s information security team.
“Pitt IT Security and CTSI have had a great working relationship for years. Consulting them was an instinctual choice, but it was also the right thing to do,” Stroud says.
Pitt IT’s Scott Weinman, senior IT security analyst, agrees. “We collaborate with CTSI regularly during quarterly data governance meetings, where we talk about CTSI and Pitt IT projects, and how we can work together. This has ensured a consistent relationship, even as personnel have changed over time in both departments.”
“It was a learning experience for both sides,” Stroud says. “With a custom-built application like the Pitt+Me registry, CTSI had the specific knowledge about the service, as well as extensive experience working with HIPAA-protected personal data, while Pitt IT Security was an expert in best practices from an enterprise network perspective.”
Pitt IT Security recommended bot detection software that operates at the gateway of the Pitt+Me server, before a user ever reaches the site. A first test run of the software flagged broad swaths of IP addresses, which ended up blocking a majority of legitimate traffic too. So it was switched to “alert mode”, which simply reported on traffic to the site so the team could determine which criteria accurately distinguished fraudulent activity from legitimate activity. It took about six weeks to gather and analyze the necessary data. Pitt IT Security was then able to fine-tune the software’s detection rules to catch truly fraudulent traffic, and implemented Captcha technology to weed out questionable logins.
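The alert-then-enforce workflow described above, as an added illustration rather than the vendor software’s or CTSI’s code: a first-cut rule that over-blocks is compared with a tuned rule on a batch of signups whose labels came from manual review. The signals, thresholds and sample signups are constructed assumptions.

```python
from collections import Counter

# Constructed sample signup events (not real Pitt+Me data). `bot` is the verdict
# the manual review reached; in production it is unknown until someone checks.
SIGNUPS = [
    {"ip": "203.0.113.10", "country": "US", "secs": 410, "bot": False},
    {"ip": "203.0.113.11", "country": "US", "secs": 380, "bot": False},
    {"ip": "198.51.100.7", "country": "CA", "secs": 520, "bot": False},
    {"ip": "198.51.100.9", "country": "GB", "secs": 615, "bot": False},
    {"ip": "192.0.2.50", "country": "CN", "secs": 12, "bot": True},
    {"ip": "192.0.2.50", "country": "CN", "secs": 9, "bot": True},
    {"ip": "192.0.2.50", "country": "CN", "secs": 11, "bot": True},
    {"ip": "192.0.2.51", "country": "CN", "secs": 14, "bot": True},
]

def broad_rule(ev, per_ip):
    """First-cut rule: anything outside the US is suspect. Over-blocks real people."""
    return ev["country"] != "US"

def tuned_rule(ev, per_ip):
    """Tuned rule: act only when at least two independent signals agree."""
    burst = per_ip[ev["ip"]] >= 3     # many signups from one address in the batch
    too_fast = ev["secs"] < 60        # survey finished faster than a human could read it
    foreign = ev["country"] != "US"   # outside the study's recruitment region
    return (burst + too_fast + foreign) >= 2

def run(events, rule, mode):
    """Apply `rule` to every event. In 'alert' mode nothing is blocked; verdicts are
    only recorded so their accuracy can be measured before 'enforce' is switched on."""
    assert mode in ("alert", "enforce")
    per_ip = Counter(ev["ip"] for ev in events)
    flagged, blocked = [], []
    for ev in events:
        if rule(ev, per_ip):
            flagged.append(ev)
            if mode == "enforce":
                blocked.append(ev)
    return {"flagged": flagged, "blocked": blocked}

def score(events, rule):
    """Compare a rule's verdicts with the manual review: real users it would have
    blocked (false positives) and bots it would have let through (missed_bots)."""
    per_ip = Counter(ev["ip"] for ev in events)
    fp = sum(1 for ev in events if rule(ev, per_ip) and not ev["bot"])
    fn = sum(1 for ev in events if not rule(ev, per_ip) and ev["bot"])
    return {"false_positives": fp, "missed_bots": fn}

if __name__ == "__main__":
    for name, rule in (("broad", broad_rule), ("tuned", tuned_rule)):
        flags = len(run(SIGNUPS, rule, "alert")["flagged"])
        print(name, score(SIGNUPS, rule), "alert-mode flags:", flags)
```

Scoring the alert-mode verdicts against the reviewed batch is what tells you the broad rule would have turned away the Canadian and British participants, while the tuned rule catches the same bots without them.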
The software has caused a significant reduction in fraud activity, and increased trust from research partners. “Luckily, we have not seen anything like the magnitude of the issue we saw last year,” Stroud says. “The manual checks are still in place if something appears to have slipped through. But the number of cases reported every day has dropped drastically to only a few per month.”
Lessons for Moving Forward
Stroud, Petersen, and Weinman all recommend that departments build security into their projects from the beginning. Taking fraud seriously at the start can be the difference between a major clean-up effort and a slightly longer startup. Working with Pitt IT Security during the planning phase of any major public-facing IT project is step one.
“At Pitt IT, we are passionate about providing outstanding collaborative services to our research colleagues across the University. By engaging early and often, we can help accelerate innovative solutions that enable our faculty and students to succeed in both their research and impact, not only for their departments and schools, but also for the greater good of the University, our communities, and globally,” Sandra Brandon, Pitt IT strategic research liaison says.
Petersen recommends making it standard practice to consider what a server or service will be used for, whether it is public facing, and whether bot detection is appropriate. Weinman agrees. “We know that many security measures, like Duo prompts and Captcha tests, can be a little annoying, but they really are the added layers of protection that keep our digital assets safe. We are keenly aware of finding the balance between usability and risk, and that balance might look different depending on what the service does or the data that is stored.” He encourages people to make Pitt IT a partner at all phases of a project.
Hacking scares, fraudulent activity, and bot attacks can happen to anyone, but the most important step is making sure you contact Pitt IT right away. Preventive measures that keep your site from ever having to respond to an incident are the ultimate win. Contact Pitt IT today for a security review of your planned project. We are better, and safer, together!
-- By Claudia Huggins, Pitt IT Student Blogger