Cyber Security Focus - 2. A Guide to Protecting Your Online Identity

Your online identity is at risk. In a world where we’re all spending more time online, we’re building increasingly comprehensive profiles of information on the web.

These days, you can Google almost anyone and find out what they look like, where they’re from, what they do for a living and more.

Unfortunately, just like your “offline” identity, your online presence is subject to threats.

The more fraudsters and scammers can find out about you online, the more exposed you are to problems like identity theft, theft, and more. In fact, around half of all fraud incidents in 2019 throughout the UK were cyber-related.

What is an Online Identity, and Why is it Important?

Simply put, your online identity is a series of data points related to who you are and what you do online. The information available about you in the digital world can range all the way from photos posted on social media, to email addresses, telephone numbers, and even bank details.

Every time you log onto a website with your email address, share something on Facebook, or fill out a form online, you’re submitting information about yourself to the web. This “digital identity” is quickly becoming a key target for criminals.

Learning how to protect your digital identity is important because we’re all spending more time online and sharing more information on the web. Younger people (the generations most active online) are seeing a rapid increase in the number of attacks they face on the web. In fact, people in their 20s and 30s are twice as likely as people 40 and over to report losing money online.

Younger adults who are more likely than other age groups to use mobile apps for payments, transfer money online, and manage their finances online are also 77% more likely than older people to lose money through email scams.

General Rules for Online Privacy and Safety

Protecting yourself from fraud, hackers, and cybercriminals means making your digital identity more difficult to access. This can seem like a huge task when you consider how much information most people share online every day, but the process can be simpler than it seems. All you need to do is start with some basic steps, such as:

  • Limit the information you share: Avoid sharing more information about yourself online than you absolutely need to. You don’t necessarily need to give your real name and address to sign up for an email newsletter, for instance.

  • Use stronger passwords: Choose strong, unique passwords to protect yourself against hackers. Your passwords should be unique, long, and not something someone can easily guess. Diceware is a great tool for generating random passwords if you’re struggling.

  • Never use the same password more than once: If a hacker guesses one of your passwords, and you’re using the same details on other applications, they can easily gain access to a wider number of accounts. Switch up your passwords, and use password managers if you have a hard time remembering everything.

  • Use multi-factor authentication: Multi-factor authentication requires you to enter a code sent to your email or phone number, or another form of authentication outside of a password to access vulnerable accounts. This reduces your risk of security breaches.

Protecting Your Identity on Social Media

Social media is one of the biggest sources of information hackers can access when collecting data on a potential target. These days, virtually anyone can find out a lot about who you are just by checking your Facebook or Instagram page. Think carefully about how you share content online.

Most social media channels will allow you to adjust your privacy settings, so your information is only available to people within your social circle. Make the most of this feature to lock strangers out of your digital identity. You could also consider using an alias or nickname instead of your real name.

When you’re finished using social media websites, log out of them or use private/incognito browsing to prevent hackers from tracking you around the web.

When you’re on social media, make sure you never share information like:

  • The name of your first school

  • Your mother’s maiden name

  • Information about when you’ll be in or out of town

  • Location data, like your address

  • Details of expensive new purchases

Staying Secure When Surfing the Web

When you’re surfing the web, you’re not just browsing online, you’re also leaving a trail of information wherever you go. Your browser automatically collects historical information and cookies as you surf. A good way to reduce the amount of data collected is to use an incognito or private browsing mode. Just remember, incognito mode will only stop browsers from saving information – it does not make your browsing anonymous.

If you want to browse more anonymously, a VPN can hide your location and stop your internet service provider (ISP) from seeing your web activity. However, many VPNs will still store your information, so you’ll need to ensure you trust the service.

When browsing the web, be cautious about the sites you visit. All of the websites you use should be protected with HTTPS. This means the web pages are encrypted. When a site uses HTTPS, ISPs and other third parties can see the web addresses you visit, but they can’t see what you’re doing or intercept data.

Make sure your website addresses begin with ‘HTTPS’. The browser extension “HTTPS Everywhere” can ensure you always use HTTPS when possible.

Remember, fake websites are common too. While they might look like they belong to a legit company, they can steal data like login and payment details. Always double-check you’re using the correct web address for any company. Most browsers can tell you if there’s a problem with a site’s security or encryption, which is often a clue that the site is not genuine.

Protecting Your Emails

Finally, email is another area where your digital identity is at risk. Studies suggest 1 in every 99 emails is a phishing attack.

A good way to protect yourself is to silo your emails. Have one primary account you use for the most important things, like connecting with friends and banking. For other services, you can use disposable email addresses and secondary emails.

Not only will a secondary email add an extra layer of protection, but it can help to reduce the amount of spam in your inbox too.

It’s crucial to protect your email address because it’s usually the tool you’ll use to recover access to other accounts. Watch out for:

  • Scam emails: Scammers will often send emails that appear as though they’re from legitimate companies, like banks, payment services, and delivery companies. These can often contain files with viruses, or links to fake websites.

  • Requests for sensitive data: Legitimate companies will never ask for bank details, passwords, or other sensitive information over email.

  • Blackmail: Blackmail scams, where people claim to have information about you in order to convince you to send them money, are common.

While the online world can be a dangerous place, it’s important to remember there are plenty of ways to protect yourself with the right strategy. Use the steps above to keep your online identity secure.

Written in collaboration with Rebekah Carter, Contributor at

Photo by Cottonbro

Written by Broadband Genie on June 16, 2022 14:16

Cyber Security Focus - 1. Passwords and Beyond

Awareness of the topic of cyber security is becoming more prevalent in the mainstream. Where it was once the fixation of computer scientists and engineers, lay people are increasingly beginning to understand the importance.

Most people will understand the potential problems of cyber criminals gaining access to things like their bank account and take appropriate precautions but many are still lax when it comes to cyber security in general.

There are some very clever pieces of software out there that ‘crack’ passwords or exploit weaknesses in the security of a Web service in order to access private data. But so much criminal activity is predicated on ‘hacking the human’ - i.e. good old fashioned opportunism, and confidence tricks.

As an individual there is little you can do to influence the security systems of the services you use - other than to vote with your ‘cyber’ feet and refuse to use online services which don’t take security seriously. However, there is much an individual can do to minimise risk.

In this upcoming series of articles we will look at some of these related topics.

In the first article we’ll look at passwords and the move towards two or three factor authentication.

The use of passwords to access online services is nearly as old as the Web itself. Most services will ask for a username (often an email address) and password in order to grant access to the system. This is an example of ‘One-factor Authentication’ - it relies on asking something of the user that it is assumed the user (and only that user) and the system knows.
The system is based on the assumption that the user is keeping this bit of information safe. Therefore if the system asks the user for that bit of information and they offer that piece of information and it matches the information the system knows, then the user is assumed to be identified. In an ideal world there is nothing wrong with this system.

The inherent weakness occurs when that piece of information i.e. a password, is discovered by a malicious 3rd party.

There are three sources from which this information could be ‘stolen’:
i) The system itself:
Despite what Hollywood movies may portray, this is actually harder than it seems (for a well maintained system).
ii) A second system:
This is where you use the same username/password combination on more than one service. Should one of those services be compromised, a simple hacker script will try those credentials on a list of other services to see if they can gain access. For instance, let's imagine you have an account on a simple local news sharing site. You access this using your email address and a password. Now let's say the security is lacking somewhat and a criminal manages to get a list of emails and passwords for all the accounts on that system. There are 2.9 billion Facebook accounts, so it is a reasonable assumption that some of those people with accounts on the news Website also have a Facebook account. It's a task of seconds to try the stolen list of email addresses and passwords against the Facebook login process. Anyone with an account on the news site who uses the same email address and password combination on Facebook has now had their Facebook account hacked. What's worse is that Facebook can act as an authentication agent for other services - have you ever been to a Web service which offers the ability to 'Register or Log in with Facebook'? Thus we see that the simple mistake of duplicating an email and password combination on a vulnerable site has unlocked a whole raft of other accounts!
iii) The User themselves:
This is by far the most common way in which passwords are stolen. This could include leaving the password on a post-it note, maintaining a document or notebook with a list of passwords, sharing it with someone with compromised security, or sending or storing it in a non-secure place such as an email or text message. You could also fall prey to some kind of deceit where you believe you are entering your details into a valid service, but it is actually a fake site which will collect your data. This is a form of ‘phishing’ which we will look at in a future blog in this series.

As mentioned above, there is little you can do personally about the first case, but the second two are well within the individual's control to guard against.

In the second case ‘compromising a second system’, the advice is simple.

This is even more important if you use that same password for your email.
Many systems will assume an email inbox to be secure. So, for instance, if you forget your password and request a reset, most secure systems will email a link to the address associated with your account. You therefore need access to your email to confirm the reset request.

If you have used the same password for your email, not only can a criminal access your account for the compromised service, they can access your email and change passwords, thus locking you out. They can then request password resets of other services and confirm those, thus gaining access to countless other accounts.
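The chain described above (a reused password, then the email inbox, then password resets and 'Log in with Facebook') can be worked through on your own list of accounts. The following is an added example, not part of the original article: the account inventory, service names and passwords are constructed, and the model is simplified (any exposed account is assumed to be fully controlled).

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Account:
    service: str
    username: str
    password: Optional[str] = None   # None = no password of its own (federated login only)
    reset_via: Optional[str] = None  # service whose inbox receives this account's reset links
    sso_via: Optional[str] = None    # provider behind a "Log in with ..." button


def blast_radius(accounts, breached):
    """Map every account reachable from one breached service to the reason it falls."""
    by_name = {a.service: a for a in accounts}
    exposed = {breached: "breached directly"}
    queue = deque([breached])
    while queue:
        src = by_name[queue.popleft()]
        for acct in accounts:
            if acct.service in exposed:
                continue
            same_login = (acct.username, acct.password) == (src.username, src.password)
            if acct.password is not None and same_login:
                reason = f"same username/password as {src.service}"
            elif acct.reset_via == src.service:
                reason = f"password reset link goes to {src.service}"
            elif acct.sso_via == src.service:
                reason = f"logs in with {src.service}"
            else:
                continue
            exposed[acct.service] = reason
            queue.append(acct.service)
    return exposed


# Constructed inventory: one password reused on the news site, Facebook and email.
EMAIL = "alice@example.com"
REUSED = [
    Account("local-news", EMAIL, "Spring2022!", reset_via="mail"),
    Account("facebook", EMAIL, "Spring2022!", reset_via="mail"),
    Account("quiz-app", EMAIL, sso_via="facebook"),
    Account("mail", EMAIL, "Spring2022!"),
    Account("bank", EMAIL, "kX9#unique-to-bank", reset_via="mail"),
]
# The same inventory after giving every account its own password.
UNIQUE = [replace(a, password=f"unique-{i}") if a.password else a
          for i, a in enumerate(REUSED)]

if __name__ == "__main__":
    for label, inventory in (("reused", REUSED), ("unique", UNIQUE)):
        print(label)
        for service, reason in blast_radius(inventory, "local-news").items():
            print(f"  {service}: {reason}")
```

With the reused password, the breach of the news site reaches all five accounts, including the bank whose own password was unique; with unique passwords it stops at the news site.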

To guard against the most common vulnerability - the user's own actions, you should take precautions to never share or document your password.

Sharing passwords with other staff members in a school is an all-too-common occurrence. We find that even though all our subscriptions allow the addition of extra staff accounts at no extra cost, many schools still circulate their account details to colleagues in order to access resources.

Of course, the real world issue is that people have countless accounts on a variety of Web based services and expecting people to have the ability to remember them all is a tall order.

One solution is to use a password manager. These are a secure method of storing your passwords against a specific username and web address which can be accessed through a single password. You may already have one of these if you, for instance, use Chrome as a browser and have a Google account or maybe you have activated the Keychain system built into Apple devices.

There are a number of third party password manager options - some of which are reviewed here.

A second approach may simply be to actively forget most passwords. Concentrate on remembering the passwords for the services you use often and forget the rest. Make sure you remember your email account password - and make sure it’s a good secure one.

Then for any service you log into infrequently, set up a complex password - the secure passwords suggested by your browser are a good bet. Then each time you want to access those sites, simply go through the password reset process - this will normally take you less than a minute.

For more tips on passwords see our article: How do you manage passwords with primary school children?

As we discussed earlier - a username/password combination is an example of One-factor or Single-Factor authentication. Given the inherent problems with this, many services are looking more to Two-factor or even Three-factor authentication.

Two-factor authentication - often written as 2FA:
If we think of Single-factor authentication as “Something the user knows” we can think of Two-factor authentication as Single-factor authentication with the addition of “something the user has”. This may be something like a fob that can generate a code based on a specific context. Think about the card reader you may use to confirm a transfer with your online banking. It could also be an app running on your phone or the phone itself - have you ever had a service send a text message with a confirmation code that you need to enter into a Web site before you may gain access? PayPal, for instance, uses this method.

Three-factor authentication (3FA):
This method builds on the previous two. Not only does it want evidence of ‘Knowledge’ (something the user knows) and ‘Possession’ (something the user has), it further requires ‘Inherence’ - “Something the user is”. This is not just authorisation based on access to specific credentials, but also on who is actually trying to use the credential.

Third factor authentication credentials are all biometric, such as the user’s voice, hand configuration, a fingerprint, or a retina scan etc. We may be aware of smart phones or laptops which use fingerprint or facial recognition to unlock the device. This is the kind of tech that may be used in three-factor-authentication.

Strictly speaking it is only 3FA if these biometric methods are used in conjunction with the previous two factors. So although the unlocking of your phone with your fingerprint uses a biometric method, it is not necessarily in itself an example of 3FA.

We will see the higher factors of authentication used more and more often as the arms race between security systems and cyber criminals continues ever onward.

As ever, the advice remains the same. Be sensible, don’t fall into predictable patterns of password usage, and don’t share your security credentials with other people or duplicate them across other services.

Written by Safeguarding Essentials on April 01, 2022 15:41

Two Weeks to Take Global Action Against Malware

The National Crime Agency is urging members of the public to take action which will help fight the effects of two specific cyber threats.

In a globally co-ordinated awareness campaign, crime fighting forces in the UK, along with the FBI and collaborators in a number of other countries are encouraging members of the public to take steps which will not only help protect themselves from risk, but also cause significant disruption to the effectiveness of the network which supports the malware around the World.

According to the National Crime Agency, GOZeuS and CryptoLocker are two systems estimated to be responsible for the loss of hundreds of millions of pounds globally. While the two systems are distinct in the way they operate, they both take advantage of security holes on a user's computer.

Put as simply as possible, GOZeuS operates by sending emails to ‘victims’, seemingly from a familiar contact (so they look genuine), but which contain links to the malware. Once the link has been clicked, the malware is downloaded and then operates in the background, waiting for the opportunity to collect banking or personal information. This information is fed back to the criminals using a network of infected machines.

If GOZeuS considers the information it finds not to be financially rewarding, CryptoLocker is activated. This system encrypts the files on the machine and then offers to unlock them in return for payment – in essence a ransom for the release of the files.

The more members of the public that are able to take steps to protect their computers, the more chance there is of the network of infected computers (or BotNet) being disrupted and this in turn will help to reduce the effectiveness of both malware systems.

There are some simple steps that can be taken to help protect your computer – which also apply to general e-safety. These include:

  • Making sure your anti-virus/anti-malware is up to date

  • Changing your passwords

  • Keeping your operating system current with updates and security patches

Further information is available from CERT-UK. There are also helpful tips on the Get Safe Online website.

If you would like to discuss Malware with your students, it is covered in the lesson plans and assembly plans available to E-safety Support Premium and Premium Plus members.

Written by Safeguarding Essentials on June 03, 2014 13:49
