This guide is all about the things that students can do to stay safe and secure on the internet. It is intended as a basic backgrounder for college-age students, but the suggestions and best practices on how to increase personal security will work for everyone.
News about yet another data breach is a nearly never-ending stream of bad tidings. Each week brings headlines decrying the breach de jour. Billions of records containing personally identifiable information (PII), including user names and passwords, are exposed each year. Students tend to be hyperconnected and must take steps to protect themselves from online predators.
Online threats to which students have a particular vulnerability include social engineering, spam, adware, trojans, worms, and phishing.
No discussion of internet safety is complete without a thorough examination of password security. Good password practices are the best way to protect devices and online accounts.
The security industry is feverishly trying to find a better solution for online safety than is provided by user name and password combinations. As of yet, no reasonable alternatives have surfaced, at least not for general use by the public.
Several enhancements to passwords, such as biometrics and multi-factor authentication (MFA), have provided significant improvements, but they are essentially still password-based solutions. In the current state of security evolution, password protection is critical.
Biometric authentication, as commonly used for mobile device access, is primarily for convenience. It is much easier to use a fingerprint to access a smartphone than it is to enter a password. This solution is still password-based, just faster and easier. In effect, the biometric reader authenticates the user’s fingerprint and then provides the password to the device or app. However, the password still exists and could be used manually even if the biometric input is missing.
Device and app biometric authentication provide a marginal level of additional security in that the use of a fingerprint reader lowers the possibility of a password being observed and therefore stolen by an onlooker. Biometric readers gained popularity as a result of their use as fingerprint, hand geometry, and facial recognition readers in physical access controls. The use of biometrics in these physical security systems provides a higher level of security since the only method for accessing a secure area is by use of the biometric, or the biometric input in combination with an access card. Device and app logical access controls do not enjoy this same increase in security since the alphanumeric password can be entered in place of the biometric input, in most cases.
Multi-factor authentication, on the other hand, provides substantial security benefits. Sometimes called Two Factor Authentication (2FA) or 2-Step Verification, MFA requires at least one additional piece of evidence for account or device login. This second piece of evidence is most commonly a one-time code sent to the user on their cell phone. This method provides higher security since it is highly unlikely that a hacker would have access to the user’s device to receive this code.
An SMS text message to a cell phone is currently the most common means for delivering the 2FA one-time code. This process works well because there is no new app to install or additional setup required. In the event of an unauthorized access attempt, the SMS text alerts the user to the activity. The user can then change their password.
SIM swap scam
In some documented cases, crooks have subverted the 2FA SMS one-time code safeguard by employing a SIM swap scam. With this ploy, a hacker uses social engineering to get a replacement SIM card for the victim’s phone or convinces the carrier to switch the number to a SIM already owned by the fraudster. By diverting incoming messages, scammers can easily intercept a two-factor authentication text message and use it to assist with an account takeover attack.
Protecting against a SIM swap scam is difficult. The person being swindled is not the owner of the cell number, rather it is an employee of the cell carrier. A hacker with honed social engineering skills can be difficult to stop. There are however some protections that can be implemented.
Having a PIN or passcode for your cell phone account will make it more difficult for a hacker to social engineer a SIM swap. Virtually all carriers either require a PIN or offer the use of a PIN as an option. Authentication apps are another, and likely a better long-term protection method.
The National Institute of Standards and Technology (NIST) no longer recommends SMS-based 2FA. They now lean toward the use of authenticator apps. These mobile apps are not susceptible to SIM swapping. The app provides authentication and can work even without mobile coverage.
Authenticator Apps for students looking to upgrade their internet safety include:
Some password managers, discussed below, can also provide this functionality.
Long vs. complex
Historically, conventional wisdom for passwords was focused more on complexity than length. The thinking was that long passwords are too difficult to remember, and short passwords are too easy to compromise using brute force attack software. Therefore, security researchers thought that shorter but complex passwords were the best solution.
Many organizations prescribed that subscriber chosen passwords were limited in length and included at least one of the following:
- Lowercase letter
- Uppercase letter
- A special character, such as a punctuation mark
This thinking has changed.
The previous thinking about password length vs. complexity failed to take into consideration the human factor. Humans are inclined to find the path of least resistance so they can get their work done and get on with life. It became apparent that people usually can not remember complex passwords. People found methods for simplifying the password protection process, such as writing them down and reusing them for multiple accounts. Both of which are awful ideas.
NIST recently changed their recommendations for passwords. The main change among them pertains to complexity.
NIST states, “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets.”
Current thinking favors the idea that longer is better, providing the user can remember the password — this thinking has given birth to the idea of a passphrase. A passphrase is a small set of words and numbers that are long but easily remembered by the user. NIST encourages the use of passphrases.
The table below shows a comparison of password and passphrase. It indicates the advantages of using a passphrase.
|Length||Complexity||Time to crack
guesses per second
|Password||rQlg+87d||8 characters||Upper case, lower case, number, punctuation mark – very difficult to remember||3 hours||4 months|
|Passphrase||bleeker adams run guitar||24 characters||Lower case, space – easy to remember||centuries||centuries|
Checking password strength
Many online subscription forms include a password strength checker. As the user inputs a password, the form gives feedback as an indication of the strength of the password. This feedback is sometimes expressed as weak, medium, or strong. While useful for determining if the minimum number and type of characters have been met, feedback from a simple password input form can be deceiving. In addition to checking for conformance with the prescribed number and type of characters, a password checker should also compare the password against various dictionaries and test it for specific password creation strategies. These additional tests should include the following:
- Test against a blacklist of compromised values
- Test against common password dictionaries
- Test against name dictionaries
- Perform a substitution attack, replacing letters and numbers with symbols
- Check for character sequences, such as 12345 or efghi
Online password testing sites that students can consider using include the following:
Be sure to consider the trustworthiness of any site before submitting actual password information. Password strength checker sites should not transmit your password to their server. The website should test only in your browser.
One of the most common warnings from security researchers is never to reuse a password.
This is sound advice. Credential stuffing is a type of cyberattack where stolen account credentials allow a hacker to gain unauthorized access and take over a user account. It is common practice for hackers to compare user name and password combinations purchased on the dark web against a myriad of popular sites and applications. Hackers do this with the express hope that the user has reused a password on multiple sites.
The website CSO reported that “Over a 17-month period, from November 2017 through the end of March 2019, security and content delivery company Akamai detected 55 billion credential stuffing attacks across dozens of verticals.” CSO noted that while hackers target some industries more than others, none are immune to this threat.
Students today can easily have dozens, if not hundreds, of password-protected accounts. Trying to remember a unique password for each account is virtually impossible. The inability to remember hundreds of passwords is what forces people to reuse the same password over and over. There is a better solution.
A better solution for keeping track of all the passwords needed to interact in contemporary society is a password manager. A password manager is a software program that keeps many passwords in a secure digital location. By encrypting the password storage, the password manager offers users the ability to memorize only a single master password for accessing all of their different passwords used for various websites or services.
Often called a password vault, password managers can usually generate secure passwords, as well. Many have a free version for users with limited needs. Some password managers to consider using include the following:
Student cybersecurity essentials
There are online safety precautions that students should adhere to in addition to using a password manager to store strong passphrases and using multi-factor authentication. Cyberthreats engineered to defraud students are becoming ever more sophisticated. Knowledge of these threats, how to detect them, and how to avoid them are essential components of any back-to-school plan.
Social engineering scams directed against students frequently use social media platforms as the delivery method. These scams use the social nature of students against them and are likely to include ruse romance ploys. Online dating sites are especially vulnerable to this type of scam.
The rules to stay protected from social engineering are simple. Never trust that someone is who they say they are online. Never agree to meet in real life unless accompanied by a trusted person and in a safe public environment. Never reveal personally identifiable information such as full name, address, phone number, or class schedule to someone who is not known in person.
Students be warned. Spam will come, and it will come in torrents. Offers for credit cards, loans, cell phones, and every other conceivable convenience will fill a student’s inbox.
Students must learn to be quick to use email blocking strategies. Most email providers offer this functionality. Students must learn how to use it for their particular service provider and use it often. The offers inevitably appear enticing. Believe the old adage, “If it sounds too good to be true, it probably is.” Never make a significant decision without sleeping on it first and don’t purchase anything that you weren’t searching for when the opportunity presents itself.
Adware is malicious software that automatically displays or downloads advertising material. Adware is often inadvertently downloaded when installing freeware or shareware programs. This advertising material often presents as pop-ups or a window that the user can not close.
While most adware is more of a nuisance than a harmful menace, it can also be a precursor to more ominous threats to come. Purveyors of adware rarely have any qualms about gathering and then selling information gleaned from the victim’s computer.
A Trojan Horse, or just a Trojan, is a type of malware that is often disguised as legitimate software. The term Trojan is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy. Cybercriminals employ Trojans to gain access to a user’s system, often to take control of the victim’s computer.
Particularly malicious, Trojans are typically downloaded as the result of social engineering of some type. Clicking on an unknown link in an email or downloading a document or image from an unknown source are common ploys used to distribute Trojans.
Some Trojans are designed to steal and then upload passwords found on the victim’s machine. Alternately, some are designed to enlist the victim’s machine as a bot.
Unlike adware and Trojan viruses, worms are distinct in that they do not require an active host program or an already-infected and active operating system to run. Worms are stand-alone programs that can self-replicate. Worms are specifically designed to spread throughout a network, infecting machines along the way.
Students should exercise care when connecting to unknown networks and using file-sharing services. College and university networks typically run advanced security software capable of finding and eliminating worms and other malicious software. Should a student detect the presence of this type of software on their system, they should alert systems administrators for all networks they use.
There are many brands of computer security products that are suitable for students. Popular brands include:
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers. Suspecting that students may not have the life experience necessary to differentiate a phishing email from a legitimate one, hackers have been known to target young people.
Some tips for recognizing phishing scams are as follows:
- Emails that were written as if the sender is familiar with the receiver but included a generic greeting should be considered suspicious.
- Phishing emails are typically sent in large batches. Look for signs that the email was sent to a large number of recipients.
- Links in the email may not direct the user to the purported destination. Hovering the computer’s cursor over the link can sometimes reveal the actual internet destination of the link.
- The sender’s email address may look legitimate, but on closer examination is found to be fraudulent. Watch for purposefully disguised sender email addresses. The fraudster may use names that should be in the domain portion of the address in the username portion of the address in an attempt to make it appear legitimate.
- Phishing emails often request personal information from the receiver.
- Phishing emails frequently convey a sense of urgency for the receiver to act immediately.
In Q4 2019, KnowBe4 examined tens of thousands of email subject lines from simulated phishing tests. The organization also reviewed ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT departments as suspicious. The results are below.
Top 10 General Email Subjects
- Change of password required immediately (26%)
- Microsoft/Office 365: De-activation of email in process (14%)
- Password check required immediately (13%)
- HR: Employees raises (8%)
- Dropbox: Document shared with you (8%)
- IT: Scheduled server maintenance – no internet access (7%)
- Office 365: Change your password immediately (6%)
- Avertissement des RH au sujet de l’usage des ordinateurs personnels (6%)
- Airbnb: New device login (6%)
- Slack: Password reset for account (6%)
If a student suspects they have received a phishing email, they should delete it without clicking on any links contained in the email and without responding.
In all cases, whether a phishing scam is suspected or not, URLs found in an email should be manually typed into the browser rather than clicking on a link. As an example, if a student receives what appears to be a legitimate email from their bank requesting that the student visits the bank’s website, the student should manually type the bank’s actual and known website address into their browser without clicking the link in the email.
Protect your device
No matter if a student favors a smartphone, tablet, laptop, or desktop, they should adhere to certain precautions to protect their devices. Few situations are as apt to derail a student’s ability to focus on their academic pursuits, as is a significant security event. A breach of personally identifiable information can cause crippling financial loss. Lost, damaged, or copied research can thwart academic goals.
Device protection precautions to be rigorously embraced include:
- Password protect all devices. Each device should have a unique password. Just as with account passwords, reusing device passwords increases the risk that if the password is revealed or discovered, all devices sharing that password are rendered vulnerable.
- Never share device passwords. Students are inclined to share devices with friends and fellow students. They should avoid device sharing, if possible. If sharing, take the time to log into the device, keeping the password secret, rather than just sharing the password.
- Investigate apps before downloading. A few minutes investigating an app to see if others have had success with it can help avoid downloading a malicious bit of code. Check reviews and look for apps from reputable developers.
- Avoid clicking on suspicious links. While it is more convenient to click a link rather than type in a URL, never click a link unless it is known to be accurate and legitimate. The extra time and effort will be well worth it in the long run if a virus or other malware is avoided.
- Keep software updated. Software updates often include new security features. As vulnerabilities are detected, software developers make patches available in the form of software updates. Outdated software is a hacker’s fantasy.
- Avoid open WiFi networks. While free and open WiFi networks offer convenience, they also provide bad actors a pathway into your device. Hackers are known to set up rogue open networks luring unsuspecting users to connect to what they thought was an open public network. Man-in-the-middle attacks, malware distribution, and snooping are just a few of the dangers associated with using open WiFi networks.
- Regularly back up important data. Mistakes are made, and bad things can happen. Backing up data can significantly reduce the adverse effects of a data breach.
Being a student brings its own set of stresses and challenges. Taking the time to learn and apply basic rules of cybersecurity helps to avoid a device breach and data loss. There are always risks associated with living in a connected world. Still, common sense and attention to details can reduce the chance of becoming a victim.
Important rules to remember include, use long passphrases, activate two-factor authentication, do not share passwords, keep software updated, always run antivirus and firewall applications, and learn to identify phishing scams.