Cyber Security Focus - 2. A Guide to Protecting Your Online Identity

OnlineIdentityYour online identity is at risk. In a world where we’re all spending more time online, we’re building increasingly comprehensive profiles of information on the web.

These days, you can Google almost anyone and find out what they look like, where they’re from, what they do for a living and more.

Unfortunately, just like your “offline” identity, your online presence is subject to threats.

The more fraudsters and scammers can find out about you online, the more exposed you are to problems like identity theft, theft, and more. In fact, around half of all fraud incidents in 2019 throughout the UK were cyber-related.

What is an Online Identity, and Why is it Important?

Simply put, your online identity is a series of data points related to who you are and what you do online. The information available about you in the digital world can range all the way from photos posted on social media, to email addresses, telephone numbers, and even bank details.

Every time you log onto a website with your email address, share something on Facebook, or fill out a form online, you’re submitting information about yourself to the web. This “digital identity” is quickly becoming a key target for criminals.

Learning how to protect your digital identity is important because we’re all spending more time online and sharing more information on the web. Younger people (the generations most active online) are seeing a rapid increase in the number of attacks they face on the web. In fact, people in their 20s and 30s are twice as likely than people 40 and over to report losing money online.

Younger adults who are more likely than other age groups to use mobile apps for payments, transfer money online, and manage their finances online are also 77% more likely than older people to lose money through email scams.

General Rules for Online Privacy and Safety

Protecting yourself from fraud, hackers, and cybercriminals means making your digital identity more difficult to access. This can seem like a huge task when you consider how much information most people share online every day, but the process can be simpler than it seems. All you need to do is start with some basic steps, such as:


  • Limiting the information, you share: Avoid sharing more information about yourself online than you absolutely need to. You don’t necessarily need to give your real name and address to sign up for an email newsletter, for instance.

  • Use stronger passwords: Choose strong, unique passwords to protect yourself against hackers. Your passwords should be unique, long, and not something someone can easily guess. Diceware is a great tool for generating random passwords if you’re struggling.

  • Never use the same password more than once: If a hacker guesses one of your passwords, and you’re using the same details on other applications, they can easily gain access to a wider number of accounts. Switch up your passwords, and use password managers if you have a hard time remembering everything.

  • Use multi-factor authentication: Multi-factor authentication requires you to enter a code sent to your email or phone number, or another form of authentication outside of a password to access vulnerable accounts. This reduces your risk of security breaches.

Protecting Your Identity on Social Media

Social media is one of the biggest sources of information hackers can access when collecting data on a potential target. These days, virtually anyone can find out a lot about who you are just by checking your Facebook or Instagram page. Think carefully about how you share content online.

Most social media channels will allow you to adjust your privacy settings, so your information is only available to people within your social circle. Make the most of this feature to lock strangers out of your digital identity. You could also consider using an alias or nickname instead of your real name.

When you’re finished using social media websites, log out of them or use private/incognito browsing to prevent hackers from tracking you around the web.

When you’re on social media, make sure you never share information like:


  • The name of your first school

  • Your mother’s maiden name

  • Information about when you’ll be in or out of town

  • Location data, like your address

  • Details of expensive new purchases

Staying Secure When Surfing the Web

When you’re surfing the web, you’re not just browsing online, you’re also leaving a trail of information wherever you go. Your browser automatically collects historical information and cookies as you surf. A good way to reduce the amount of data collected is to use an incognito or private browsing mode. Just remember, incognito mode will only stop browsers from saving information – it does not make your browsing anonymous.

If you want to browse more anonymously, a VPN can hide your location and stop your internet service provider (ISP) from seeing your web activity. However, many VPNs will still store your information, so you’ll need to ensure you trust the service.

When browsing the web, be cautious about the sites you visit. All of the websites you use should be protected with HTTPS.
This means the web pages are encrypted. When using this, ISPs and other third parties can see the web addresses you visit but they can’t see what you’re doing, or intercept data.

Make sure your website addresses begin with ‘HTTPS’. The browser extension: “HTTPS Everywhere” can ensure you always use HTTPS when possible.

Remember, fake websites are common too. While they might look like they belong to a legit company, they can steal data like login and payment details. Always double-check you’re using the correct web address for any company. Most browsers can tell you if there’s a problem with a site’s security or encryption, which is often a clue that the site is not genuine.

Protecting Your Emails

Finally, email is another area where your digital identity is at risk. Studies suggest 1 in every 99 emails is a phishing attack.

A good way to protect yourself is to silo your emails. Have one primary account you use for the most important things, like connecting with friends and banking. For other services, you can use disposable email addresses and secondary emails.

Not only will a secondary email add an extra layer of protection, but it can help to reduce the amount of spam in your inbox too.

It’s crucial to protect your email address because it’s usually the tool you’ll use to recover access to other accounts. Watch out for:


  • Scam emails: Scammers will often send emails that appear as though they’re from legitimate companies, like banks, payment services, and delivery companies. These can often contain files with viruses, or links to fake websites.

  • Requests for sensitive data: Legitimate companies will never ask for bank details, passwords, or other sensitive information over email.

  • Blackmail: Blackmail scams, where people claim to have information about you in order to convince you to send them money, are common.

While the online world can be a dangerous place, it’s important to remember there are plenty of ways to protect yourself with the right strategy. Use the steps above to keep your online identity secure.

Written in collaboration with Rebekah Carter, Contributor at Broadband.co.uk.

Photo by Cottonbro

Written by Broadband Genie on June 16, 2022 14:16

Cyber Security Focus - 1. Passwords and Beyond

security Awareness of the topic of cyber security is becoming more prevalent in the mainstream. Where it was once the fixation of computer scientists and engineers, lay people are increasingly beginning to understand the importance.

Most people will understand the potential problems of cyber criminals gaining access to things like their bank account and take appropriate precautions but many are still lax when it comes to cyber security in general.

There are some very clever pieces of software out there that ‘crack’ passwords or exploit weaknesses in the security of a Web service in order to access private data. But so much criminal activity is predicated ‘hacking the human’ - i.e. good old fashioned opportunism, and confidence tricks.

As an individual there is little you can do to influence the security systems of the services you use - other than to vote with your ‘cyber’ feet and refuse to use online services which don’t take security seriously. However, there is much an individual can do to minimise risk.

In this upcoming series of articles we will look at some of these related topics.

In the first article we’ll look at passwords and the move towards two or three factor authentication.

The use of passwords to access online services is nearly as old as the Web itself. Most services will ask for a username (often an email address) and password in order to grant access to the system. This is an example of ‘One-factor Authentication’ - it relies on asking something of the user that it is assumed the user (and only that user) and the system knows.
The system is based on the assumption that the user is keeping this bit of information safe. Therefore if the system asks the user for that bit of information and they offer that piece of information and it matches the information the system knows, then the user is assumed to be identified. In an ideal world there is nothing wrong with this system.

The inherent weakness occurs when that piece of information i.e. a password, is discovered by a malicious 3rd party.

There are three sources from which his information could be ‘stolen’
i) The system itself:
Despite what Hollywood movies may portray, this is actually harder than it seems (for a well maintained system)
ii) A second system:
This is where you use the same username/password combination on more than one service. Should one of those services be compromised, a simple hacker script will try those credentials on a list of other services to see if they can gain access. For instance, let's imagine you have an account on a simple local news sharing site. You access this using your email address and a password. Now let's say, the security is lacking somewhat and a criminal manages to get a list of emails and passwords for all the accounts on that system. There are 2.9 billion Facebook accounts, so it is a reasonable assumption that some of those people with accounts on the news Website also have a facebook account. It's a task of seconds to try the stolen list of email addresses and passwords against the Facebook login process. Anyone with an account of the news site who uses the same email address and password combination on Facebook, has now had their Facebook account hacked. What's worse is that Facebook can act as an authentication agent for other services - have you ever been to a Web service which offers the ability to 'Register or Log in with Facebook'? Thus we see that the simple mistake of duplicating a email and password combination on a venerable site has unlocked a whole raft of other accounts!
iii) The User themselves:
This is by far the most common way in which passwords are stolen. This could include leaving the password on a post-it note, maintaining a document or notebook with a list of passwords, sharing it with someone with compromised security, sending it or storing it in a non-secure place such as emailing or texting. You could also fall prey to some kind of deceit where you believe you are entering your details into a valid service, but it is actually a fake site which will collect your data. This is a form of ‘phishing’ which we will look at in a future blog in this series.

As mentioned above, there is little you can do personally about the first case, but the second two are well within the individual's control to guard against.

In the second case ‘compromising a second system’, the advice is simple.
NEVER USE THE SAME USERNAME AND PASSWORD FOR MORE THAN ONE SYSTEM.

This is even more important if you use that same password for your email.
Many systems will assume an email inbox to be secure. So for instance, if you forget your password and request a reset, most secure systems will email a link to the email address associated with your account to that email. You therefore need access to your email to confirm the reset request.

If you have used the same password for your email, not only can a criminal access your account for the compromised service, they can access your email and change passwords, thus locking you out. They can then request password resets of other services and confirm those, thus gaining access to countless other accounts.

To guard against the most common vulnerability - the user's own actions, you should take precautions to never share or document your password.

Sharing passwords to other staff members in a school is an all-too-common occurrence. We find that even though all our subscriptions allow the addition of extra staff accounts at no extra cost, many schools still circulate their account details to colleagues in order to access resources.

Of course, the real world issue is that people have countless accounts on a variety of Web based services and expecting people to have the ability to remember them all is a tall order.

One solution is to use a password manager. These are a secure method of storing your passwords against a specific username and web address which can be accessed through a single password. You may already have one of these if you, for instance, use Chrome as a browser and have a Google account or maybe you have activated the Keychain system built into Apple devices.

There are a number of third party password manager options - some of which are reviewed here.

A second approach may simply be to actively forget most passwords. Concentrate on remembering the passwords for the services you use often and forget the rest. Make sure you remember your email account password - and make sure it’s a good secure one.

Then for any service you log into infrequently, set up a complex password - the secure passwords suggested by your browser are a good bet. Then each time you want to access those sites, simply go through the password reset process - this will normally take you less than a minute.

For more tips on passwords see our article: How do you manage passwords with primary school children?

As we discussed earlier - a username/password combination is an example of One-factor or Single-Factor authentication. Given the inherent problems with this, many services are looking more to Two-factor or even Three-factor authentication.

Two-factor authentication - often written as 2FA:
If we think of Single-factor authentication as “Something the user knows” we can think of Two-factor authentication as Single-factor authentication with the addition of “something the user has”. This may be something like a fob that can generate a code based on a specific context. Think about the card reader you may use to confirm a transfer with your online banking. It could also be an app running on your phone or the phone itself - have you ever had a service send a text message with a confirmation code that you need to enter into a Web site before you may gain access? Paypal, for instance, uses this method.

Three-factor authentication (3FA):
This method builds on the previous two. Not only does it want evidence of ‘Knowledge’ (something the user knows) and ‘Possession’ (something the user has), it further requires ‘Inheritance’ - “Something the user is”. This is not just accessing authorisation based on access to specific credentials but also, who is actually trying to use the credential.

Third factor authentication credentials are all biometric, such as the user’s voice, hand configuration, a fingerprint, or a retina scan etc. We may be aware of smart phones or laptops which use fingerprint or facial recognition to unlock the device. This is the kind of tech that may be used in three-factor-authentication.

Strictly speaking it is only 3FA if these biometric methods are used in conjunction with the previous two factors. So although the unlocking of your phone with your fingerprint uses a biometric method, it is not necessarily in itself an example of 3FA.

We will see the higher factors of authentication used more and more often as the arms race between security systems and cyber criminals continues ever onward.

As ever, the advice remains the same. Be sensible, don’t fall into predictable patterns of password usage and don’t share your security credentials to other people or duplicate them across other services.

Written by Safeguarding Essentials on April 01, 2022 15:41

What’s going on with Facebook?

Facebook has been in the news quite a lot recently, there have been allegations, investigations and corporate reshuffles. In case you have missed things, or have lost track of the story, here are the main points:

Facebook started life in 2004 as a social network app aiming to connect students at Harvard College. The name Facebook referred to the student directories often given to American university students containing student details and a portrait photo - a literal book or faces.

From there it expanded first to use across other US universities and eventually to the general public.

Facebook was the name of the application itself but also of the company that owned and operated it.
Like many tech corporations, Facebook the company grew not just through gaining more users but also through the buying of other tech companies and acquiring their expertise, software, applications and services.
In fact Facebook has acquired in the region of 90 companies since its inception, the most recognisable perhaps being Instagram, WhatsApp and virtual reality company Oculus.
You can find a complete list here, if you are interested in digging further.

Often the technology acquired has been rolled into the main Facebook application, though some of the more stand-alone applications such as Instagram retained their own branding with a small addition that refereed to them being owned by Facebook.

While Facebook is a strong brand this all makes sense, but things are changing.

The corporation ‘Facebook’ recently announced it was renaming and rebranding to ‘Meta’.
There are many reasons for a corporation to rebrand, here are perhaps some of the things which have led to this particular decision

1. Falling adoption

The Facebook application has for some time had a problem attracting younger users, in fact the ‘ageing population’ of the Facebook user base is well documented. I’ll bet if you ask your pupils they’ll tell you Facebook is what their parents or even grandparents use, but it’s not really for them.
Younger people have traditionally been an important driver in the rate of adoption and use of new technologies and so maintaining the ‘Facebook’ branding may well put off younger users from new services if they associate the branding with the activities of their elders.
For this reason, it’s easy to omit Facebook from discussions on online safety within schools, but as we’ve stated, Facebook has its fingers in lots of pies, many of which are very popular with young people. Maybe the rebranding to ‘Meta’ opens up the possibility for discussion, especially when understanding the various applications and how they can share data between them.

Further reading

2. Controversy

Almost since the very start, Facebook has courted controversy. Early on these were often about business practices, intellectual property wrangles or the personal and business relationships of the most well-known founder and figurehead Mark Zuckerberg. However, there have also been a fair amount of accusations and legal actions around things which should concern us more from a safeguarding and online safety stand point.

There have been numerous privacy issues, including the leaking of data and the corporate use of personal data by third parties. The case of Cambridge Analytica and it’s use of the personal data of 87 million Facebook users in its political marketing activities is one of the more well-known incidents. You can read more about that here

In addition, accusations of corporate practices leading to psychological harm, societal instability, tax avoidance, advertising fraud and dissemination of harmful fake news among others have tarnished the Facebook brand.

Recently an internal report showed that the company itself was aware of the potential harm its Instagram service was doing to teenage girls in particular. One slide in the report received a great deal of attention as it appeared to confirm the company knew that one in three teenage girls who had already experienced body-image issues stated that using Instagram made them feel worse. Specifically, the use of filtered images, posting selfies and viewing content with hashtags affected their well-being.

With reference to this and other corporate practices, Facebook whistleblower Frances Haugen recently alleged the social media giant put profit before user safety while answering questions from a UK parliament Joint Committee.

In time it’s likely that the wealth generation aspects of the company will move further away from the Facebook application itself and more towards its other brands and applications and so it makes sense to disassociate these from the Facebook name.

Further reading

3. The Metaverse

In the glitzy event to announce the rebranding of the Facebook corporation to ‘Meta’, Mark Zuckerberg introduced his vision on the ‘Metaverse’ - a social network expanded with virtual reality, augmented reality and 3D spaces which “will let you socialize [sic], learn, collaborate and play in ways that go beyond what we can imagine”.

This ‘vision’ instantly had commentators likening the idea to the concept of the ‘OASIS’ from the novel and movie ‘Ready Player One’ and has led to some speculation, some wild and some more reasoned, as to the potential future of social networking. The premium fear being that Zuckerberg and his colleagues failed to comprehend the dystopian theme of the story which has highlighted the dangers of giving up real life, for an existence in a corporate controlled virtual existence.

The ‘metaverse’ concept is not new and like many of the ideas which have propelled Facebook to its position of one of the richest tech companies in the world, was not originated by Mark Zuckerberg or his colleagues. Indeed, platforms such as Secondlife, have been around since the beginning of the century, but there is something about the current level of reach and adoption of Facebook (now Meta), that suggests we might be in for a major leap in adoption.
Additionally, by naming the company ‘Meta’ the association or even allusion that it somehow ‘owns’ the metaverse is somewhat of a shrewd business move.

Further reading

As ever, it’s not really possible to discuss Facebook/Meta or indeed social networks in general and conclude with any certainty as to whether they are a net good or evil. One thing is for certain, there are definitely dangers and problems which we need to ensure people are aware of and we need to equip ourselves with the abilities to detect, understand and neutralise; be that privacy concerns, scams or psychological harms.

This article has sought merely to contextualise the current state of Facebook/Meta and we intend to do some deeper dives into some of the areas raised in subsequent articles.

Written by Safeguarding Essentials on December 01, 2021 17:57


Join Safeguarding Essentials

  • Protect your pupils
  • Support your teachers
  • Deliver outstanding practice

Recent Stories
Story Tags
2fa addiction anti_bullying_alliance #antibullyingweek anti-radicalisation apps ask.fm assembly avatars awards awareness bett Breck_Foundation bug bullying BYOD calendar cber_bullying #CEADay20 censorship ceop chatfoss checklist child child_exploitation childline childnet child_protection childwise christmas ClassDojo classroom competition cookies Covid, CPD creepshot CSE curriculum cyberbullying cyber_bullying cyber_crime cybersmile_foundation cybersurvey data_protection DCMS Demos development devices DfE digital_citizenship digital_footprint digital_forensics digital_leaders digital_literacy digital_native digital_reputation digital_wellbeing ecadets eCadets education e-learning emoticon e-safe esafety e-safety e-safety, e-safety_support esports #esscomp #esstips ethics events exa exploitation extreemism extremism extremism, facebook fake_news fantastict fapchat FAPZ film filtering freemium #Freetobe friendly_wifi gaming GDPR #GetSafeOnline glossary GoBubble gogadgetfree google governor grooming #GSODay2016 guidance hacker hacking health, holiday icon information innovation inspection instagram instragram internet internet_matters internet_of_things internet_safety into_film ipad iphone ipod irights IWF KCSIE #KeepMeSafe knife_crime language leetspeak lesson like linkedin live_streaming lscb malware media mental_health mobile momo monitor monitoring naace national_safeguarding_month navigation neknominate netiquette network news NHCAW nomophobia nspcc NWG ofcom offline ofsted omegle online online_identity online_safety oracle parents password phishing phone Point2Protect policy pornography power_for_good pressure PREVENT primary privacy professional_development protection PSHE PSHE, #pupilvoiceweek radicalisation ratting rdi relationships reporting research risk robots rocketlearn RSE RSPH safeguarding safeguarding, safer_internet_day safety SCD2015 #SCD2016 school screen_time sdfsdf security self-harm selfie sexting sextortion ShareAware sid SID SID2016 SID2017 SID2018 SID2019 SID2020 smartphone snapchat snappening social_media social_media, social_networking staff staff_training #standuptobullying statutory_guidance Stop_CSE stop_cyberbullying_day stress students survey swgfl SWGfL tablet teach teachers technology terrorism texting TikTok tootoot training TrainingSchoolz TrainingToolz trends troll trolling twitter UKCCIS uk_safer_internet_centre UK_youth unplug2015 video virus VPN webinar website wellbeing we_protect what_is_e-safety wifi wi-fi windows wizard working_together yik_yak young_people youthworks youtube YPSI yubo
Archive