Learning good cybersecurity habits is as important to your college experience as the groups you join or the classes your take. Computer viruses can delete your term paper, hackers can hijack your Facebook account, cyberthieves can steal your identity, and vengeful exes can ruin your reputation. These are real consequences of cybercrime—they can happen to anyone from 8 to 80.
Cybersecurity Myths 101
Lies, half-truths, and distortions around cybersecurity are as plentiful as cat videos on YouTube. Let’s debunk them first before drilling down to the truth.
“The IT department takes care of cybersecurity.” — mostly false
Yes, the IT guy keeps the network from crashing, thwarts hack attacks, and counters data breaches. But cybersecurity is everyone’s responsibility—simply because it’s also everyone’s problem. Computer viruses work like real biological diseases. If your device gets sick, chances are it’ll infect others.
“I can just unplug from the internet.” — mostly false
Let’s be honest, it’s impossible to disconnect from the internet and still graduate. You might try the “air gap” approach by disconnecting from Wi-Fi when you’re not online. But this actually makes you less safe over time. You’re devices need updates to their operating systems, apps, and antivirus software to keep them secure. They can’t update if they’re not connected to the internet. By unplugging, you create update lag times when your devices are more vulnerable to cyberattacks.
“I don’t have anything worth stealing.” — uber false
You’re social security number alone is worth loads of cash to a hacker who can sell it on the dark web to identity thieves. These nefarious digital ninjas can use your stolen personal credentials to apply for a new credit card or banking account in your name.
Hackers can also use your personal data to extort money from you. Consider that online video game character that’s taken you four years to perfect. How much would you pay to not to have them turn to digital vapor? The more emotionally connected you are to your data, the more valuable it is to a cyberthief.
“Cybercrime is all about making money.” — super duper false
Yes, making money motivates many hackers, but many do it for other reasons. Hackers with an anarchist bent just want to watch the chaos erupt when the electrical grid goes down. Those with political agendas hack elections or campaign emails. Still others, like “ethical hackers” fight against government overreach, corporate greed, or attempts to stifle freedom of speech.
There are probably as many motivations for hacking as there are hackers. Getting rich is only one part of the equation.
Protecting your devices
You’re at the campus library alone. It’s late, and two double Americanos haven’t kept your eyes from glazing over. You’re exhausted from trying to BS your way through the last three hundred words of your English 1113 essay.
Now, all that java is making its way through you. The “Call of Nature” screams out. You look at your laptop. It looks back at you. “You’re not thinking about leaving me alone are you? [blink, blink]” it seems to ask.
You spy a sketchy-looking lurker in the corner of the room. Your legs involuntarily cross as the pressure builds. It’s decision time…
Every year an average of 11,000 robberies and burglaries occur on college campuses. And that’s just the ones that are reported reported.
However, brazen thievery is only one physical cybersecurity threat. Students also lose their devices. A sizeable number of student phones never make it home from the house party or sporting event. All it takes is the wrong person finding your device to make identity theft part of your college experience. And don’t count on your iPhone’s passcode saving your data. It’s much easier to guess than you think.
But enough with the scare tactics. Here are some things to do before and after you lose your devices. (And if you’re reading this in the bathroom, don’t leave your phone sitting on the TP dispenser.)
Back it up
First things first. Back up the data you can’t live without on a external hard drive. Backups protect you against file corruption, ransomware, and beer spills.
Lock it up
Physical protection takes physical solutions. Laptop locks are inexpensive and work well. Just like bicycle locks, laptop locks let your attach your precious hardware to something sturdy while it’s out of sight. You can also use a locked security box in your dorm room, especially if you’re not 100% about your roommate.
Track it down
If physical restraints aren’t your thing, try a digital tether like laptop or phone tracking software. These apps will let you track your device if it’s stolen. Some even allow you to remotely lock down your device or erase sensitive data before thieves can get to it.
Register your electronic devices with your campus police. If a security officer finds your lost or stolen tablet, it’s more likely to find its way back to you if the police already have your name, address, phone number and the tablet’s serial number. Registration also makes filing a police report easier. Find directions for registering your devices on your school’s website.
Protecting Your Data
Now that you’ve secured your physical devices, let’s talk about protecting your data. We’ll replace your dark web surfing and bad device disposal habits with data-saving, cybersecurity best practices.
Think about your password right now. Got it? Now, check to see if it appears on last year’s Top 25 most common passwords…
Welcome back. Well, was it on there? If it was, hopefully you realize how simple it would be for a hacker to access your data or social media accounts. Passwords like “123456” and “passw0rd” are so easy to guess, you might as well tattoo them on your forehead.
What’s even more sobering is that those 25 “passwords” make up more than 10% of all of the passwords created! Let that sink in for a moment: one in every ten people use words like “princess” and “football” to block access to their most private information. If you’re a cyberthief, that’s a awesome stat. If you’re a victim of data theft, not so cool.
Hopefully, when asked to remember your password, you thought, “Which one?”. If so, good for you. Many people use only one password for all of their accounts, which, if guessed, opens the door to their social media accounts, bank accounts, email accounts. Create different passwords for every important account, and make them strong. Here’s how:
There’s a simple reason why people use only one bad password. It’s because remembering is hard. Password managers can be your virtual memory. With one master password, you can access, create, and store strong passwords for an infinite number of accounts.
Most password managers let you automatically log into a website, so you don’t even need to type out your username and password. This protects you from “keyloggers”, a form of malware records your keystrokes for hackers to see. Download a free version of a password manager and kick “qwerty” to the curb.
If password managers aren’t your jam, at least make sure the passwords you have are hard for hackers to heist. Here are some tips for creating strong passwords.
- Uniqueness. Good passwords have the same traits you want in a significant other: strength, uniqueness, and unpredictability—a good sense of humor doesn’t hurt either.
- 8’s Enough. The powers that be suggest passwords be at least eight characters long, but longer is better.
- $p3c!^L Characters. Capital letters and special character substitutions are required parts of a strong password. But don’t use common substitutions like $ for S or ! for 1. We all do that. It’s too predictable. Be un~que.
- A.C.R.O.N.Y.M.S. You can substantially increase the length and memorability of your passwords if you build them from acronyms. First, choose a phrase that describes something only you would know: “Before I die I want to sing in front of a crowd.” Next, build your acronym: bidiwtsifoac. Finally, add a few uncommon subs and caps. b3dIwtsif#ac. Now, you’ve got a long password that’s easy to remember.
Did you know the President always carries a plastic card that contains the nuclear launch codes? A new one arrives each day. Somehow, it got the nickname “the biscuit.” Each card also contains fake codes, and the President must memorize which ones are the real launch codes. The reason: so he or she can prove they’re the real President of the United States.
This is an example of two-factor authentication (TFA), which you can also use to prevent data thieves from impersonating you and launching your data toward other countries. TFA requires two factors of information: what you have and what you know.
When you sign onto a social media site with your username and password (i.e. what you know), the site texts your phone an authentication code (i.e. what you have). Steam asks, “Is it really you?”, and, by entering the code sent to your phone, you say, “Yes, it is”.
For a cyberthief to sign into your account, they would need your credentials AND your phone—maybe not as hard as impersonating the President, but still a pretty tough trick to pull off.
You just got back to your dorm room after a long morning of tests. You open your laptop to catch up on social media. A few rooms over, a hacker stares at the phony Facebook login page he’s created. He’s been intercepting all of your floor’s internet traffic for two hours now.
You open your browser and go to Facebook. The hacker now watches the forms fill up—his keylogging software recording your every keystroke. You hit enter, but nothing happens.
Frustrated, you refresh the page. Now, the real Facebook page appears and you try again. Success! After a few minutes of scrolling through your feed, you’re suddenly kicked out of your own account.
Public WiFi hotspots are great. They’re free, don’t require a password, and keep your mobile data plan from exploding. But there’s a data security cost to connecting to them. Whether it’s the coffee shop across the street or your own dorm room, public WiFi spots can house hackers who want to steal your data or invade your privacy.
Hackers use open networks to launch man-in-the-middle attacks, so called because they position the cyberthief between you and the network’s router. From this position, cyberthieves can create fake login pages to steal your credentials or capture the data sent from your device.
You can protect against man-in-the-middle attacks by getting a virtual private network or VPN. A VPN routes your internet traffic through smaller, private networks. It also encrypts your data and hides your location. When you’re surfing public networks, data encryption makes your private info useless to cyberthieves even if they’re able to intercept it.
If you’re planning an overseas visit for study or fun, consider getting a VPN for extra security. No one checking their Facebook should have to worry about account theft.
Torrents of trouble
When you illegally torrent Black Panther for the watch party tonight, you’re risking more than just a copyright troll sending you a nasty letter. You’re also putting your data and devices at risk from malware infection. One study showed you’re 28 times more likely to get malware downloading from content theft sites than from licensed content providers.
Torrents are peer-to-peer networks that let you download small parts of a file from many different users. As a result, everyone else can see your IP address. When hackers aren’t offering malware-infested media for download, they’re trolling these IP addresses for vulnerable devices.
To torrent safely and legally, download only from sites that offer public domain or user-generated content. VPN data encryption also helps protect you while torrenting, but here are a few things to keep in mind.
- Connection reliability can vary depending on the VPN.
- If the VPN encounters a problem during download, it will default to your regular ISP and leave your data unencrypted. Make sure your VPN has a “kill switch” feature to stop the download if this happens.
- Netflix and Hulu don’t allow you to stream their content with all VPNs, but some have permission.
Protect your data. Destroy it.
So grandma came through on your birthday and you’ve got some cash for a new phone. But what about that old brick of yours? You could keep it as a backup, sell it on Craigslist, trade it in or make it a hand-me-down for your little sister.
Whatever you choose to do, wipe everything first. That includes those embarrassing selfies and that checking account number you added as a “contact”. Factory resetting your devices keeps your data out of the greedy clutches of cyberthieves—and your little sister’s. Follow these tips:
- Back up your data to the cloud or external drive.
- Remove or erase any storage devices. Don’t sell your laptop with a DVD or SD card still inside. That goes for your SIM card too.
- Follow the steps for resetting your phone to factory settings. For Android phones, encrypt your data before resetting. Cyberthieves can still get to some data even after a factory reset.
- Double-check that your data is gone. Look through your contacts, voicemails, and downloads folder.
- Before selling, consider a recycling and donation program from your phone manufacturer.
- Update your serial number and registration information with campus police.
If you opt for destroying your device to keep your data safe, at least do it right, and that doesn’t mean throwing it off the Student Union. Remember the mantra: “Data is hard to destroy,” and repeat it every time you swing the hammer.
The same rules for digital data destruction go for analog too. Invest in a paper shredder and run your old receipts, credit card offers, insurance forms, bank statements, doctor bills, and old credit cards through it. Cyberthieves aren’t above digging through the dorm dumpster.
Protecting your identity
In February 2013, Ohio resident Amy Krebs got a call from her credit company saying someone was applying for a credit card in her name. Amy explained it wasn’t her, hung up, assuming someone had stolen her card and “gone out to eat.” What Amy didn’t know was that the call was only the beginning of a two-year long nightmare to prove her own identity to the world.
In six months, an identity thief used Amy’s Social Security number, birthday, and former addresses to open more than 50 accounts. Many were for purchases, some for utilities, and some even for doctor’s visits. Amy soon realized her credit report was wrecked. It would take many months of phone calls and emails to lenders, filling out government forms, and some of her own sleuthing before Amy could get things back to a new normal.
“When you are a victim of identity theft,” she explains, “you are put in the position of having to prove who you are to a greater extent than the criminal had to to get goods and services.”
In 2013, victims like Amy were created every two minutes. Today, identity fraud and theft continues to ruin the credit scores and identities of millions of people every year — 1.3 million in 2016. Before diving into how to protect yourself, let’s look at some concepts you need to know.
Fraud vs. identity
Identity fraud is when someone steals your credit card and buys a $2,000 big screen with it. You see the TV on your credit bill, call the company and say, “Hey, I didn’t buy that!”. After proving you’re the victim of fraud, you’ll probably be charged $50 — the liability limit of most credit card companies.
Identity theft is when someone uses your SSN, DOB, and other personal info to get a new credit card, get an ID, or file taxes all in your name. In short, they’re creating another you, not just using the existing you. The liability limit doesn’t exist for identity theft. If the thief had bought the TV with an new credit card in your name, you’d likely be on the hook for the entire two grand. If given the choice, you want to be defrauded not thefted, but both suck.
Phishing attacks are how cyberthieves get you to hand over your personal information voluntarily. That’s right. No hacking needed, just a few social engineering tricks. Here’s a common phishing email tactic:
You receive an email from your bank that says, “Attention needed: You’re account is overdrawn. Please sign into account and resolve the issue or your account will be closed.” After several minutes of hyperventilating, you click the link to find out what’s going on. You’re now at your bank’s website and you sign in. There’s a problem. Despite looking official, that email wasn’t from your bank and you didn’t just sign into the website. Instead, you just gave your account credentials to a cyberthief. You can start hyperventilating again.
How did this happen? Because in all of the fear and excitement, you hyper-focused on the consequences of the message and not the message itself. For example, you may not have noticed that “You’re” and “over-drawn” are misspelled. Bad spelling and grammar are two signs you’ve got a phishing email on your hands. Here are some others:
- Suspicious links. Don’t ever sign into your accounts by following a link in an email. Your bank will never ask you to do that. Before clicking any email link, check to see if it’s taking you to the right URL. Hover your cursor over the link and check the lower left-hand corner of your browser to see the address. If they’re different, be extremely cautious. To check a URL on a smartphone, long press the link and a window will open to reveal the address.
- Bad logos. If you suspect a phishing email, go over the company’s branding. Do the logos look legit? Are they bad quality versions? Does the font match? Pro Tip: Screen capture authentic emails from your account holders so you can compare them to suspected phishing emails later.
- Body image. To bypass spam filters, cyberthieves make the body of their phishing emails from images rather than text files.
- Tough tone. Just like in the above example, phishing emails often use threatening tones to scare their victims.
Cyberthieves don’t just phish with email. They use websites as bait, too. One common website scam is to buy a domain name similar to a popular one so you can trick people into visiting it. (Example: reddit.com and reddit.co). If you’re not sure an email or website represents a legitimate online company, look up its email sender score.
What kind of consumer are you?
Identity thieves target some consumers more than others. Know what kind of consumer your are and adjust your habits to lessen your risk of identity theft or fraud.
- Offline consumers don’t go on Facebook or Twitter, and they don’t buy things online . It’s hard to steal their identity, but when you do, they don’t notice it for a long time. That means there’s more damage done to their credit scores.
- Social consumers are people who are very active on social media, but never buy online. Identity thieves love them because they over-post personal info and are highly susceptible to phishing and other social engineering tricks. These consumers are 46% more likely to have their credit card account taken over.
- E-commerce consumers spend a lot of money online. They share their credit card info with e-com stores. Although they’re at higher risk for credit card fraud, they detect it quicker than other consumer types.
- Digitally-connected consumers are a mashup of social and e-com consumers. They’re on social media and they shop online, which puts them 36% higher risk of fraud.
These consumer types show that specific online activities, like oversharing information on social media and account inattention, raise the risks for and damages from fraud and identity theft.
Don’t overshare on social media
Of course, everyone wants to see adorable pics of your dachshund, Bark Obama, wearing a hot dog costume, but you might want to keep his name out of the post. Personal information like your first dog’s name are common security questions for your financial accounts. Check your account’s privacy settings to make sure your profile is visible only to friends and people you trust
Be careful what sites you “like” or “favorite”. If you like a specific bank or credit card company, a cybercriminal can use that information to send you a phishing email from that institution.
Also, be skeptical of online quizzes. Yes, it’s tough to resist the call of the “What type of Nutella lover are you?” quiz, but taking it may land you on a phishing site or get you to reveal sensitive information. Before sharing any personal information, think about how others could misuse it.
Monitor your accounts
Identity thieves make a living from people who don’t check their accounts regularly. Sign up for regular alerts from your credit card company or bank. These companies will alert you to suspicious activities, like large cash or out of state purchases, via text or email.
Your credit report needs watching, too. The three major credit reporting agencies are Equifax, Experian, and TransUnion. Federal law requires each of these reporting agencies to give you a free credit report upon request once per year. AnnualCreditReport.com is the only authorized website to get free credit reports. Pro tip: Request a report from all three agencies throughout the year—Equifax in January, Experian in May, and TransUnion in August. That way, you can get a free report every four months. Boom! Working the system.
If you suspect identity theft or fraud, lock or freeze your credit report. Both will make it impossible for anyone to open a credit card, apply for a loan, or get a mortgage using your identity.
Protecting your reputation
Just like cyberthieves, cyberbullies and online con artists can steal your reputation and peace of mind — which is more valuable than your credit score. Playground name calling and verbal abuse have moved online to social media and text messages. Internet trolls or ex-girlfriends can do permanent damage to someone’s reputation. The embarrassing pics or videos never go away. Cruel tweets are screen captured and shared. The damage goes on and on. Here are some common online threats and ways to deal with them.
Cyberbullying isn’t just a middle and high school issue. It carries over into college. Research shows that 22% of undergraduate students reported being cyberbullied.
The best way to prevent cyberbullying is to follow the cybersecurity guidelines above. Protect your passwords, set your social media accounts to private, and don’t share anything online you wouldn’t want to see become an internet meme. If you’re the victim of cyberbullying, here are some guidelines:
- Don’t retaliate. That’s exactly what the cyberbully wants. Take away that part of their motivation.
- Ask for help. You’re not alone. Reach out to your school’s student services, counseling center, or campus police. They can help you report the abuse.
Know the law. Most states have laws on the books for prosecuting cyberbullies. Know them.
- Record every incident and when it happens. Screenshot harmful posts or content. When you keep a consistent record, it helps prove the cyberbullying is a pattern of behavior.
- Block the bully. Use all of the services available on your phone or apps to block the person. It may not solve the problem completely, but you will be less tempted to retaliate, and it will lower your stress levels.
You don’t need to be a victim to act. If you see anyone being cyberbullied, take action. Give them this guide, encourage them to report the abuse, and help them stay positive.
Have you got the Friday night blues? Is finding a date in college a little harder than you thought? If so, you may be considering joining the online dating scene. But before you swipe right on your new long distance relationship with “Tanya32,” consider that the FTC gets thousands of complaints every year concerning “romance scammers.” And dating scams reports have tripled over the last five years.
Yes, Tanya32 may actually be a 35-year-old Russian male with a goatee who’s less interested in “going to the gun show” than going to the ATM. And if you’re not careful, “she” may talk you into sending her money before you actually meet. Here are some signs you’re being sucked into an online dating scam:
- Your online other professes their love for you a little too soon. Real love is a marathon, not a sprint. Don’t fall for it.
- Says she’s from the U.S. but is currently “overseas”.
- Plans to come for a visit, but can’t because of an emergency.
- Asks for money to pay for the “emergency”.
Don’t be fooled by these flimsy attempts to make a long distance love connection. Slow your roll. Don’t wire money, and if you already have, [facepalm] contact your bank ASAP. You can also file a report to the FTC and the FBI.
There’s really no reason to ever text images of your naughty bits or explicit descriptions of said bits to anyone else. Maybe if you had a fishing accident and needed medical advice it would be okay to text the ER a pic of the affected area. Otherwise, just don’t do it. Those explicit images and messages may eventually find their way to a wider audience.
If you receive explicit text messages of someone’s private parts or nude photos, don’t pass them on to others. If that person is under the age of 18, you could be charged with distributing child pornography. People motivated by money or revenge resort to “revenge porn” tactics or sextortion to get what they want. Don’t encourage or aid that activity by sharing the evidence. Delete any nude photos immediately from your phone and the cloud. Then block the sender.
You don’t need to become a conspiracy theorist or super distrustful of people to practice good cybersecurity. It’s true that most people are honest. But you do need to change your attitude about your data and your online habits. It’s easy to forget how people can misuse what is otherwise just innocent information about yourself, but it’s a fact of life with the internet. That’s why it’s best to start building good habits right now. In college, you’re already open to new experiences and discovering who you are. Don’t let a cyberthief ruin your newly-formed identity by handing it over to them.
Cybersecurity: 5 things to do before the day is done
Update your OS
Your operating system is the James Bond of your devices. That’s why cybercriminals want to kidnap it, tie it to a chair, and torture it until it gives up your data. Hackers target out-of-date operating systems because their security is weaker — they lack the latest security patches and virus signatures to defeat spyware, ransomware, and even dinnerware! Can’t remember to update? Just set your OS to update automatically and you’ll never have to.
Create timeouts and login screens for your devices
Like most college students today, you’re probably awash in a sea of digital screens. Each one is an access point to your private info, which is why you should set screen timeouts and logins for all your devices. Just as screen protectors guard your phone against breaks, screen logins guard it against break-ins. They keep prying eyes off your data when you’re distracted and make it harder for cyberthieves to hack.
Encrypt your data
Data encryption turns your personal data into an encoded message only you can read. Even if a hacker swipes your data or device, they can’t use the information because they don’t have the encoding key. Encryption software is easy to find. Choose one and use it to scramble your bank statements and those sext messages you can’t part with.
Back up your data
Yes, you should back up your data in case your hard drive croaks, but you also need backups for cybersecurity reasons. Hackers use ransomware to encrypt your data and hold it for ransom. Depending on the sensitivity of the data, you might be find yourself begging your roommate for a few hundred dollars to payoff a cyberthief who’s heisted your 2,000-word essay on George Washington Carver. But with your data backed up, you can save that cash for something more essential, like a house party.
Change your attitude about cybersecurity
It’s tempting to feel immune from cyberthieves. After all, you’re a college student. You don’t have anything worth stealing, right? Wrong. Consider these stats: 1.3 million people fall victim to identity theft every year, ransomware attacks in the US are up 250%, 22% of college students report being cyberbullied. Make surfing the internet as important as driving your car. Adopting a new attitude towards cybersecurity keeps your data, devices, and reputation safer.