Cybercriminals see education as an amazing resource. But they’re not taking classes or gaining qualifications – they target universities and other educational institutions for the wealth of personal information they hold.

In Episode 5 of our series hacker:HUNTER Behind the Screens, The Backdoor into Campus, Royal Holloway, University of London cybersecurity experts talk about the challenges they face keeping students and staff safe from identity theft.

How are educational institutions attacked?

Educational institutions often have large numbers of people using their systems, including staff, students and visitors. The institutions use these systems to offer many kinds of services.

Mike Johnson is Chief Information Officer at Royal Holloway, University of London. He describes a major security incident at his institution. “A staff member’s credentials were stolen and used to send convincing offers of part-time work to students. Some students undertook the work and were paid. But they were overpaid, then asked to return some of the money. It was money laundering on a significant scale.”

Why is identity theft so compelling for cybercriminals?

Just one stolen identity is enough to conduct a lot of crime. In the digital age, if you know enough about someone, you can impersonate them to access money or commit other crimes, leading law enforcement to the wrong person.

“Commonly we find those who try to attack us are looking to harvest identities,” says Johnson. “When they’ve got them, they’ll try to harvest more, until they’re sure they can attack us in the way they want to.”

How can educational institutions prevent identity theft?

It’s all about authentication, says Keith Martin, Professor of Information Security at Royal Holloway, University of London: knowing that the person trying to access your online spaces is the right person. He uses real-world situations to explain. “Imagine a front door. Whoever’s got the key can open it. To breach that, you need to get hold of the key. Entering a country is more high security. The person at border control not only looks at credentials – a passport – but also at the person submitting it.”

Professor Martin continues, “In cyberspace it’s a bigger problem, because we can’t see who’s asking for access. The most popular authentication is a password, but they’re like keys – easily copied or stolen. So we need to use the passport model – asking for multiple things to gain access.”

It’s called multi-factor authentication. Those who want to gain access need more than a password: for example, a code sent by SMS, or biometrics like a fingerprint.

Noushin Shabab, senior security researcher at Kaspersky, recommends that, for the greatest security, multi-factor authentication combine biometrics like facial recognition with another credential.

Developing ‘cyber common sense’ in education

Professor Martin says the most important thing anyone can do is develop ‘cyber common sense.’ “Just hesitate before doing anything in cyberspace – if you’re sent a link or a message asking for information, just hesitate, and ask, why do they want this?”

Johnson feels education institutes are the perfect places to learn cybersecurity awareness. “We’ve got to be willing to have a conversation with students about digital security and what protecting their identities means. Fundamentally, we’re educators – we’re well placed to help people operate in an environment they’ll operate in for a long time.”

