Week in security with Tony Anscombe

How malware exploits security flaws in kernel drivers – Watch out for cryptocurrency scams – Why loyalty accounts are a target for criminals

In this edition of Week in security, Tony looks at these topics:

- ESET research into malware that exploits vulnerabilities in kernel drivers and how this type of exploitation can be thwarted
- Cryptocurrency scams and how to avoid becoming the next victim of fraud targeting not only people investing into bitcoin and other digital coins
- Why loyalty accounts are a target for cybercriminals and what you can do to keep your rewards safe

Connect with us on Facebook, Twitter, LinkedIn and Instagram.

Making loyalty pay: How to keep your loyalty rewards safe from scammers

Is loyalty fraud on your radar? Here’s why your hard-earned reward points and air miles may be easy pickings for cybercriminals.

Loyalty accounts are big business, and hackers and fraudsters are increasingly zeroing in on a potential goldmine. According to one study, the global market for loyalty management is set to grow at an annual growth rate of 12.3% over the coming seven years to reach nearly US$18 billion by 2028. And where there’s money and users, cybercrime inevitably follows.

From British beauty and health retailer Boots, Australia’s supermarket chain Woolworths, to multinational brands like Tesco and Dunkin Donuts, attacks on loyalty card programs are increasingly common. Social media is awash with stories from angry victims who have had their accounts drained.

@Morrisons I’ve had £175 of More points stolen as a result of my account being hacked, you won’t reimburse them and you’re blaming me. Two years saving them, are you for real??

— Matt Hughes (@matt_hughes89) June 10, 2019

In fact, there’s an estimated US$48 trillion of unspent loyalty points globally, so it’s no surprise these programs have become an increasingly popular target for cybercriminals over the years, with the COVID-19 pandemic further exacerbating the threat. If you’re a loyal spender, you should take extra precautions to protect your rewards accounts. It’s not just the points you’ll be guarding – the same applies to any sensitive personal information stored with them.

How popular are loyalty programs?

Oracle claims that around three-quarters (72%) of US millennials are either members of their favorite brand’s loyalty program or would join one. Such programs are a popular way to build closer ties with customers online at a time when loyalty is hard won but easily lost. They typically offer discounts and special deals, or even free goods, services and experiences for members who accrue enough points.

These could include:

- Free flights and hotel stays (e.g., air miles)
- Free or subsidised taxi rides (e.g., Uber)
- Free groceries

In return, the companies in question get highly valuable data to track customer purchasing and browsing behavior – with which they then improve their marketing and promotional efforts.

What are the bad guys doing?

There are essentially three potential vectors for loyalty card cyberthreats. On the one hand, brands could be defrauded by legitimate customers who try to game the system by, for example, opening multiple accounts. Another possible risk is of malicious employees at the firm who steal customer personally identifiable information (PII) and points. However, the biggest threat is from external attackers hijacking accounts to steal points, make purchases, transfer points and/or steal customer PII to sell on the cybercrime underground.

How do they do this?

- Phishing emails, texts, phone calls and messages designed to trick the user into handing over their account logins
- Credential stuffing attacks, which use previously breached passwords and usernames across other online accounts that share the same credentials
- Harvesting logins via fake mobile applications on third-party app stores

How bad is it?

There’s surprisingly little recent data detailing the scale of such attacks. However, loyalty card fraud increased 89% year-on-year in early 2020, according to one study. The same research estimates that direct and indirect losses from associated fraud reach around US$1 billion per year.

Separately, there were 100 billion credential stuffing attacks detected between July 2018 and July 2020, 63 billion of which were aimed at the retail, travel, and hospitality sectors. Hotel loyalty accounts can be sold on cybercrime forums for as much as US$850. Some entrepreneurial cybercriminals even operate shady ‘travel agencies’ which combine stolen credit cards and airline and hotel loyalty programs.

How can you protect loyalty points?

What can you do to protect your most important online accounts? It boils down to best practices around password management and awareness of phishing threats.

Here are our top seven tips:

- Use strong, unique passwords for each account and consider storing them in a password manager
- Switch on multi-factor authentication for all accounts that offer it. This will go a long way towards protecting your accounts from attackers
- Only install mobile apps from trusted sources
- Use scanning software to ensure apps are free of malware before downloading
- Deploy security software from a reputable provider on all devices
- Never click on links or open attachments in unsolicited emails/texts/social media messages
- If you’re going to log into a loyalty account, visit the site directly rather than following links

Loyalty and reward card schemes are a mainstay of modern marketing and customer engagement strategies. They’re also a well-established money-maker for cybercriminals and fraudsters. Taking a few best-practice steps can help to secure your account against this activity. Also, with trillions of dollars of unspent reward points languishing in these accounts, another good way to keep points out of the bad guys’ hands is to make sure you actually redeem your rewards.

Cryptocurrency scams: What to know and how to protect yourself

As you attempt to strike it rich in the digital gold rush, make sure you know how to recognize various schemes that want to part you from your digital coins

The world seems to have gone ‘crypto-mad’. Digital currencies like bitcoin, Monero, Ethereum and Dogecoin are all over the internet. Their soaring value promises big wins for investors (before the coins’ prices plunge, that is). And the “fortunes” to be made by mining for virtual money have echoes of gold rushes in the 1800s. Or at least, that’s what many, including a long list of scammers, will have you believe.

In reality, if you’re interested in cryptocurrency today, you’re quite possibly at a major risk for fraud. This is the new Wild West – a lawless, unregulated world where bad actors often have the upper hand. But normal rules for fraud prevention apply here too. Everything you read online should be carefully scrutinized and fact-checked. Don’t believe the hype and you’ll stand a great chance of staying safe.

Why are cryptocurrency scams on the rise?

Fraudsters are past masters at using current events and buzzy trends to trick their victims. And they don’t come much more “zeitgeist-y” than cryptocurrency. Media stories and social media posts are partly to blame, creating a feedback loop that only adds to the hysteria over virtual currencies. The result? Between October 2020 and May 2021, Americans lost an estimated $80m (€71m) to thousands of cryptocurrency scams, according to the FTC. In the UK, the figure is even higher: police claim that victims lost over £146m (€172m) in the first nine months of 2021.

Why are scams on the rise? Because:

- There are few if any regulations governing the cryptocurrency market for investors, versus the traditional stock market
- Huge media interest makes it a regular hook for phishing and scams
- Soaring cryptocurrency prices attract consumers dreaming of getting rich quick
- Social media helps to amplify the buzz, real or fictional
- There’s also the lure of mining coins for money which phishers can use as a hook

What are the most common cryptocurrency scams?

If you have virtual money safely stored in a cryptocurrency exchange, it may be at risk from hackers. On numerous occasions threat actors have successfully managed to extract funds from these businesses, sometimes making off with hundreds of millions. However, usually the breached companies will promise to recompense their blameless customers. Unfortunately, there are no such assurances for the victims of cryptocurrency fraud. Fall for a scam and you may be out-of-pocket for a lot of money.

It pays to understand what these scams look like. Here are some of the most common:

Ponzi schemes

This is a type of investment scam where victims are tricked into investing in a non-existent company or a “get rich quick scheme,” which in fact is doing nothing but lining the pocket of the fraudster. Cryptocurrency is ideal for this as fraudsters are always inventing new, unspecified ‘cutting edge’ technology to attract investors and generate larger virtual profits. Falsifying the data is easy when the currency is virtual anyway.

Pump and dump

Scammers encourage investors to buy shares in little-known cryptocurrency companies, based on false information. The share price subsequently rises and the fraudster sells their own shares, making a tidy profit and leaving the victim with worthless stocks.

Fake celebrity endorsements

Scammers hijack celebrity social media accounts or create fake ones, and encourage followers to invest in fake schemes like the ones above. In one ploy, some $2m was lost to scammers who even name-dropped Elon Musk into a Bitcoin address in order to make the ruse more trustworthy.

Seems like someone hacked Indian medical association’s twitter handle and is running a crypto giveaway scam posing as Elon Musk. @elonmusk #CryptoScam pic.twitter.com/fkCZHh1uOC

— Sidhartha Shukla (@sidcoins) January 2, 2022

Fake exchanges

Fraudsters send emails or post social media messages promising access to virtual cash stored in cryptocurrency exchanges. The only catch is the user must usually pay a small fee first. The exchange doesn’t exist and their money is lost forever.

Impostor apps

Cybercriminals spoof legitimate cryptocurrency apps and upload them to app stores. If you install one it could steal your personal and financial details or implant malware on your device. Others may trick users into paying for non-existent services, or try to steal logins for your cryptocurrency wallet.

Bogus press releases

Sometimes the scammers even manage to fool journalists, who republish fake information. This happened on two occasions when legitimate news sites wrote stories about big-name retailers preparing to accept certain cryptocurrencies. The fake press releases that these stories were based on were part of pump-and-dump schemes designed to make the fraudsters’ shares in the mentioned currencies more valuable.

Phishing/impersonation

Phishing is one of the most popular ways fraudsters operate. Emails, texts and social media messages are spoofed to appear as if sent from a legitimate, trusted source. Sometimes that “source” – for example, a credit card provider, bank or government official – requests payment for something in cryptocurrency. They’ll try to hurry you into acting without thinking.

How you can avoid falling victim

The best weapon to fight fraud is incredulity. Unfortunately, we live in an age when not everything we read online is true. And quite a lot of it is explicitly crafted to trick and harm us. With that in mind, try the following to avoid getting scammed:

- Never provide your personal details to an entity that makes unsolicited contact with you, via email, text, social media etc. It may even appear to be your friend, but in reality could be a hacker who has hijacked their email or social account. Check with them separately via another contact method
- If something is too good to be true it usually is. Treat any investment schemes with a heavy pinch of salt
- Switch on two-factor authentication for any cryptocurrency account you have
- Dismiss any investment ‘opportunity’ which requires an up-front payment
- Never use unofficial app stores
- Download anti-malware software

CES 2022: Wireless power for all

We don’t need no stinkin’ wall power – CES shows off the promise of usable long-range wireless charging

While wireless charging has been around for some time (like charging my iPhone in my Toyota’s center console), CES is showcasing real power at real distances measured in meters, not centimeters. At one booth I saw an infrared transmitter charging a few automatic blinds six meters away across the booth, and toy trains running around the place that had no power plugs at all: they are all charged wirelessly.

It’s not super-efficient (10% right now, but slated to get as high as 30% in the future), but with remote power applications (like LED lighting, game console controllers, etc.) consuming lower amounts of power, this technology can change how we wire – or don’t wire – gobs of stuff in the future. Also, you won’t need tons of batteries to replace every year. Wi-Charge, for example, figures a single transmitter can help to avoid replacing around 5,000 batteries over the lifespan of the unit. You’ll still have costs, but they figure it amounts to less than $3 per year to charge; smart locks and wireless IP security cameras would be even less. And you can get it right now … well, at least if you’re a large manufacturer. But it’s coming soon to you.

For security, though, this means an attacker could conceivably place lower power transmitters pointing around a location to rogue sensors slurping up information and keep them powered up and transmitting silently for amazing amounts of time. Since the power transmitters operate in the infrared spectrum, as long as there is line of sight between the sensors, you have an ad hoc network. And since the power transmitters sync with multiple endpoints needing power, it can be multiple sensors powered by a single base station. It’s still limited by distance, but the range will get better in the future, not worse.

At previous years’ CES we saw concepts of car chargers, but they had to be very close and looked daunting to buy and implement. But they’re getting better. Several vendors are highlighting much more practical car chargers (both wireless and wired) that can charge much more efficiently, and the price is dropping.

One vendor, Nimbus, figured out a way to run significantly more power at distances of many meters, and highlighted a running electric motor on the receiving sensor end. While this supplier of higher power at higher distances is more of a scrappy startup, they have some demos here that are pretty impressive.

For the consumer market, pricing is super sensitive, so if your remote charger costs five times what it seeks to replace, it’s a nonstarter. But with the combination of dropping power requirements in remote devices, the pain of swapping batteries in far-flung sensors and devices, and increasing efficiencies and scale of manufacture, expect to see way more wireless charging devices appearing.

One application that has been getting traction is supply-chain and warehouse management, where electric-powered material-handling vehicles (think “forklifts”) proceed along a set path to move material but return to a charging base when at rest between operations. While this could’ve been handled by wiring a bunch of dedicated charging stations, if there’s a wireless charging option that could deliver little bits of power to vehicles in proximity, the savings of not wiring a factory could be quite significant. Also, if you want to change the floor layout, you don’t need an electrician – just point the charger in a different location.

With every new – or better – technology, there is a raft of innovation and new ways to think about securing it all. But hopefully we’ll see secure, wireless networks taking shape in places that were simply unattainable or impractical previously. At next year’s CES we’ll probably be seeing some of them.

CES 2022 – the “anyone can make an electric car” edition

But as we learned in mashing up other technologies, the security devil is in the details

Cars have historically been monumentally difficult to manufacture and sell successfully, but in today’s world, you can mash up an electric car with off-the-shelf doodads from any of a number of manufacturers displaying here at CES, and voila! You have an e-car. But as we learned in mashing up other technologies, the security devil is in the details.

This feels an awful lot like the migration from mainframes to personal computers you could build yourself. Not that the average person could or would, but many nerds did and it spawned a whole industry, much to the chagrin of the mainframe vendors who felt their wares were far too lofty for the masses.

But if you take a battery pack from one of a (growing) number of vendors, then add some electric motors similarly sourced, then get some designers to design a cabin that (hopefully) looks different enough to differentiate in the marketplace, you have a car. It’s sort of becoming a big, fancy branding exercise.

In the past, it took hundreds of millions of dollars to produce a new engine that customers wanted; then there came the fabulously complex work of building a car around it, with a complex drivetrain, brakes, engine cooling, cabin comfort and the like. Then you had to get it certified for emissions and safety standards. But bolting batteries onto a box with wheels is radically simpler. Electric drill simple, or at least rapidly approaching the simplicity of commodity electrified products.

But as we learned with PCs, mashing up technologies in a rush to market was inviting maliciousness, the kind we’re still fighting.

While some automotive technologies focus on security, they need to be interoperable across standards that make them usable for a variety of mobile platforms. That means sprinkling lots of API mash-ups over automotive buses and hoping for the best.

Some electric vehicle producers with the early advantage at least engaged with the security community. This resulted in embarrassing published exploits, but also served as a bridge to the community that showed they had a commitment to improving, which was definitely a step in the right direction. But will others follow?

I saw a number of self-driving trucks and delivery vehicle concepts on the show floor, and there promise to be more next year. I don’t know what the new entrants’ security postures will be, but they’ll lose a bit of the limelight when they’re not the first, second, or third to market, so there won’t be as much pressure to get security right.

Then there’s a bunch of automotive-parts suppliers who have to sell products to the manufacturers for integration or face tough business headwinds, but will security come first? We hope so. Maybe we’ll see next year.

Week in security with Tony Anscombe

CES gives us a glimpse of our connected future – 10 bad cybersecurity habits to break this year – How hackers steal passwords

In this edition of Week in security, Tony looks at these topics:

- How the vast volume and variety of tiny sensors will soon influence almost everything in our world
- 10 bad cybersecurity habits that may be putting you at risk and that you should consider breaking in 2022
- Some of the most common tricks that hackers use to steal passwords

All this – and more – on WeLiveSecurity.com.

CES 2022: Space security – no more flying blind

And no more worrying about your satellite being smashed by a “drunk driver” as new tech promises to predict hazards in orbit

Headed to space and worried about astral fender benders from space junk collisions? There’s a CES vendor for that. Worried too many satellites are snooping in your direction? Same thing. Want a comfy flight suit and tasty stellar snacks while you’re there? Yeah, that too.

One startup here called SpaceMap hopes to be the Google Maps of space, preventing everything from satellite collisions to predicting where pretty much everything whizzing around at thousands of miles an hour is, so they don’t hit each other.

From a security standpoint, SpaceMap could also alert you when a foreign object is approaching your satellite, perhaps intending to do harm.

We opined here previously that space hacking would be the next cybersecurity frontier. Recent reports confirm the continual digital pounding of space infrastructure, from the ground stations on up, looking for vulnerabilities to exploit. But if an adversary can fly up and meddle directly, how would you know?

Enter conjunction assessment. It’s the space equivalent of knowing a drunk driver is careening through space toward your multimillion-dollar platform, and it can detect potential space wrecks days in advance.

If “a drunk is coming”, the tech can help you swerve in time to avoid close calls. SpaceMap says it can also help you navigate to less crowded orbits with fewer problems in the future, by assessing space congestion and helping you to steer clear.

Speaking of optimization and directing traffic, if optimizing the shortest path for data to travel between satellites reduces latency in network traffic, that could mean network speedups.

It may also be interesting if you need to coordinate a space service call to fix issues with your satellite, aiding in the rendezvous, but it’s too soon to tell.

If folks are looking for the best way to clean up space junk, technology like this will aid the “trash trucks” of space to do a little celestial cleaning in the future.

This is the first year that space tech has had a dedicated spot on the show floor, and it’s admittedly small, but not if these scrappy startups have anything to say about it. We’ve already seen the ramping up of the commoditization of space; now it’s time to make it more accessible, and mapping it all out will be fundamental to avoiding traffic jams. With satellites still costing millions, optimizing their paths even a few percent might be worth it. Also, SpaceMap has a cool domain – spacemap42.com. Don’t tell me you study the universe and don’t know the interstellar meaning of 42?

Outside the main CES halls, Sierra Space has a mockup of a spacecraft it hopes will be used in the future to swoop would-be travelers back and forth to space, complete with sexy low-profile space suits, mockups of comfy space apartments and veggie gardens in space. Chicken, however, will be much harder to come by. They weren’t offering rides at the show.

CES 2022: More sensors than people

A sea of sensors will soon influence almost everything in your world

Probably for the first time in its history, CES has more sensors on the show floor than attendees. What the show lacks in physical attendees, it makes up for with the sheer volume and variety of tiny sensors that will influence almost everything in your world in the next couple of years.

One company has made a sensor that’s about as thin as paper and interacts with any movement within a hand’s width. Pair that with a spatial sensor, both ridiculously cheap, and you get 3D spatial awareness in an almost throwaway form factor. As sensors become disposable (think hotel swipe-card room keys), they also represent an almost undetectable fire-and-forget threat to security.

It used to be that people dropped USB keys with malicious payloads in parking lots; now something that looks like a piece of trash can be silently slurping up information, and malicious actors won’t care much if it’s thrown away, since it’s cheap to dispense them widely for other employees to pick up – and some most likely will.

This means renewed emphasis on zero-trust models and beefing up defenses against the insider threat, which now may come from something that may look like a wadded-up piece of trash.

And sensors will be heading into your body. With medical tech advances, tiny sensors will be enabling future surgery, imagery and remote hands – doctors will be listening to robots inside you.

Those robots will be augmenting reality to show the doctor myriads of related data about you, real time, in tasty virtual reality suites, allowing a new level of situational awareness to the surgical suite. If your doctor is a fan of gaming consoles, they’ll feel right at home.

It will also mean far fewer trips to the hospital – they’ll just query embedded sensors from afar and add it to your medical record.

If you live in a city, expect way more sensors perched atop lamp posts (since they already have power). When bundled with AI compute cores, these sensors will provide a continuous view of traffic all around them, including license plate numbers, car type and speed, sort of a traffic radar on steroids. Initially cities hope to sell their use to reduce congestion and avert emergencies, but when the deployment costs get factored in, expect myriads of digital sensors to send you a bill if you speed, park illegally, or engage in other activities the municipal authorities regard as fundraising opportunities.

Speaking of opportunities, citizen privacy groups will continue to move into center stage as a primary method to oppose mass, unchecked surveillance that keeps oozing our way. It will be interesting to watch how initiatives like GDPR and those launching in places like California will stymie such smart city initiatives. Expect big fights. But it had to come. Your right to be left alone will be coveted by you, but despised by the many sensors and their overlords.

Also, since people shied away a bit from the in-person version of CES, it’s the first time that I’ve been able to find a seat here to type these dispatches from.

5 ways hackers steal passwords (and how to stop them)

From social engineering to looking over your shoulder, here are some of the most common tricks that bad guys use to steal passwords

The concept of the password has been around for centuries and passwords were introduced into computing way sooner than most of us can remember. One reason for the enduring popularity of passwords is that people know instinctively how they work. But there’s also a problem. Passwords are the Achilles’ heel of the digital lives of many people, especially as we live in an age when the average person has 100 login credentials to remember, with the number only trending upwards in recent years. It’s little wonder many people cut corners and security suffers as a result.

Given that the password is often the only thing standing between a cybercriminal and your personal and financial data, crooks are more than eager to steal or crack these logins. We must put at least the same amount of effort into protecting our online accounts.

What can a hacker do with my password?

Passwords are the virtual keys to your digital world – providing access to your online banking, email and social media services, our Netflix and Uber accounts, and all the data hosted in our cloud storage. With working logins, a hacker could:

- Steal your personal identity information and sell it to fellow criminals.
- Sell access to the account itself. Dark web criminal sites do a brisk trade in these logins. Unscrupulous buyers could use access to get everything from free taxi rides and video streaming to discounted travel from hijacked Air Miles accounts.
- Use passwords to unlock other accounts where you use the same password.

How do hackers steal passwords?

Familiarize yourself with these typical cybercrime techniques and you’ll be far better placed to manage the threat:

Phishing and social engineering

Human beings are fallible and suggestible creatures. We’re also prone to make the wrong decisions when rushed. Cyber-criminals exploit these weaknesses through social engineering, a psychological con trick designed to make us do something we shouldn’t. Phishing is perhaps the most famous example. Here, hackers masquerade as legitimate entities, such as friends, family, and companies you’ve done business with. The email or text you get will look authentic, but includes a malicious link or attachment which, if clicked on, will download malware or take you to a page to fill in your personal details.

Fortunately, there are plenty of ways to spot the warning signs of a phishing attack, as we explain here. Scammers are even using phone calls to directly elicit log-ins and other personal information from their victims, often pretending to be tech support engineers. This is described as “vishing” (voice-based phishing).

Another popular way to get hold of your passwords is via malware. Phishing emails are a prime vector for this kind of attack, although you might fall victim by clicking on a malicious advert online (malvertising), or even by visiting a compromised website (drive-by-download). As demonstrated many times by ESET researcher Lukas Stefanko, malware could even be hidden in a legitimate-looking mobile app, often found on third-party app stores.

There are many varieties of information-stealing malware out there, but some of the most common are designed to log your keystrokes or take screenshots of your device and send them back to the attackers.

Brute forcing

The average number of passwords the average person has to manage increased by an estimated 25% year-on-year in 2020. Many of us use easy-to-remember (and guess) passwords as a consequence, and reuse them across multiple sites. However, this can open the door to so-called brute-force techniques.

One of the most common is credential stuffing. Here, attackers feed large volumes of previously breached username/password combinations into automated software. The tool then tries these across large numbers of sites, hoping to find a match. In this way, hackers can unlock several of your accounts with just one password. There were 193 billion such attempts globally last year, according to one estimate. One notable victim recently was the Canadian government.

1/5 The GC has taken action in response to credential stuffing attacks mounted on the GCKey service and the CRA. pic.twitter.com/KZhvFKFQot

— Digital Government (@DigitalCDN) August 15, 2020

Another brute force technique is password spraying. Here, hackers use automated software to try a list of commonly used passwords against your account.

Although hackers have automated tooling at their disposal for brute-forcing your password, sometimes these are not even needed: even simple guesswork – as opposed to the more systematic approach used in brute-force attacks – can do the job. The most common password of 2020 was “123456”, followed by “123456789”. Coming in at number four was the one and only “password”.

And if you’re like most people and recycle the same password, or use a close derivative of it, across multiple accounts, then you’re making things even easier for attackers and putting yourself at additional risk of identity theft and fraud.
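For readers who operate a login service, the patterns described above leave different traces in authentication events and can be told apart per source address. The following is an added example, not code from the original article: the event tuple format, the thresholds and the keyed password fingerprint (`pw_tag`, `TAG_KEY`) are assumptions, and all sample events are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a server-side secret used only to fingerprint attempted passwords,
# so distinct guesses can be counted without retaining the passwords themselves.
TAG_KEY = b"constructed-demo-key"


def pw_tag(password):
    """Keyed, truncated fingerprint of an attempted password."""
    return hmac.new(TAG_KEY, password.encode(), hashlib.sha256).hexdigest()[:12]


def summarize(events):
    """Group events by source. Each event is (source_ip, username, pw_tag, success)."""
    stats = defaultdict(
        lambda: {"users": set(), "tags": set(), "attempts": 0, "hits": set()}
    )
    for ip, user, tag, success in events:
        s = stats[ip]
        s["users"].add(user)
        s["tags"].add(tag)
        s["attempts"] += 1
        if success:
            s["hits"].add(user)
    return stats


def classify(s, min_users=5, min_guesses=6):
    """Label one source by the shape of its attempts (thresholds are illustrative)."""
    users, tags = len(s["users"]), len(s["tags"])
    if users >= min_users:
        # Few passwords repeated over many accounts: a common-password list.
        if tags * 3 <= users:
            return "password_spraying"
        # Roughly one distinct password per account, each tried once or twice:
        # username/password pairs replayed from an earlier breach.
        if tags >= 0.8 * users and s["attempts"] <= 2 * users:
            return "credential_stuffing"
        return "multi_account_unclassified"
    # One account hammered with many different passwords.
    if users == 1 and tags >= min_guesses:
        return "single_account_guessing"
    return "normal"


def triage(events):
    """Return a verdict per source plus accounts that logged in from a flagged source."""
    report = {}
    for ip, s in summarize(events).items():
        verdict = classify(s)
        report[ip] = {
            "verdict": verdict,
            "accounts_to_reset": sorted(s["hits"]) if verdict != "normal" else [],
        }
    return report


def constructed_events():
    """Constructed sample data using documentation-range IP addresses."""
    pairs = [("alice", "Summer2019!"), ("bob", "qwerty77"), ("carol", "dragon#1"),
             ("dana", "Tr0ub4dor"), ("eve", "letmein9"), ("frank", "hunter22")]
    events = []
    # Source A: six different pairs, each tried once; one reused password works.
    for user, pw in pairs:
        events.append(("198.51.100.10", user, pw_tag(pw), user == "dana"))
    # Source B: two of the most common passwords tried against every account.
    for pw in ("123456", "password"):
        for user, _ in pairs:
            events.append(("203.0.113.20", user, pw_tag(pw), False))
    # Source C: a single account with eight distinct guesses.
    for i in range(8):
        events.append(("192.0.2.44", "grace", pw_tag("guess%d" % i), False))
    # Source D: a legitimate user who mistypes once, then logs in.
    events.append(("192.0.2.30", "erin", pw_tag("corect horse"), False))
    events.append(("192.0.2.30", "erin", pw_tag("correct horse"), True))
    return events


if __name__ == "__main__":
    for ip, result in sorted(triage(constructed_events()).items()):
        print(ip, result["verdict"], result["accounts_to_reset"])
```

A successful login from a source flagged as credential stuffing is the signal that matters most: that account reused a breached password and should be forced through a reset.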

Shoulder surfing

All of the paths to password compromise we’ve explored so far have been virtual. However, as lockdowns ease and many workers start heading back to the office, it’s worth remembering that some tried-and-tested eavesdropping techniques also pose a risk. This is not the only reason why shoulder surfing is still a risk, and ESET’s Jake Moore recently ran an experiment to find out how easy it is to hack someone’s Snapchat using this simple technique.

A more hi-tech version, known as a “man-in-the-middle” attack involving Wi-Fi eavesdropping, can enable hackers sitting on public Wi-Fi connections to snoop on your password as you enter it in while connected to the same hub. Both techniques have been around for years, but that doesn’t mean they’re not still a threat.

How to protect your login credentials

There’s plenty you can do to block these techniques – either by adding a second form of authentication to the mix, managing your passwords more effectively, or taking steps to stop

Instagram and teens: A quick guide for parents to keep their kids safe

How can you help your kids navigate Instagram safely? Here are a few tips to help you protect their privacy on the app.

While many teens have recently been captivated by other social media apps du jour, most notably TikTok, Instagram continues to hold its own among young internet users. Indeed, children aged 13-17 make up eight percent of Instagram’s entire userbase, with the Facebook-owned photo-sharing platform boasting almost 1.4 billion active users of all ages every month.

Being a social media platform, however, Instagram may also put children at heightened risk of various threats commonly associated with social media, including cyberbullying, predators, scams and exposure to inappropriate content. In this article, we’ll look at how you can help protect your child’s privacy on Instagram using some of the site’s built-in features.

Account privacy and who can see what

The first order of business should probably deal with the account’s privacy. Instagram offers two options – any account can be either public or private. In fact, as part of recent measures aimed at its youngest users and their parents and guardians, Instagram now defaults users under 16 years of age into private accounts when they join the site, although they can still choose to switch to a public account. A private account is generally the better option, however, especially because it requires that its owner approve who exactly can follow them and so see their content.

Should your teen have compelling reasons to use a public account instead, consider helping them make at least some of their content available only to their close friends list. It’s also worth having a discussion with your kids about the risks that having a public-facing profile carries – it may not be wise to let anybody see all they have on their feed, the stories they shared, and so on, since this can provide unsavory characters with enough material for all manner of nefarious ploys, including those that involve cloning victims’ accounts.

Also, those who have their accounts public are free to switch to a private account at any time, but it bears mentioning that the followers they already had when switching to private will remain with them.

Direct messages, plus comments, tags and mentions

Perhaps you’ve heard the term “sliding into their DMs”, which means to send a direct message (DM) to someone. DMs are a common part of Instagram culture: teens do not just like and comment on each other’s posts or watch stories – they often communicate through DMs. That being said, it’s prudent to have some level of control over who is able to message your children.

With this in mind, Instagram now prevents adults from sending messages to those under 18 years of age unless those teens follow the adults in question. Another safety feature that the platform recently rolled out to protect young users is sharing prompts or safety notices to encourage vigilance in teens in conversations with adults they’re already following.

“Safety notices in DMs will notify young people when an adult who has been exhibiting potentially suspicious behavior is interacting with them in DMs. For example, if an adult is sending a large amount of friend or message requests to people under 18, we’ll use this tool to alert the recipients within their DMs and give them an option to end the conversation, or block, report, or restrict the adult”, Instagram announced in March 2021.

Comments, Tags, and Mentions are some other ways users can interact with each other and you’ll probably have no shortage of minors using these functions to their hearts’ content. Generally speaking, it’s wise to make sure random strangers can’t tag or mention your children in their posts and to further curb what may be inappropriate interactions with them. Importantly, Instagram said a few weeks ago that it would “switch off the ability for people to tag or mention teens who don’t follow them, or to include their content in Reels Remixes or Guides by default when they first join Instagram”.

Hiding words

All of us are well aware that social media interactions can sometimes devolve into a cesspit of maliciously spewed comments and insulting messages, often after a heated discussion on a hot-button topic. This is often caused by online trolls who try to egg on commenters. However, online trolling can even turn into cyberbullying or cyberstalking. Instagram has a handful of handy features and settings to protect its users from such abusive behavior, which can be found in the Hidden words settings.

If you want to hide offensive comments from both your children’s eyes and the eyes of their followers, you can turn on Instagram’s comment filtering system. The system will then hide comments that contain the flagged terms, with the same option being available for DMs. Additionally, you can set up a custom word list, where you can include terms that you find personally offensive. Instagram also recently rolled out several new features that are designed to curb cyberbullying.

Closing words

Regardless of whether your kids use Instagram to stay connected with friends, interact with like-minded people, keep up with the latest trends, showcase parts of their lives, or even shop for statement pieces, make sure that privacy and security are not an afterthought.

Indeed, consider nudging your children to take additional steps aimed at promoting prudent use of the app. As per its blogpost in December 2021, Instagram is, for example, starting to encourage kids to take regular breaks from screens. Also, it is helping them manage their digital footprint by making it easier to bulk-delete old content, likes and comments. Additionally, in March 2022, the platform will roll out its first set of parental controls, giving parents the opportunity to see how much time kids spend on the site and set screen time limits.

To learn about more dangers faced by children online, as well as how technology can help, head over to Safer Kids Online.