Getting Schooled in Cyber Security

Due to increasing cyber attacks on districts, educational services are playing catch-up in online security

Photo Credit: Yeshiva University

James Connor, Freelancer

New technology and online sites have pushed forward the educational potential of school districts. Websites, apps, and other technological developments are responsible for enhancing the way that students learn and communicate throughout a school day. However, as is the case with all online services, cyber security should remain a primary focus. Yet most major educational websites, including Khan Academy, Quizlet, and TEDx, lack basic account settings to help students and educators secure their accounts.

In the age of data breaches and phishing scams, passwords cannot be trusted to serve as the only line of defense against hackers. A technology called “multi-factor authentication” was created to solve this problem. In addition to a password, multi-factor authentication requires a code which is sent to a user’s email or phone, to verify authentication through a different medium. This is extremely beneficial to the security of an online account. Despite this, ten of the online web services analyzed, many of which are utilized in school districts, do not support any form of multi-factor authentication. These websites are Khan Academy, Turn it In, Quizlet, Remind, Castle Learning, TED, edX, Coursera, CK-12, and Conjuguemos. While many people may view multi-factor authentication as unnecessary, supporting this extra layer of security can be beneficial to the online safety of students and educators.

Another, more pressing issue found in half of the explored sites was a lack of required authentication to modify account information. Picture this: a student who needs to do some extra work accesses an account at school. They do their work, then get up and leave when they’re done; or perhaps they get up to use the bathroom. In the time that the student is away, another person gets on the computer. Since no authentication is necessary to change the password, backup email, or other important account info, the person can simply change this information, compromising the entire account. It’s not an unheard-of scenario in a school building in which many students share the same computers. Sites specifically designed for use in schools could improve educational security by requiring a password to be re-entered before changing account information. However, Turn it In, TED, and Conjuguemos don’t, while Khan Academy and Quizlet allow a password to be added before requiring authentication. These sites are used by thousands of students, including many in the Northport-East Northport School District, but lack this basic form of online security.

All ten analyzed sites were asked for the reasoning behind the design of these account settings. Castle Learning, a service for providing online and offline testing; Remind, a web-based communication service aimed towards educators; and Khan Academy, a website made for students to study key subjects, each responded to our request for comment. Castle Learning explained the design decisions behind not offering multi-factor authentication: “The current security controls in Castle Learning are based on requests from our school/district administrators”. These requests included support for “relatively easy access for younger students”, “centralized control/management of student user IDs and passwords” and “centralized and automated enrollment updates”. Meanwhile Quenton Cook, Vice President of Product at Remind, explained that “Given that so many Remind users are [text message]-only, MFA hasn’t yet made it on our roadmap—but it’s definitely something we plan to tackle in the future.” Khan Academy followed this same line of thinking, saying that in an effort “to operate with minimal personal information” they don’t support their own form of MFA. They did go on to explain that they “support using either a Google or Facebook account to log in, and both of those authentication options have the ability to set up MFA”. It’s important to note that while connecting an external account would support MFA, having a non-Google email address linked to the account would bypass any additional means of authentication. Multi-factor authentication, while important, appears to have taken a backseat until users start to request the ‘feature’ en masse. Seven of the sites – including almost all of the sites that didn’t require re-authentication to change account information – did not immediately respond to a request for comment.

So why should students and educators be requesting MFA? What cause for concern is there for the regular operations of a school district? Unfortunately, educational providers have become targets for hackers in recent years. Many districts face phishing attacks on a regular basis, while others have been subjected to expensive and damaging ransomware attacks. As the New York Times has reported, school districts across the United States, including those in Houston, Louisiana, Upstate New York, and even here on Long Island, are beginning to face cyber attacks and data breaches. With these new emerging threats to cyber security, school districts and educational service providers need to empower users to protect their information in the online world.

The settings for TurnItIn, one of the sites whose user settings were analyzed. / Photo Credit: James Connor
The settings for Conjuguemos, one of the educational sites analyzed. / Photo Credit: James Connor