Yahoo security questions password reset – It’s just not enough, is it?
Yahoo has come under fire for not informing users sooner of a 2014 data breach, reported last week, in which the personal details of “at least” 500 million users were stolen.
If Yahoo were aware of the breach in 2014, they have been exceptionally slow in coming forward with the details; in fact, this writer would go so far as to say that if they were aware then they were negligent.
If Yahoo were not aware, then the security procedures that were in place were insufficient, and therefore Yahoo was negligent.
The breach is thought to be the largest reported breach of its type to date, overtaking the previous record of just over 359 million user details exposed in a 2008 breach at MySpace.
Protecting your details
Let’s assume that you have a Yahoo account and that, for some reason, Yahoo’s security standards don’t worry you and you want to keep using it; what should you do?
- 1) Change all of your security questions. Treat the answers as secrets in their own right: use random words or strings rather than true facts, because the real answers (mother’s maiden name, first school, first car) are often findable from public records or social media, and keep the made-up answers in your password manager.
- 2) Change your password and make it a long, complex one that you use nowhere else.
- You should look at an application such as LastPass, which will generate and store passwords for you.
- Make sure that you set a strong master password on the password application itself, since it now protects everything else.
- 3) Change your password on a regular basis, and immediately whenever a service you use reports a breach; never reuse a password across sites, so that one exposed password does not unlock your other accounts.
- 4) Don’t log in on a public network, such as café, hotel or airport Wi-Fi.
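Points 1 and 2 above in working Python, as an added example that is not from the original post or from Yahoo: it generates random security-question answers and passwords with the `secrets` module (a CSPRNG, unlike `random`) and compares the guessing effort for a truthful answer against a random one. The 32-word list and the figure of 3,000 common surnames are assumptions made up for the example; a real diceware-style list such as the EFF long list has 7776 words, and the code shows what that size buys you.

```python
import math
import secrets
import string

# Constructed sample wordlist, used only so the example runs offline.
# A real diceware-style list (e.g. the EFF long list) has 7776 words.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lumen", "marble", "nectar", "orbit", "pebble",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "ashen", "bramble", "cinder", "drift", "ermine", "falcon",
]
DICEWARE_SIZE = 7776

# Assumption for the comparison below: an attacker guessing a truthful answer
# ("mother's maiden name") works from a list of a few thousand common surnames.
COMMON_SURNAMES = 3000

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in `length` independent, uniformly random picks from `choices` symbols."""
    if choices < 2 or length < 1:
        raise ValueError("need at least two symbols and one pick")
    return length * math.log2(choices)


def random_answer(n_words: int = 4, wordlist=SAMPLE_WORDS) -> str:
    """A security-question 'answer' that is a random passphrase rather than a fact about you.
    It goes in the password manager next to the account; it never needs to be memorised."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """A password of the kind a manager generates, drawn from the CSPRNG in `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_answers(n_words: int = 4) -> dict:
    """Entropy, in bits, of three ways to answer the same security question."""
    return {
        "truthful surname": entropy_bits(COMMON_SURNAMES, 1),
        f"{n_words} words from sample list": entropy_bits(len(SAMPLE_WORDS), n_words),
        f"{n_words} words from 7776-word list": entropy_bits(DICEWARE_SIZE, n_words),
    }


if __name__ == "__main__":
    print("security answer:", random_answer())
    print("password:", random_password())
    for label, bits in compare_answers().items():
        print(f"{bits:6.1f} bits  {label}")
```

A truthful answer drawn from a few thousand surnames is worth about 11.6 bits, which an attacker who already has the hashed answer exhausts in seconds; four words from a 7776-word list give about 51.7 bits. The 32-word sample list only reaches 20 bits, which is why the real list size matters.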
What about our rights?
Obviously the Yahoo breach is one that needs looking at; in the UK, the Information Commissioner’s Office (ICO) is the first port of call.
Information Commissioner Elizabeth Denham said the number of people affected by the breach is “staggering” and demonstrates just how severe the consequences of a security hack can be.
“The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that.”
“We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find,” she said.
That all sounds great; however, I have had dealings with the ICO in the past, having reported incidents to them, and they tend to have a need to be politically correct. Therefore, this is one person who is not expecting much of an outcome.
Michael Lipinski, CISO and chief security strategist at Securonix, said: “We can’t keep accepting this level of ignorance as the best we can do,” adding that he does not believe it took two years to find the breach.
I find the choice of words interesting; “We can’t keep accepting this level of ignorance as the best we can do”.
What should be “the best we can do”?
There are simple things that everyone who holds your data could do to protect you:
- 1) Enforce strong passwords.
- 2) Store passwords and security-question answers only as salted, slow hashes (bcrypt, scrypt or Argon2), never in plaintext or under reversible encryption whose key sits on the same servers, so that a stolen database does not hand the attacker usable credentials; encrypt the rest of the personal data at rest. Yahoo’s own notice said that in some cases the stolen security questions and answers were unencrypted.
- 3) Use multifactor authentication to confirm logins from non-standard locations or devices.
- 4) Put a guarantee scheme in place that protects the user and provides a level of compensation for users affected by such breaches.
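Point 2 on the server side, as an added example that is not Yahoo’s code or the original post’s: each password and security answer is stored as a salted, slow hash with the work factor recorded beside it, answers are canonicalised before hashing so case and spacing do not matter, and verification compares in constant time. PBKDF2-HMAC-SHA256 is used only because it is in the Python standard library and keeps the example self-contained; Argon2id or bcrypt are the better production choices. The user record, question and answer are constructed sample data.

```python
import hashlib
import hmac
import os
import unicodedata

# Work factor for PBKDF2-HMAC-SHA256; OWASP's password-storage guidance suggests 600,000.
# Argon2id or bcrypt are preferred in production but need a third-party package.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalise_answer(answer: str) -> str:
    """Security answers are checked case- and whitespace-insensitively, so canonicalise
    before hashing; otherwise 'Glan Clwyd' and 'glan  clwyd' would hash differently."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. The stored string carries algorithm, work factor, salt and digest,
    so the work factor can be raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def create_record(username: str, password: str, question: str, answer: str) -> dict:
    """The database row: the question text is not secret, but neither the password
    nor the answer is recoverable from the row."""
    return {
        "username": username,
        "password": hash_secret(password),
        "question": question,
        "answer": hash_secret(normalise_answer(answer)),
    }


def check_login(record: dict, password: str) -> bool:
    return verify_secret(password, record["password"])


def check_recovery(record: dict, answer: str) -> bool:
    return verify_secret(normalise_answer(answer), record["answer"])


def leaks_plaintext(record: dict, *secrets_: str) -> bool:
    """Simulate a stolen database dump: does the row reveal any of the secrets verbatim?"""
    dump = "|".join(str(v) for v in record.values())
    return any(s in dump for s in secrets_)


if __name__ == "__main__":
    # Constructed sample user; the answer is deliberately untidy to show normalisation.
    row = create_record("alice", "correct horse battery staple",
                        "First school?", "  Ysgol  Glan Clwyd ")
    print(row)
    print("login ok:", check_login(row, "correct horse battery staple"))
    print("recovery ok:", check_recovery(row, "ysgol glan clwyd"))
    print("dump leaks secrets:",
          leaks_plaintext(row, "correct horse battery staple", "Glan Clwyd"))
```

Note what the row does not protect against: a hashed answer is only as strong as the answer itself, so a truthful answer from a small set is still guessable offline, which is why the user-side advice is to use random answers.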
It is my belief that only by adding the 4th clause above will we be able to protect users’ data in the future. The cost of a breach to larger companies is always very high, but it is the users who suffer the most. If there had been a clause in Yahoo’s T&Cs that meant that, so long as you had taken all reasonable precautions to secure your account information and a breach resulted in that information becoming available in the public domain, Yahoo would be liable to pay you compensation… well, let’s just say I doubt the breach would have happened.
If your data is stolen and as a result you become the victim of fraud, then you have a long road to financial recovery. True, if you are a victim of card or bank fraud then the recovery of lost money can be expected relatively quickly; however, it is up to you to prove that you took all reasonable steps to protect your data.
What about other types of fraud?
Unfortunately, if the fraud relates to a product or service such as a pension, then you can be certain of one thing: the resolution will be a long one. The way forward is through the Financial Services Compensation Scheme, where, if you are lucky, you will receive 80% of the total loss.
The Threat Landscape
The threat landscape is particularly hostile at present; there are threats that have been developed over a period of time and show a high level of sophistication. Socially engineered attacks aimed at small businesses with links to larger firms are proving successful in gaining access to those larger businesses.
The threats are not limited to Windows users any more than they are limited to Yahoo account holders. No matter the operating system or the device, believe me, you are a target.
Most worrying are the poor levels of security being applied around financial institutions; Computer Weekly reported last week:
The theft of $81m from an account belonging to the Bangladesh central bank in February 2016 was a watershed event, according to Alain Desausoi, CISO at financial messaging service Swift.
The threat for you
It is our experience that the majority of companies in North Wales have a similar attitude to cyber security as Yahoo does. The majority think that they have little or nothing to protect or, worse still, that they are of no interest to hackers.
You may want to stop and complete a little 10 – 15 minute exercise:
Create a list, perhaps in a spreadsheet, of the different types of information you store on your computer or online.
For example, you may have personal correspondence, photographs, work documents or personal details such as your National Insurance number, passport number, insurance policy details and passwords for online services.
For each type of information, think of its value to you. Label the most valuable types of information as ‘High’, the least valuable as ‘Low’ and those that are in between as ‘Medium’.
The value could be the cost to replace the information, in time or money, or the impact of its loss on your reputation or your company’s; for example, all your emails or photographs could be published online.
Do the same exercise for the online activities you engage in.
For example, you might use online banking, social networking services or shopping facilities online for a supermarket or Amazon or eBay.
This time, label each one with a value based on the potential cost of an unauthorised person gaining access to it.
Now look again at the list: have you included accounts with suppliers or customers? What about their information? Is it encrypted?
Support in North Wales
If you are now starting to see that there is a risk to you and your business activities then it is time to take action.
Don’t wait and think “I’ll do that tomorrow”; tomorrow may be too late.
Contact us and book a meeting; let us help you assess the threat and work out how to move forward.
The first hour is free and we will provide you with a plan to move forward.