Yahoo Hack Stirs Passwords Debate
The age of convenient logons may be nearing an end. That’s the upshot of the continuing wave of reports of hackers stealing consumer data from marquee retailers and tech companies, security experts say.
Yahoo is the latest example, admitting Thursday that data thieves “gained unauthorized access” to an undisclosed number of Yahoo mail users’ account credentials.
Company spokeswoman DJ Anderson emphasized the hackers did not penetrate Yahoo’s network defenses, instead stealing data from a third-party website that allows the use of Yahoo e-mail addresses to create customer accounts.
Yahoo is contacting victims individually and advising them to change their passwords and to use distinctive passwords for any online accounts tied to Yahoo mail.
“It’s really important for users to understand never to use the same password on multiple sites or services,” Anderson told CyberTruth.
But that maxim has been true for the past decade, and too many consumers are still ignorant of it, or ignore it.
Meanwhile, Web commerce has come to revolve around account usernames based on a valid e-mail address. Many consumers use the same e-mail address and password to create financial transaction accounts across multiple websites. Cybercriminals know this and are expert at correlating valid e-mail accounts with third-party services. This enables them to steal from financial accounts and carry out a variety of other scams.
“The simple username and password just is not an option any longer,” says Robert Siciliano, McAfee online security analyst. “It’s obvious that neither consumers, nor the companies collecting this data, are up to the challenge of keeping this data secure.”
The latest Yahoo breach follows disclosures of e-mail addresses stolen from Target, Neiman Marcus and Michaels. And last year, similar data was stolen from Adobe, Yahoo, LinkedIn and hundreds of other organizations.
“Attackers are focusing on valuable data in defined areas,” says J.J. Thompson, CEO of consultancy Rook Security. “It’s much easier to attack large collections of consumer data, instead of having to work harder attacking consumers individually.”
There is consensus in the financial services industry and the cybersecurity community that one quick way to slow the trend would be for consumers to embrace typing in a single-use security code each time they access any web service.
Data breaches are “part of the fabric of the Internet now,” observes Roger Thompson, chief emerging threats researcher, ICSA Labs. “Until organizations move from passwords to stronger forms of authentication everyone should adopt a one password per site policy.”
It’s not just consumers who should be concerned about exposure to, say, having their online bank accounts hijacked, or credit history stained. The proliferation of stolen e-mail account credentials makes spear phishing attacks more viable, says Eric Chiu, president and co-founder of cloud security firm HyTrust.
“The fact that usernames and passwords were stolen is scary for enterprises since most people use the same credentials for personal and work accounts,” Chiu says. “Stolen credentials can have a major impact if the attacker can get on a corporate network.”
The technology to slow, if not reverse, these trends is readily available. Most major banks, PayPal and even Yahoo support services that will issue a single-use security code via a text message. And Google supports an open source service, called Authenticator, that can be used across its Gmail service and many third-party accounts.
But such services are voluntary. To date, the vast majority of the public either are unaware of them or don’t want to bother with them.
“It’s not as difficult as people think, but it is one more thing to remember,” says Dr. Lance Larson, who teaches information management at San Diego State University. “The problem with society is a lot of providers don’t require users to set multi-factor authentication.”
Yahoo’s Anderson says consumers who don’t want to take the extra authentication steps should at least be smarter about how they use passwords. “It’s a basic, but a very healthy exercise,” she says.