29 Sep 2016

Your Childhood Best Friend and the Yahoo Hack

Who was your childhood best friend?

While the recent Yahoo hack garnered headlines for a variety of reasons (even though the hack is reported to have occurred years ago), what may turn out to have more of a lasting impact on your cybersecurity is the compromise of the security questions and answers that websites use to verify your identity. As Yahoo reports, “In some cases, encrypted or unencrypted security questions and answers” were stolen.

What is your favorite vacation spot?

Yahoo hackers now know more about you – they know your childhood best friend. They know your favorite vacation destination. They know your favorite pet’s name, your mother’s maiden name, and the model of your first car.

The danger here is that these personal facts are often used as security questions at other websites: your online banking website, your online stock brokerage account, your social media accounts, and so on. A password you can change, but your mother’s maiden name? The model of your first car? These answers are indelible; unlike a password, they cannot be rotated. Once these personal facts are compromised, they can be used to compromise your identity across the Internet.
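The Yahoo statement distinguishes “encrypted or unencrypted” answers. As an added illustration (not code from the original post or from Yahoo), the following shows how a site can store a security answer so that a stolen database yields only a salted, slow hash rather than the plaintext fact. The normalization rules and the PBKDF2 parameters are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Work factor and salt size are constructed choices for this example,
# not values taken from the original post.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so harmless variations still match.

    Applies Unicode NFKC, case-folds, and collapses runs of whitespace,
    so "  Honda   CIVIC " and "honda civic" hash to the same digest.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def store_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return a record holding only a per-answer salt and a PBKDF2 digest.

    The plaintext answer is never kept; a breach exposes the record only.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
    )
    return {
        "salt": salt.hex(),
        "digest": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the digest for a candidate answer and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    # Constructed sample: the stored record contains no trace of the answer.
    record = store_answer("Honda Civic")
    print(record)
    print(verify_answer(record, "  honda   CIVIC "))  # matches after normalization
    print(verify_answer(record, "Toyota Corolla"))     # does not match
```

Hashing only addresses the storage side. The set of plausible first cars, pets’ names or vacation spots is small, so a slow hash raises the cost of guessing but cannot make a low-entropy answer strong, and, as the post notes, the underlying fact cannot be changed once it is known. A practitioner-side mitigation is to treat each site’s security answers as unrelated random secrets kept in a password manager rather than as true biographical facts.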

The business world is moving to “two-factor” authentication to provide an additional layer of security on top of your password. The idea is that adding even one more factor to the authentication process increases your security considerably. The most common implementation of two-factor authentication requires you to enter your password (factor one) and then answer a question about yourself whose answer the service provider already holds (factor two). This second factor might be a security PIN or a security question. What will be interesting to see is what happens when this type of “security question”-based two-factor authentication becomes pervasive as a cybersecurity best practice. Given how many online accounts the average person has, if each of these websites keeps a set of your personal security questions and answers, it won’t be long before a hack at a single website compromises the two-factor authentication process for all of your accounts that share at least some of the same security questions.

Once these questions become ubiquitous as a cybersecurity best practice, hackers will certainly perceive a greater value associated with the answers to these questions, perhaps causing this information to become the prized target of a future hacking attempt.

So, the Yahoo hackers know your mother’s maiden name. What can you do? It will be increasingly necessary to vet the security practices of any website at which you are considering creating an account. Does the website use these generic security questions or a unique PIN? Better yet, does it give you a security device that generates a temporary PIN to use as the second factor in the authentication process? Many banks now do this.

Enterprise businesses are increasingly transparent about their cybersecurity practices, and it is now commonplace to find regular blog articles by a company’s head of information security that detail the company’s cybersecurity strategy. Certainly, if a breach has happened in the past, affected companies will often publicly outline the steps they will take to prevent recurrences. In the case of Yahoo, where a massive data breach has taken more than two years to come to light (giving hackers ample time to benefit from the stolen information), users will certainly be assessing their next steps carefully.