How to Boost your Yahoo! Sign-In Security
17th October, 2018 | Cyberprivacy | Entropic
The record for one of the largest data breaches in history lies with Yahoo! Inc, now part of Oath - a subsidiary of Verizon Communications.
This breach collectively consisted of two major events instigated by Russian hackers contracted by the Russian Federal Security Service (or FSB) - one that occurred in late 2013 and one in late 2014. This resulted in the loss of names, addresses, security questions, DOB, and hashed passwords for all of Yahoo's then user base - over 3 billion users. Magnifying the impact was that Yahoo! took over 2 years to report this breach to authorities and their customer base.
What we can learn from this is that at any time, your personal information might be in transit to hackers who have already found and exploited a previously unseen vulnerability in a given service. Additionally, we know that you are more likely to find out about the theft of your personal information months or years later. With this delay in discovery and reporting in mind, it's a very good plan to regularly and frequently check the security of your Yahoo! account.
Despite the imperfections of two-factor authentication (2FA) in terms of security and usability, this data breach would have to be one of the single biggest reasons to enable this type of account protection. Unfortunately, at this point, Yahoo! does not appear to provide any secure, industry-accepted methods of 2FA. Given Yahoo's track record with data breaches, along with the massive volume of personal information they have amassed and centralized over the past 24 years of their existence, it seems unusual that they haven't been more aggressive about adopting industry-established methods of authentication, such as authenticator app and security key based approaches - ones that are now commonly supported by Google, Twitter, and Facebook. Let's review the options provided by Yahoo! beyond basic username/password security.
What are Your Current Sign-in Security Options?
Two-step Verification
One of these is an SMS-based method of 2FA account protection, called "Two-step verification". This method of 2FA has long been known to be vulnerable to SIM card hijacking attacks. In addition, recent events have revealed how some of the information collected during the setup of this type of account protection can be abused by the company collecting it. Facebook was recently caught feeding the phone numbers entrusted to them by their customers during two-factor authentication setup into other, unrelated advertising services.
Yahoo! Account Key
The other method of account protection, "Yahoo Account Key", eliminates the need to use a password after an initial setup procedure. Once configured with a password and a special code, it works by simply sending a sign-in confirmation request to one of your registered devices with a Yahoo! app installed, such as a smartphone. While this method of sign-in authentication lacks some of the key problems of SMS-based 2FA mentioned above, and has a relatively smooth user experience, it is a custom approach developed by Yahoo! that does not appear to follow any established industry practices for sign-in authentication.
With this said, and in consideration of the problems that SMS-based Two-step Verification brings, we believe the Yahoo! Account Key approach to be the better form of account protection for now, until Yahoo! implements more industry-accepted options for account protection.
Below we have listed, from best to worst (security, not convenience), the options that Yahoo! provides for increasing your account security. Please note also that the methods provided by Yahoo! described below are subject to change over time, as they adapt their security.
How to Enable
Follow the Yahoo! setup procedures to enable account key protection or enable two-step verification.
Features to Avoid
For these additional types of authentication offered by Yahoo!, there are convenience features that tend to break down the security of the 2FA/Account Key features. So if possible, try to avoid depending on them too much, or at least be vigilant about how you use them.
Some examples are:
- The ability to generate an app-specific password, in cases where you can't use 2FA or Account Key.
Possible risks:
- After taking a picture of the app-specific passwords you generate, that picture might be synced to a cloud storage or backup service, meaning that it might become accessible to other people or systems over time.
- After printing the app-specific passwords, you might forget that you left a copy of these passwords in your Downloads folder, or they might be lying around in your trash after you deleted them, or the printed passwords might be intercepted in your baggage while you travel, and so forth.
- Each app-specific password is subject to the usual single-factor authentication risks, such as brute force password attacks.
Regular Review
On a regular basis, you should review the following on your Yahoo! account:
- Your password - update your password regularly using Yahoo! Password Tips.
- The Recent Activity section in Yahoo! settings, to check if there are any devices you don't recognize.
- The Recent account access changes section directly below this section.
- The Manage where you receive notifications section under the "Account Security" section, to check that you recognize all of the devices listed.
- The Phone numbers section directly below this section, to check that you recognize them and that they are up to date.
- The Recovery e-mail address(es) section directly below this section, to check that you recognize them and that they are up to date.
Conclusion
When it comes to investigating criminal activity, a less advertised benefit of blockchain-based payment systems has been used by law enforcement in cyber-crime investigations for several years. Information about Bitcoin transactions made available on the public blockchain ledger can be used to correlate historical payments made by cybercriminals as part of their overall cyber-attack operations. An example of one such investigation, into the Mt. Gox exchange hack, is discussed in this article by Sarah Rothrie originally posted on CoinCentral.com.
If you have any feedback, questions, or suggestions, please let us know.
Acknowledgements:
Photo by Flo P on Unsplash