Yahoo breach is an opportunity to make hacks irrelevant
Once again, more news of a big breach hits the wire. This is a blockbuster breach of staggering size and scope that has actually been baking since 2014, when the original breach occurred and was reported on. Still, 500 million records lost will likely make this one of the biggest on record. Sadly, while that number may be what Yahoo is aware of today, we can probably expect this number to rise. With this attack on half a billion user accounts, we are likely to see well over a billion accounts breached this year alone compared to about 800 million in 2015.
Clearly, hacks are getting bigger and more impactful. Like a dirty snowball gaining speed and momentum, hacks are gaining in scope, sophistication, and impact. All while feeding a fraud engine that leads to identity theft, account fraud and a myriad of other crimes that can be stopped.
This breach will rattle consumers badly. First, we all have to start accepting that breaches are an unhappy fact of life and our personal records are being shared on the dark web – sometimes years after the breach occurs. This one, in particular, hits everyone hard. Yahoo has a lot of long-standing and trusted accounts. After all, who doesn’t have a Yahoo account? Even an old one sitting around might have emails and other personal information in it that could be used by a hacker later on.
You’ll hear a lot in the next few days about changing your password, and yes, while it’s good practice to change your usernames and passwords often and make them complex, it’s just not enough on its own. Data breaches build upon each other, with each one feeding additional tidbits of personal data into identity profiles. These profiles become more complete with every addition, and sometimes the process takes years. For a large segment of our population, identity profiles like this are up for sale on the dark web. Once purchased, fraudsters use these profiles to reset passwords on banking and e-tailer sites linked to Yahoo accounts. They can use the data to apply for new credit cards and loans. Even more frighteningly, with a complete and valid identity, they can gain access to your work credentials, where the damage could be colossal. You may be completely unaware until the bills start arriving or your workplace is impacted.
Where credit card fraud was all the rage a couple of years ago, it is this kind of account takeover and new account fraud that is on the painful and dramatic rise. In 2016 we’ve seen, in our own database of 81 billion behavioral events annually, a steady 10% month-over-month increase in new account fraud.
There are behavior-based methods that online merchants, banks, and providers are going to need to deploy that will help keep consumer accounts safe, even if valid credentials are presented. These solutions give deep insight into who sits behind the device – and provide near-perfect trust that it is the consumer, and not a fraudster using our identity information online. You can and should start expecting these multi-behavior based solutions from those providers that protect your online accounts.
Knowing that we haven’t been able to stop these breaches from happening, and accepting the fact that much of our identity information is already on the dark web, is the first step that responsible providers need to take. The second step is putting into place security systems designed to protect their customers from the nefarious use of these stolen identities. The best of these systems use multiple points of interaction to authenticate instead of single points (like a password), authenticate at multiple touchpoints even before the transaction occurs, and are completely frictionless to consumers.
It’s time to make these breaches irrelevant by devaluing the data that hackers like “Peace” use. So even if they keep trying to steal “pieces” of our data, the data can become irrelevant, because no matter how sophisticated they get, they can’t steal our behavior!