A billion accounts compromised
A few weeks ago, Yahoo disclosed another major cyberattack, revealing that more than one billion user accounts were compromised in an incident dating back to August 2013. The sheer number of users affected has made it the largest such breach in history… so far. In a statement, the company said that an “unauthorised party” had broken into the accounts, and, echoing the allegations that troubled the recent US elections, Yahoo believes the hack was “state-sponsored”.
The damage from such a compromise can be deep and catastrophic. In the modern-day, connected world, consumers, like elephants, never forget. If a previously respected brand suffers a cyber breach, the reputational damage inflicted can lead to a not-so-slow death. In today’s landscape, brand equity, meaning intangibles such as customer loyalty, prestige and positive brand recognition, is everything.
For large corporations, this equity is their most valuable asset, and clawing back a damaged corporate reputation can be a long, painful and expensive business. Just ask Volkswagen, which is still trying to restore its good name following the 2015 emissions scandal while that name is continually dragged through the courts. Or spare a thought for Whirlpool, which is having to modify five million faulty tumble dryers that are at risk of catching fire.
A legacy problem
In some ways, hacks from a while ago that are only now coming to light are the most dangerous. This is because the data was stolen at a time when security around log-in authentication and Customer Identity Management (CIM) processes didn’t even come close to where we are today. But we still have a long way to go.
The 2013 attack on Yahoo is only one of the many types of attack that data security professionals must guard against. Another type of hack on the rise is the account takeover (ATO). In this scenario, cybercriminals recruit armies of bots (often personal computers infected with “zombie” malware) to hit websites with thousands of login attempts in short periods of time, in an attempt to guess user passwords.
Businesses can thwart these hacking attempts by implementing technology within their CIM that monitors for ATOs and steps up user authentication whenever they are detected. This can be done by setting thresholds for failed login attempts, then presenting CAPTCHA tests or sending one-time passwords to affected users ‒ based on their account email or IP address ‒ when those thresholds are crossed. Importantly, once a threshold is crossed on one site, stepped-up authentication should then occur on any other site that sees login attempts from the flagged email or IP addresses.
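The threshold-and-step-up logic described above, as an added example written for this page rather than taken from Gigya or any CIM product: it parses a constructed login log, counts failures per source IP and per account within a sliding window, and keeps one shared flag table so that a threshold crossed on one site forces stepped-up authentication for the same IP or account on any other site. The log line format, the threshold of five failures in five minutes, and the policy of CAPTCHA for a flagged IP versus a one-time password for a flagged account are all assumptions made for illustration.

```python
"""Threshold-based account-takeover (ATO) monitor with step-up authentication.

Added example, not Gigya's code. The log format, the thresholds and the
step-up policy are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed policy: FAIL_THRESHOLD or more failures from one IP, or against one
# account, inside WINDOW flags that IP / account.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Assumed log line shape (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) site=(?P<site>\S+) email=(?P<email>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one login log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


class AtoMonitor:
    """Counts failed logins per IP and per account in a sliding window.

    Flags live in one shared table, so a threshold crossed on one site
    triggers step-up authentication on every other site the monitor serves.
    """

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.flagged = {}                     # key -> site where it was first flagged

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def record(self, ev):
        """Ingest one login event; returns the set of keys newly flagged by it."""
        newly = set()
        if ev["result"] != "fail":
            return newly
        for key in ("ip:" + ev["ip"], "email:" + ev["email"].lower()):
            self._prune(key, ev["ts"])
            self.failures[key].append(ev["ts"])
            if len(self.failures[key]) >= self.threshold and key not in self.flagged:
                self.flagged[key] = ev["site"]
                newly.add(key)
        return newly

    def step_up(self, email, ip):
        """Decide which extra check a login attempt needs, on any site.

        Assumed policy: a flagged account gets a one-time password sent to its
        address; a flagged IP not tied to a flagged account gets a CAPTCHA.
        """
        if "email:" + email.lower() in self.flagged:
            return "otp"
        if "ip:" + ip in self.flagged:
            return "captcha"
        return "none"


# Constructed sample log: one IP spraying guesses at many accounts on shop.example,
# then a legitimate login from elsewhere.
SAMPLE_LOG = """
2016-12-20T10:00:01Z site=shop.example email=alice@example.com ip=203.0.113.7 result=fail
2016-12-20T10:00:02Z site=shop.example email=bob@example.com ip=203.0.113.7 result=fail
2016-12-20T10:00:03Z site=shop.example email=carol@example.com ip=203.0.113.7 result=fail
2016-12-20T10:00:04Z site=shop.example email=dave@example.com ip=203.0.113.7 result=fail
2016-12-20T10:00:05Z site=shop.example email=erin@example.com ip=203.0.113.7 result=fail
2016-12-20T10:00:30Z site=shop.example email=alice@example.com ip=198.51.100.9 result=ok
"""


def run_sample(monitor=None):
    """Feed the constructed log through a monitor and return the monitor."""
    monitor = monitor or AtoMonitor()
    for line in SAMPLE_LOG.strip().splitlines():
        ev = parse_line(line)
        if ev:
            monitor.record(ev)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    print(sorted(m.flagged))                               # -> ['ip:203.0.113.7']
    print(m.step_up("frank@example.com", "203.0.113.7"))   # -> 'captcha' (other site, same IP)
    print(m.step_up("alice@example.com", "198.51.100.9"))  # -> 'none'
```

Keying failures by both IP and account matters because the two attack shapes differ: credential spraying hits many accounts from one address, while a targeted guess hits one account from many addresses. Only the second should push a one-time password to the account holder, since the first would spam hundreds of uninvolved users.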
An all-too-familiar story
Data breaches such as the one suffered by Yahoo have become a recurring and all-too-familiar story of late, making it easy for our eyes to glaze over at the latest announcement of stolen customer credentials. Yet, the outcome for Yahoo could be disastrous. A pending acquisition of the company by Verizon Communications is thought to have been put at risk. The FBI is investigating. And a multitude of information security experts were quick to advise people to stop using services such as Yahoo Mail.
However, even the experts concede that whilst Yahoo could perhaps have done a better job of protecting customer data, there is no magic bullet when it comes to security, and it would be naive for an organisation to ever regard their infrastructure as completely impenetrable.
Protect from bad habits
Unfortunately, the user can often be the weakest link. A survey undertaken by Gigya revealed that some eight out of ten people use the same password across most sites. This is far from best practice, and it makes a user’s identity relatively easy to break into for bots that can run through thousands of password combinations in minutes. We should, therefore, be working hard as an industry to change user behaviour and break their reliance on password- and PIN-driven CIM. Businesses and consumers alike need to understand that old-school passwords and email logins just don’t cut it in today’s rapidly evolving tech world.
The cybercriminals have already realised the immense value of consumers’ online accounts, so now is the time to act. With massive losses possible for those that don’t, what can businesses do to protect customers from their own bad habits?
One approach is to insist on the use of multifactor authentication, where a customer needs to combine something they know (i.e. a password) with something they have (such as a token or mobile phone) or something they are (such as a fingerprint). The key is that these other factors aren’t reusable or replicable and can’t be pilfered on the internet.
Expect to see more of this type of authentication security, alongside the ATO countermeasures described above, in 2017. By combining innovative technologies with good old common sense, 2017 will see us working together to make our digital world a safer place.
The ripples of a breach
It’s too early to assess the financial cost to Yahoo post breach, but I shudder when I think about the ripples it will have sent through the one billion users who trusted Yahoo to keep their data secure.
More than anything else, a brand’s equity relies on trust. The issue of trust is so important because, in the online world, customers need to share their identity ‒ email addresses, personal preferences, credit card numbers, etc. ‒ to connect with the businesses that provide them goods and services. In doing so, they feel as though they are handing businesses the key to their kingdom. If customers can’t rely on a business to protect that personal and sensitive data, then the implicit trust that underpins brand equity is lost. In other words, identity is the currency of trust.
Trust is earned in drips and lost in buckets. As the Yahoo hack dramatically illustrates, every business that wants to build online relationships needs to make protecting customer identity a priority ‒ or risk doing untold damage to its brand equity.
Richard Lack, Managing Director, EMEA, Gigya