
Yahoo breach news is shocking but not surprising - what to do now?

28 Sep 2016

The 2014 compromise of half a billion user records at Yahoo! by a state-sponsored actor is shocking but not surprising. For years we have been reporting what our clients tell us, namely that:

·       More American identities have been compromised than have not (see The Global Identity Dilemma: Static Biometrics are NOT the answer).

·       State-sponsored actors are buying up enormous amounts of stolen identity and account data for intelligence purposes (see Where has all the Stolen Data Gone), in order to steal information and assets from companies in the U.S. and across the globe.

·       Fraudsters use stolen credentials and data to take over accounts at online service providers in widespread and hard-to-detect 'credential stuffing' attacks (see Where have all our passwords gone).

Identity Proofing Solutions

Identity proofing is clearly a top global fraud issue. What can organisations that need to prove electronic identities do to overcome it?

In our last blog, we summarised our bottom-line recommendation that organisations REDUCE reliance on STATIC data, such as the data compromised in the Yahoo! breach, and instead INCREASE their reliance on DYNAMIC information. (See The Global Identity Dilemma: Static Biometrics are NOT the answer ).

Here we present a four-layer identity proofing approach (see Absolute Identity Proofing is Dead; Use Dynamic Identity Assessment) that outlines the types of measures that should be implemented to achieve high confidence in user identities. These measures should be applied to every risky transaction: new account creation, login, changes to profile data (e.g. address, phone number), and financial transactions such as purchases, money transfers, use of stored value in loyalty programs and other electronic wallets, and more.

User authentication is no longer a binary yes/no process. The days of confidently verifying an identity based on a password, or even a static biometric, are over. A continuous, layered identity proofing approach must be used because static credentials can be, and have been, compromised and accounts taken over.

Out of band push notification – not a panacea either

Several seasoned fraud managers I speak with are turning to out-of-band push notifications on mobile phones in order to confidently authenticate a user (alongside a layered identity proofing approach). This provides a strong second authentication factor, since they plan to verify that the phone belongs to the legitimate user through 'device binding' during user enrollment. This sounds like the strongest user authentication method around, especially if it also includes the use of dynamic biometrics on top of the push notification app.

But even this method is bound to be circumvented one day, not least when fraudsters socially engineer a consumer into approving a push notification for a fraudulent transaction that the fraudster is conducting surreptitiously against the consumer's own account.
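As an added illustration of the layered, non-binary approach described above (this is not Gartner's or the author's code; the signal names, weights, thresholds and sample users are hypothetical and constructed for the example), the following Python sketch scores a transaction from dynamic signals rather than from a static credential, steps up authentication when the score warrants it, and refuses to honour a push approval whose origin disagrees with the session it is supposedly approving, which is the social-engineering pattern just described:

```python
"""
Illustrative continuous risk assessment for a single transaction.
Added example: signal names, weights and thresholds are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Transaction:
    user_id: str
    kind: str                      # "login", "profile_change", "transfer", ...
    device_id: str                 # fingerprint of the device driving the session
    ip_country: str                # geolocated country of the session IP
    amount: float = 0.0
    approval_device_id: Optional[str] = None  # device that approved the push, if any
    approval_country: Optional[str] = None    # where that approval came from


@dataclass
class UserProfile:
    bound_devices: Set[str]        # devices bound to the user at enrollment
    usual_countries: Set[str]      # countries seen in the user's normal history
    failed_logins_last_hour: int = 0
    credentials_in_breach: bool = False  # password seen in a public dump


HIGH_RISK_KINDS = {"profile_change", "transfer", "stored_value_spend"}
STEP_UP_AT, DENY_AT = 30, 75      # hypothetical thresholds


def risk_score(tx: Transaction, profile: UserProfile) -> Tuple[int, List[str]]:
    """Accumulate risk from dynamic context; the static credential is not trusted."""
    score, reasons = 0, []
    if tx.device_id not in profile.bound_devices:
        score += 30; reasons.append("session device not bound to user")
    if tx.ip_country not in profile.usual_countries:
        score += 25; reasons.append("session from unusual country")
    if profile.failed_logins_last_hour >= 5:
        score += 20; reasons.append("failed-login burst (credential-stuffing pattern)")
    if profile.credentials_in_breach:
        score += 15; reasons.append("credentials present in a known breach dump")
    if tx.kind in HIGH_RISK_KINDS:
        score += 15; reasons.append("high-risk transaction type")
    if tx.amount >= 1000:
        score += 10; reasons.append("large amount")
    return score, reasons


def decide(tx: Transaction, profile: UserProfile) -> Tuple[str, int, List[str]]:
    """Three outcomes, not two: allow, step_up, or deny."""
    score, reasons = risk_score(tx, profile)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


def approval_is_trustworthy(tx: Transaction, profile: UserProfile) -> Tuple[bool, str]:
    """Vet a push approval before honouring it as the step-up factor.

    A bound phone that approves a session running from an unbound device in a
    different country is the shape of a socially engineered approval: the
    legitimate user is confirming someone else's transaction.
    """
    if tx.approval_device_id is None:
        return False, "no approval received"
    if tx.approval_device_id not in profile.bound_devices:
        return False, "approval from a device not bound at enrollment"
    if tx.device_id not in profile.bound_devices and tx.approval_country != tx.ip_country:
        return False, "bound phone approved a session running elsewhere: possible social engineering"
    return True, "approval consistent with session"


def process(tx: Transaction, profile: UserProfile) -> str:
    """Final outcome after combining the risk decision with any push approval."""
    outcome, _, _ = decide(tx, profile)
    if outcome != "step_up":
        return outcome
    ok, _ = approval_is_trustworthy(tx, profile)
    if tx.approval_device_id is None:
        return "step_up_pending"
    return "allow" if ok else "deny"


# Constructed sample data for the example (not real users or events).
PROFILE = UserProfile(bound_devices={"phone-A"}, usual_countries={"NZ"})
STUFFED_PROFILE = UserProfile(bound_devices={"phone-A"}, usual_countries={"NZ"},
                              failed_logins_last_hour=7, credentials_in_breach=True)
NORMAL_LOGIN = Transaction("u1", "login", "phone-A", "NZ")
STUFFING_LOGIN = Transaction("u1", "login", "laptop-Z", "RU")
SOCIAL_ENG_TRANSFER = Transaction("u1", "transfer", "laptop-Z", "RO", amount=500.0,
                                  approval_device_id="phone-A", approval_country="NZ")

if __name__ == "__main__":
    for name, tx, prof in [("normal login", NORMAL_LOGIN, PROFILE),
                           ("stuffing login", STUFFING_LOGIN, STUFFED_PROFILE),
                           ("social-engineered transfer", SOCIAL_ENG_TRANSFER, PROFILE)]:
        print(name, decide(tx, prof), "->", process(tx, prof))
```

The point of the third scenario is the caveat in the paragraph above: the push approval is genuine and comes from the correctly bound phone, yet it should not be honoured on its own, because the dynamic context (session device, session geography) disagrees with where the approval came from. The weights are placeholders; a real deployment tunes them against its own fraud history.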

There’s no getting around defense in depth and a layered continuous identity proofing approach. That job is getting harder by the day, as more and more stolen identity-related records sit around in criminal databases, just waiting to be sold and used. The only comfort I get personally is in the law of statistical averages. I just keep hoping the criminals won’t have enough time to get around to using my identity. Famous last words…

Article by Avivah Litan, analyst at Gartner
