Analyzing the Yahoo! Breach

This is one Yahoo! service that Verizon definitely didn’t bargain for in its planned $4.8 billion acquisition of struggling Internet giant. You can pick from the 450,000 Yahoo Voices accounts compromised in 2012, 22,000,000 Yahoo Japan logins lost in 2013, or 500,000,000 user accounts breached in 2014 – all brought to you by Yahoo! Password Distribution Network (PDN)..

When does the data breach go beyond a single organization issue and become a national security issue? OPM breach sure qualifies because of the nature of the data compromised. Does Yahoo qualify because of the sheer volume - half a billion accounts? When is the company too big to be breached?

As we in the user behavior analytics space well know, having multiple angles at the user identity, or multiple dimensions of user data, qualitatively changes our knowledge of user identity and behavior - it's like moving from black-and-white TV screen to 3D IMAX experience. A combination of data from somewhat orthogonal slices of life, like OPM, Anthem, United Airlines and Yahoo, allows a savvy attacker to build a pretty complete profile of the target for further exploitation.

The hacker known as "Peace", who offered 200 million Yahoo accounts for 3 bitcoins back in August, might be just Yahoo's (and Yahoo users) problem, but 500 million Yahoo accounts correlated with a wealth of information stolen earlier is a priceless treasure for a nation-state. From the user perspective, the biggest problem is unencrypted security questions/answers lost in this breach: while you can easily change that constantly compromised password, how many favorite pets can you possibly have? From the national security perspective, the problem is much bigger: how to preserve security in the digital world when the attacker has as much identity verification data as the user itself?

Registration, or enrollment, and password resets are the most vulnerable steps in any authentication scheme. Both rely on some extra information provided by the user, be it previously established security challenge questions and answers or some data that can be verified by the third party, like credit bureau. The problem is that most of this information is either static or doesn’t change often, and considering that all three credit bureaus have acknowledged breaches too, can be successfully used by attackers for years to come.

Out-of-band authentication – text message or a call to confirm the transaction - was one bright spot in the fight against fraudsters, until the mobile came along. Conducting online banking on the same mobile device that is used for transaction confirmation or identity verification takes the “out” out: now the attacker who has access to the mobile device controls both channels: transaction initiation and confirmation.

What’s a poor girl to do? Behavioral analytics is one technology that security-conscious organizations turn to for preventing unauthorized access and detecting compromised accounts. Constantly monitoring multiple channels for any anomalies and correlating these changes with peer behavior and patterns of life, this technology is becoming exceedingly adept at detecting malicious activities missed by traditional signature-based controls.