Late last year on the eve of a $4.8B sale to Verizon, Yahoo announced that its servers had been breached yet again to the tune of one billion compromised accounts, double that of the hack announced just three months earlier. The day after the announcement, Bloomberg reported that Verizon’s legal team was “working toward either killing the deal or renegotiating the Yahoo purchase at a lower price.” Months later, the deal is still on, but Yahoo faces an SEC probe.
While it may be tempting to look at this story, draw the simple conclusion that weak security can affect your company’s value, and move on from there, the true implication is much larger. Passwords are not enough when it comes to security and, as a result of massive hacks such as this, any company using single factor authentication is risking its bottom line.
Factors of Authentication
Before we go any further, we should take a brief look at the basics of authentication. Authentication can be broken down into three basic factors: knowledge, possession and inherence. In other words, in order to gain access to a system, a user needs to provide either something they know (a password), something they possess (a smartphone) or something they are (a fingerprint).
Single factor authentication, as was used by Yahoo, requires just one of these and provides a single point of failure. Multi-factor authentication, however, requires two or more factors and can greatly increase the security of a service. The most common form of multi-factor authentication requires a user to first provide a password and then verify their intention to authenticate using their smartphone. If one of these factors cannot be verified, access is not granted.
Yahoo’s Single Factor Failure
The example set by Yahoo is one of a company desperately looking to modernize, but doing so at the peril of other aspects of its business, namely security. Whereas companies such as Google began offering multi-factor authentication as early as 2011, Yahoo failed to offer multi-factor authentication until March of 2016. Previously, the company relied solely upon passwords and security questions—both a form of knowledge factor.
In the security world, the trade-off between ease-of-use and security is a well-known axiom. In the case of Yahoo, it appears that security was forgone in lieu of ease-of-use. Anything that could potentially drive more users away, such as a more complicated log-in procedure, was avoided.
When we look at the details of the hack, we can see the hazards of relying upon single factor authentication. Hackers figured out that cookies—small text files stored on the user side—signaled to Yahoo servers whether or not a user had been authenticated. The hackers then forged these authenticated cookies and gained easy access. The company’s neglect for improving security (they still used an MD5 hash to store passwords well into 2013, despite the fact that this has been proven to be weak) leaves them selling to Verizon for a fraction of their previous value. After all, user account data is worth much less if it is no longer secure.
The Ripple Effect
In terms of the sheer number of accounts compromised, the Yahoo hack, shortly behind River City, not only dwarves other hacks, it greatly contributes to an environment where the password is less secure than before. These hacks put an exclamation point on the end of the declaration that passwords just aren’t enough anymore!
The basic problem for passwords lies in user behavior—even recent surveys show that, while 91 percent of people say they know that reusing passwords is risky, more than 60 percent still reuse them. Furthermore, many people use significant dates and information that can be easily gleaned in our modern era of social media and online transparency. Whereas once upon a time, backup security questions (such as your city of birth or the name of your first niece) may have offered an extra level of security, they do little to secure modern accounts. And now, with billions of these passwords and security questions widely available to hackers, the password is less valuable and more vulnerable than ever before.
Moving Into Multi-Factor Authentication and Beyond
For the majority of modern online services, we’ve barely scratched the surface of online security. Even services like Google, which act as the center of billions of online identities, do not make two-factor authentication a base requirement. It is worth noting that there are plenty of low security use cases where it is a citizen’s right to favor convenience over security. Though it may be too late for some of these Internet giants to change their model, we need to move as quickly as we can to a future where we use more convenient authentication techniques—based on context—periodically throughout an engagement, instead of a one size fits all model to create an adaptive authentication approach based on the risk profile of any access request.
[su_box title=”About Ethan Ayer” style=”noise” box_color=”#336588″][short_info id=’101539′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.