Yahoo! Breach! Yowza!

Posted December 15, 2016


For anyone following the string of corporate data breaches over the past several years, the Yahoo breach barely raises an eyebrow.  It is interesting that this latest breach announcement regarding the theft of 1 billion account records comes only three months after Yahoo announced the breach of 500 million account records.  The two breaches appear to be separate instances.  Yowza!

This latest breach is another clear illustration that even the most sophisticated technology company cannot prevent these large-scale breaches. It’s also clear that these massive breaches of consumer information will continue and the amount of personal data available to cybercriminals is simply unfathomable.

Both Yahoo hacks reportedly exposed names, email addresses, phone numbers, birthdates, security questions and answers (potentially unencrypted) and passwords hashed with the outdated MD5 algorithm.  Yahoo “thinks” bank account information and payment card data were not affected.  Combine the Yahoo breached records with data from other massive breaches (as cybercriminals reportedly do) and it’s easy to see how comprehensive identity profiles can be stitched together.  We also know that users regularly reuse passwords across multiple accounts.  Again, the risk associated with breached consumer data is profound.
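To make the point about "outdated MD5" concrete, here is an added example (not code from the original post, and not Yahoo's or ThreatMetrix's implementation). It contrasts an unsalted MD5 credential record with a salted, iterated PBKDF2-HMAC-SHA256 record, and shows the defensive pattern a site should apply when it still holds legacy hashes: detect them and transparently upgrade the record the next time the user logs in successfully. The storage format, iteration count and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Assumed policy values for this example (not taken from the post).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def legacy_md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the post calls outdated.

    It is fast and deterministic with no salt, so two users with the same
    password produce the same digest and a dumped table of digests can be
    checked against precomputed or brute-forced candidates at very high rates.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as a self-describing record.

    Record layout (assumed): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    Keeping the parameters in the record lets the iteration count be raised
    later without invalidating existing credentials.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify a candidate password against a PBKDF2 record in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or non-PBKDF2 record
    if scheme != "pbkdf2_sha256" or not iterations.isdigit():
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str) -> bool:
    """True for a bare MD5 record or a PBKDF2 record below the current policy."""
    if _MD5_HEX.match(stored):
        return True
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < PBKDF2_ITERATIONS


def upgrade_on_login(password: str, stored: str) -> Tuple[bool, str]:
    """Authenticate against either record format.

    Returns (ok, record). When the login succeeds and the record is legacy
    or under-parameterised, the returned record is a fresh PBKDF2 record
    that should replace the stored one. The plaintext is only available at
    login time, which is why migration happens here rather than in a batch.
    """
    if _MD5_HEX.match(stored):
        ok = hmac.compare_digest(legacy_md5_hash(password), stored)
    else:
        ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        return True, hash_password(password)
    return ok, stored


if __name__ == "__main__":
    # Constructed sample: two users who reused the same password.
    alice_legacy = legacy_md5_hash("correct horse")
    bob_legacy = legacy_md5_hash("correct horse")
    print("legacy digests identical:", alice_legacy == bob_legacy)
    print("salted digests identical:", hash_password("correct horse") == hash_password("correct horse"))
    ok, record = upgrade_on_login("correct horse", alice_legacy)
    print("login ok:", ok, "| migrated to PBKDF2:", record.startswith("pbkdf2_sha256$"))
```

The lesson for a breached data set is the first print line: with unsalted MD5, password reuse is visible directly in the dump, and every account sharing a digest falls together once one guess matches. The salted records differ even for identical passwords and each costs hundreds of thousands of iterations to test.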

What now?  What do we do in the face of billions upon billions of consumer records now available to cybercriminals?  We must continue to shore up defenses to prevent future breaches.  More importantly, we must be able to detect when breached data is being fraudulently used.

Years ago, I advised financial institutions to design fraud protection systems under the assumption that their customers’ usernames and passwords have been compromised.  Today, institutions must assume that virtually every piece of their customers’ identity data has been compromised.  While this may sound like a no-win situation, there is an answer.

The data compromised in these massive corporate breaches contain static identity data.  Static identity data generally does not change.  Once it’s gone, it’s gone.  Static data can be changed with varying levels of nuisance (think of changing one’s social security number vs. a password), but will not change unless the owner intentionally acts.  Inertia is tough to overcome.

Fortunately, dynamic identity intelligence, the real-time data gathered from current and historical transactions, can be combined with static data to provide more accurate validation of a user’s identity.  Dynamic identity intelligence includes, but is not limited to, the analysis of multiple layers of information gleaned from the user’s device, location, behavior, account, and provided identity data.  This multi-layered data is continuously analyzed and compared against historical user information to ascertain the veracity of the user and transaction. Better yet, this dynamic identity intelligence can be shared and compared across providers, across industries, around the globe to create a unique digital footprint for every digital user that is almost impossible to impersonate.
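The paragraph above describes layered comparison of a current event against a user's history. As an added illustration (not part of the original post and not ThreatMetrix's scoring logic), here is a small risk scorer built on that idea: the static identity data is treated as already compromised and contributes nothing, while the dynamic layers (device, location, time-of-day behavior, transaction size) and a cross-provider device reputation list each add to a score that drives allow / step-up / deny. The layer weights, thresholds, field names and the sample profile are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Set, Tuple


@dataclass
class UserProfile:
    """Historical identity intelligence for one user (constructed sample data)."""
    user_id: str
    known_device_ids: Set[str]
    usual_countries: Set[str]
    usual_login_hours_utc: Set[int]   # hours of day this user normally logs in
    typical_amount: float             # median historical transaction amount


@dataclass
class Event:
    """One current login or transaction, with the dynamic layers the post lists."""
    user_id: str
    device_id: str
    country: str
    timestamp: datetime
    amount: float
    static_identity_matches: bool     # name, DOB, etc. matched; assumed breached


# Assumed layer weights and decision thresholds for this example.
WEIGHTS = {
    "unknown_device": 40,
    "unusual_country": 30,
    "unusual_hour": 15,
    "amount_outlier": 25,
    "device_flagged_elsewhere": 50,
}
DENY_AT = 70
STEP_UP_AT = 40
AMOUNT_OUTLIER_FACTOR = 5.0


def score_event(
    event: Event,
    profile: UserProfile,
    shared_flagged_devices: FrozenSet[str] = frozenset(),
) -> Tuple[int, List[str]]:
    """Compare each dynamic layer of the event against the user's history.

    Returns (risk_score, reasons). Note that event.static_identity_matches is
    deliberately ignored: a correct name and birthdate prove nothing once that
    data is in a breach dump. shared_flagged_devices models intelligence shared
    across providers, as the post suggests.
    """
    score = 0
    reasons: List[str] = []
    if event.device_id not in profile.known_device_ids:
        score += WEIGHTS["unknown_device"]
        reasons.append("device not previously seen for this user")
    if event.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append(f"location {event.country} outside usual countries")
    if event.timestamp.astimezone(timezone.utc).hour not in profile.usual_login_hours_utc:
        score += WEIGHTS["unusual_hour"]
        reasons.append("activity outside the user's usual hours")
    if profile.typical_amount > 0 and event.amount > AMOUNT_OUTLIER_FACTOR * profile.typical_amount:
        score += WEIGHTS["amount_outlier"]
        reasons.append("amount far above the user's typical value")
    if event.device_id in shared_flagged_devices:
        score += WEIGHTS["device_flagged_elsewhere"]
        reasons.append("device flagged by another provider")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: deny, require step-up verification, or allow."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample history and two events against it.
    profile = UserProfile("u-1001", {"dev-A"}, {"US"}, set(range(8, 23)), 60.0)
    routine = Event("u-1001", "dev-A", "US",
                    datetime(2016, 12, 15, 14, 0, tzinfo=timezone.utc), 45.0, True)
    suspicious = Event("u-1001", "dev-Z", "DE",
                       datetime(2016, 12, 15, 3, 0, tzinfo=timezone.utc), 900.0, True)
    for ev in (routine, suspicious):
        s, why = score_event(ev, profile, frozenset({"dev-Z"}))
        print(ev.device_id, s, decide(s), why)
```

Both sample events carry `static_identity_matches=True`, which is exactly the situation the post describes: the attacker holds a complete static profile. Only the dynamic layers separate the routine login (score 0, allow) from the suspicious one, which accumulates points from every layer and is denied.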

Cybercriminals may have won the battle over static data, but we can still win the war on fraud using dynamic identity intelligence.

George Tubin


Sr. Director Product Strategy & Innovation, ThreatMetrix
