By Kyle Kilcoyne • December 21, 2016

Yahoo! Identities Are Now Being Sold to Criminals

Reports surfaced this week that stolen data from Yahoo’s billion-plus account hack in 2014 (originally reported by the company as 500 million in September) had been sold for $300,000 and that those identities are now turning up for sale on the dark web.

 

Should consumers be alarmed?

Consumers should definitely be made aware of these practices. That's a difficult ask when their favorite online stores and apps continue to trust outdated security methods. The fact that leading organizations like Yahoo continue to solicit personal customer knowledge for account security purposes (an early security method known as knowledge-based authentication, or KBA) is very troubling. These methods are unsafe and create honeypots of personally identifiable information (PII) that are susceptible to outside attackers.

What has been consistent across attacks on high-value targets is the intent to expose sensitive user information such as encrypted passwords, unencrypted security questions, phone numbers, names and just about all the information the user has ever shared with the organization.

 

What's the solution?

With surging demand for stolen identities, organizations must evolve beyond KBA and simple two-factor authentication technologies like one-time passwords in instances of elevated risk. For starters, they should run from identity processes that involve in-house storage of sensitive user data and weak encryption standards, and move towards higher-grade security models - such as biometrics and forensics - which yield greater overall data security and identity confidence.

For example, Confirm.io establishes factual data not through something the customer knows but rather through something the customer possesses (a driver's license or passport). This approach does not require anyone to hold a bank of security answers; instead, it uses document authentication to uncover instances of fraud and to create a link between the document and the assumed identity.

MorphoTrust USA, which powers Confirm's facial recognition technologies and the likes of US Customs and Border Patrol, trusts the use of biometrics in government applications and anticipates heavy adoption and growth in the consumer channels as well. These technologies, combined with an intelligent approach to privacy's role in identity, will shape the future of identity verification.