Seven Ways Yahoo's 500M-User Data Breach Affects Banks

Editor at Large

The good news for the financial services industry is that the massive data breach Yahoo revealed Thursday didn't compromise any bank account or payment card data, according to the company.

The bad news is that the names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted and unencrypted security questions and answers of 500 million Yahoo users — some large percentage of them bank customers — were stolen in late 2014. If it hasn't been already, that information could be used to harm banks and their customers.

This may be the biggest data breach in the world, ever. For banks, it's the latest in a string of data thefts that put their customers' most important person information out on the Internet for hackers to grab and use as they will. And it's one more reason for banks to deploy multifactor authentication, to prevent Yahoo's hackers from breaking into their servers, and it's yet one more security concern to educate customers and employees about.

Following are seven ways the Yahoo data indirectly affects banks:

1. Phishing. Fraudsters who can create a reasonable semblance of the Yahoo logo should be able to fool flummoxed Yahoo users with realistic-looking emails that appear to be from the company. The emails would tell users to reset their passwords and get them to click on a malicious website that could then download a banking Trojan or other malware. Such sites might also trick users into giving up an online banking password. Clever phishers are sure to come up with many variations on this theme.

"I think users have gotten smarter about that, but phishing could be used to socially engineer consumers to give information away," said Avivah Litan, vice president at Gartner.

2. New-account fraud. Hackers could use the stolen personal information to create new bank or payment accounts. This is the most dangerous scenario, in Litan's view.

"No bank is going to open an account with just an email address and phone number, but it's all used together — the criminals have all these databases on the dark web for sale … the data goes into those databases and contributes to identity compromise," she said. "You can't rely on static data for identity proofing. It's the biggest issue we get calls on. You can't rely on this data to open accounts and verify new customers."

3. Knowledge-based authentication break-ins. Many banks still use knowledge-based authentication — also kown as challenge or security questions — on their websites, in their mobile apps and in their call centers to help customers who have forgotten their passwords access their accounts. The hackers who stole Yahoo customers' security answers (mother's maiden name, name of first pet, etc.) could use them to social-engineer their way into the customers' bank accounts.

"When you get a half a billion accounts with those KBA questions, even if they're not the best questions in the world, they're likely to be used by other companies, too," Litan noted. "There's a limit to how many questions you can come up with. You only have one first car."

4. Password hacks. Hackers could theoretically access the online banking accounts of consumers whose Yahoo password is the same as their online banking password.

The risk may be remote, since Yahoo said only encrypted passwords were compromised in its breach. Still, depending on the strength of the encryption, passwords can be decrypted with easily obtained open-source tools, said Joram Borenstein, vice president of marketing at NICE Actimize. The hackers have had two years to try out different methods of decryption on the bcrypt hashing algorithm Yahoo uses. However, Borenstein acknowledged this would require a lot of effort.

Given the use of bcrypt, the only way for the attacker to successfully obtain the original password is through brute-force guessing, said Brett McDowell, executive director of the FIDO Alliance, a group that created and promotes the FIDO authentication standards. "This is computationally feasible, especially if people are using simple passwords," he said. "But if users are using a randomly generated password, like one suggested from a password manager, or a highly complex password, it's unlikely the attacker will be able to attain the original password."

And in this case the guessers would be armed with two clues: the knowledge that the person is a Yahoo customer and the person's name and email address, which is probably their user name.

5. Yahoo email listening. The fact that since late 2014 hackers have had the ability to easily read Yahoo users' emails, including messages to and from their banks, creates vulnerabilities, according to Mary Ann Miller, senior director and fraud executive advisor at Nice Actimize.

"Lots of sensitive information is shared via email," she said. "This is certainly true in a home purchase and mortgage transaction."

Some hackers have been reading people's emails at title companies, so they know exactly when there's a mortgage closing, Litan noted. During the closing, they'll call and pretend to be the seller or the buyer and say the money has to go into a different account. "These are huge amounts of money, a half million dollars can turn up in the wrong account," she said.

This method could also be used in business email scams. "Reading people's emails is the new way to get money," Litan said.

6. General identity theft. An unknown number of hackers have customers' names, email addresses, telephone numbers, dates of birth, and, in some cases, encrypted and unencrypted security questions and answers. These could be used for various types of fraud that could affect banks, including IRS fraud.

7. Old fraud cases may need to be reviewed. "The fact that this breach happened so long ago makes life extraordinarily difficult for banks," Borenstein said. "It is advisable that bank security teams go back and review account takeovers and fraudulent account openings from the past year and a half to determine if perhaps this new data breach can solve some of those cases."

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Bank technology Data breaches Cyber security
MORE FROM AMERICAN BANKER