Yahoo established its formal bug bounty program nearly two years ago, and the company has paid out more than $1 million in rewards to researchers in that time. But security officials say the value the program has provided to the company has been just as great. Although Yahoo was among the latter wave of major […]
Tag Archives: Yahoo
Facebook Hires Ex-Yahoo CISO Alex Stamos
Facebook has hired away the top security executive at Yahoo, Alex Stamos, to become the company’s new CSO. Stamos said Wednesday that he is joining Facebook because he believes the company is in the best position to address some of the large security challenges facing users and companies right now. “There is no company in […]
How safe are one-time passwords?
Most people have dozens of passwords, for dozens of online accounts. At times it can be tricky to remember them all, as best practice says they should all be slightly different.
If you’re one of these many people, Yahoo’s recent announcement may get you excited. Earlier in March, Yahoo revealed an innovative idea that would mean we never have to remember a password again.
The concept is very simple. Once you select one-time passwords in your account settings, the next time you log in Yahoo will send a password to your phone via SMS, and you use that password to log in.
While this seems very convenient, is it secure?
Generally speaking, there are three types of authentication in use today:
- A: ID and password
- B: ID, password and a verification code (sent by SMS)
- C: Two-factor authentication using an ID, a password and another device that provides a unique password
The Yahoo solution seems to sit halfway between the least secure option, A, and option B.
Sending a password on demand to a device is a step in the right direction, but there may be other security risks involved when transmitting data over SMS and to a potentially unprotected device.
The phone may not have a passcode and could be infected with malware that reads the SMS. This could mean the email account and all the data inside gets compromised.
If you do want to enable one-time passwords, I would recommend you have both of these: a passcode and AVG AntiVirus for Android on the phone to keep yourself protected.
What would I do differently?
Using the mobile device to add another layer of security is a smart idea as most people have one. Most of us also use apps regularly and if you’re a Yahoo user then you probably have the Yahoo app.
I would change the delivery method of the password from SMS and instead deliver it, in an encrypted format, via Yahoo's own app.
On top of this, the Yahoo app should require the device to have PIN security whenever one-time passwords are enabled.
This would mean that an attacker would need the ID, the phone and the PIN in order to access the account. The app could even go further and check for the presence of an Anti-Virus product to ensure that it’s being scanned regularly.
It could be that there are currently technical limitations with one-time passwords, and that in the future we'll see a much more secure and comprehensive process.
My top advice right now, though, is that if you're going to use this service, be sure to have a security app and a PIN on your phone, so you can help ensure that the password is being sent to a secure device.
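The post argues about which channel the one-time password should travel over, but the server-side half of the scheme matters just as much: a code must only work once, only for a short time, and only for a few guesses. The following is an added example written for this page, not Yahoo's code or the actual Yahoo implementation; it assumes a pluggable delivery callback (where the SMS-versus-app choice the post discusses would be made), an injectable clock, and constructed values for the code length, lifetime and guess limit.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_LENGTH = 8          # digits in the delivered code (assumption; Yahoo's length is not stated)
CODE_TTL_SECONDS = 300   # code expires five minutes after issue (assumption)
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded (assumption)


@dataclass
class PendingCode:
    digest: bytes          # SHA-256 of the code; the plaintext is never kept server-side
    expires_at: float      # absolute time after which the code is rejected
    attempts: int = 0      # verification attempts consumed so far


class OneTimePasswordService:
    """Issues and verifies single-use login codes (hypothetical service, not Yahoo's).

    The plaintext code is handed to a delivery callback (an SMS gateway, a push
    to an authenticated app, ...) and only a hash is retained, so a leaked table
    yields nothing usable. Each code is valid once, for a limited time, and for
    a limited number of guesses.
    """

    def __init__(self, deliver: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._deliver = deliver
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id: str) -> None:
        """Generate a fresh code for user_id and hand it to the delivery channel."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # Re-issuing replaces any earlier code, so only one code is ever live per user.
        self._pending[user_id] = PendingCode(
            digest=self._hash(code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._deliver(user_id, code)

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True exactly once, for the correct and unexpired code."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user_id]      # expired: discard, caller must re-issue
            return False
        pending.attempts += 1
        if not hmac.compare_digest(pending.digest, self._hash(submitted)):
            if pending.attempts >= MAX_ATTEMPTS:
                del self._pending[user_id]  # too many guesses: discard the code
            return False
        del self._pending[user_id]          # correct: consume so it cannot be replayed
        return True


if __name__ == "__main__":
    # Stand-in delivery channel: a real deployment would call an SMS gateway
    # or push the code to the user's app here.
    def fake_sms(user_id: str, code: str) -> None:
        print(f"[constructed SMS to {user_id}] your login code is {code}")

    service = OneTimePasswordService(deliver=fake_sms)
    service.issue("alice@example.com")
```

The delivery callback is the only place the channel appears, which is what makes the post's proposal (encrypted delivery inside the app instead of SMS) a drop-in change: the single-use, expiry and attempt-limit properties are enforced server-side regardless of how the code reaches the phone.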
Follow me on Twitter @tonyatavg
U.S. Government Requests for Yahoo User Data Drop
Yahoo received nearly 5,000 requests for user data from the United States government in the last six months of 2014 and disclosed some content in nearly 25 percent of those cases. The company said in its new transparency report that it received between 0-999 National Security Letters from the U.S. government, too. The latest report from […]
Yahoo Previews End-To-End Email Encryption Plug-In
Yahoo CISO Alex Stamos said a preview of the company’s end to end encryption plugin has been released to GitHub for review.
Researcher: ‘Lax’ Crossdomain Policy Puts Yahoo Mail At Risk
A security researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that puts email content and contacts at risk.
Yahoo Plans to Disclose All New Bugs It Finds Within 90 Days
Yahoo officials say that the company will disclose any new vulnerabilities that the company’s security team finds within 90 days of discovery. The new policy is the same one used by Google’s Project Zero, a team of researchers that looks for vulnerabilities in a variety of commonly used software packages and platforms. That team has […]
Facebook, Yahoo Curb Identity Theft with New Email Ownership Header
A new SMTP header developed by Facebook and Yahoo confirms ownership of Yahoo email accounts.
Yahoo told to “pull your pants up” after Shellshock hack claims
Yesterday, security researcher Jonathan Hall, of a company called Future South Technologies, accused Yahoo of having suffered a serious security breach via the recently discovered Shellshock vulnerability in Bash.
The post Yahoo told to “pull your pants up” after Shellshock hack claims appeared first on We Live Security.
Yahoo Confirms Infected Servers Unrelated to Shellshock
Yahoo CISO Alex Stamos confirmed that three servers had been infected with malware by hackers looking for machines vulnerable to Shellshock.