Thursday, October 5, 2017

Enable two-factor on your Yahoo account... if you can

Yahoo! accounts have very different security options depending on their origin.
Unless you've been living under a rock, you know by now that Yahoo! suffered a massive data breach in 2013. The number of accounts reportedly affected changed a number of times, until this week, when it announced that every single account had been compromised. All 3 billion of them.

Zack Whittaker, security editor for ZDNet, had this to say:

Secure your Yahoo account with 2FA, but do not delete it. Deleting it will recycle your account after 30 days — and anyone can hijack it.

That's good advice - if you can. Many cannot.

In 2002, Yahoo! and regional telecom company SBC launched a co-branded dial-up Internet service, and later added DSL as an early broadband offering. Three years later, SBC Communications bought AT&T, introducing a tangle of AT&T, SBC Global, and Yahoo! user IDs and email addresses.

Customers at the time were urged to merge their Yahoo!, AT&T, and sbcglobal.net accounts. Those long-time customers have since endured over a decade and a half in the forgotten hinterlands of Yahoo!.

To Zack's point, deleting a long-standing Yahoo! account is an easy knee-jerk reaction, but probably not the best of ideas. Email is often the back door to recovering access to everything else; if your Yahoo! account was ever added as the recovery account for a now-long-forgotten service, and you were to delete your Yahoo! account, 30 days from now anyone could recreate an account with the same email alias, and gain access to your forgotten services.

For a Yahoo! account created after the SBC/AT&T debacle, establishing two-factor authentication is a straightforward process: from the user profile icon, select "Account info."


Select the Account Security tab, and flip the toggle switch to enable Two-step verification:


Then provide a phone number to receive an extra password by SMS (text message). Those who have followed me for long know that I am not a fan of SMS-based two-factor, because it is becoming easier for malicious actors to intercept an SMS code. Ideally, you want the additional factor to be an authenticator app such as Duo or Google Authenticator, or a physical device such as a Yubikey or an RSA token. If SMS is all that a service offers, though, it is still nominally better than a password alone.


So, about those merged AT&T/Yahoo! accounts


The Account Security tab for merged accounts looks just a bit different:


Conspicuously missing is, well, anything other than the option to change your password.

Those of us who ever had broadband Internet service through SBC Communications are completely out of luck.


OK, so now what?


My recommendations are:

  • Whether you have a native Yahoo! account or a merged Yahoo!/AT&T account (even a dormant one), don't delete it. Set your password to the strongest you can get away with. Alas, AT&T limits passwords to 24 characters and allows only hyphen and underscore as special characters; if you violate these restrictions, it informs you of only one error at a time. Yahoo! native accounts, in my limited testing, do not limit password length or character choice.
  • If you have a Yahoo! native account, set up two-step verification, as described above.
  • If you have a merged account and cannot enable two-step verification, DON'T use that account as the email recovery for anything else. If your online banking or social media are protected by strong two-factor authentication but use a weak Yahoo! account as their backup, anyone who can phish your Yahoo! account password can gain full control over your bank accounts or your social media accounts. Your best bet is a new email account from a provider with strong security controls.
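As an added illustration (not code from the post or from AT&T/Yahoo!), the snippet below encodes the AT&T password constraints exactly as the first recommendation describes them (24-character cap, only hyphen and underscore as specials), reports every violation at once rather than one per attempt, and generates a random password at the maximum strength that policy allows; the constraint values are taken from the text above and should be checked against the live form before relying on them.

```python
import math
import secrets
import string

# AT&T constraints as the post describes them (assumed from the text, not verified
# against AT&T's current form): 24 characters max, specials limited to - and _.
ATT_MAX_LEN = 24
ATT_ALLOWED_SPECIALS = "-_"
ATT_ALPHABET = string.ascii_letters + string.digits + ATT_ALLOWED_SPECIALS


def att_policy_violations(password: str) -> list:
    """Return every policy violation in one pass (AT&T reports only one per attempt)."""
    problems = []
    if len(password) > ATT_MAX_LEN:
        problems.append(f"too long: {len(password)} > {ATT_MAX_LEN}")
    bad = sorted({c for c in password if c not in ATT_ALPHABET})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet size."""
    return length * math.log2(alphabet_size)


def strongest_att_password(length: int = ATT_MAX_LEN) -> str:
    """Generate a uniformly random password at the longest length the policy accepts."""
    if length > ATT_MAX_LEN:
        raise ValueError(f"length {length} exceeds the {ATT_MAX_LEN}-character cap")
    # secrets, not random: cryptographically secure choice for each character.
    return "".join(secrets.choice(ATT_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    pw = strongest_att_password()
    print(pw, "violations:", att_policy_violations(pw))
    # Compare the best AT&T allows with a longer password from full printable ASCII.
    print(f"{entropy_bits(ATT_MAX_LEN, len(ATT_ALPHABET)):.1f} bits at the AT&T cap")
    print(f"{entropy_bits(40, 95):.1f} bits for 40 chars of printable ASCII")
```

The entropy comparison makes the cost of the restriction concrete: 24 characters from a 64-symbol alphabet tops out at 144 bits, which is still far beyond brute force but well short of what an unrestricted provider permits.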

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen


Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.