It was the biggest data breach in history and tech giant Yahoo is paying a heavy price for failing to protect the account details of an estimated 500 million customers. Apart from the reputational damage caused by the revelation, the sale of Yahoo’s core Internet assets to telecoms company Verizon has suffered too, with the asking price being slashed by £1bn.
But of course, Yahoo’s troubles are only the latest in a sorry string of data breaches suffered by online companies. And what they all reveal is that hackers are able to make use of any piece of secret information they can find.
Even if the criminals can’t get at credit card details of users (which they couldn’t at Yahoo), they can still inflict damage by knowing just a password. The password allows them into the breached account, of course, but since users tend to re-use passwords across multiple websites, the dedicated hacker can usually gain access to several of that user’s other accounts.
So why do online companies of the 21st century still rely almost solely on usernames and passwords to authenticate users? It’s probably a mix of laziness and fear that users will be put off by heavy-handed security.
And yet, a simple solution exists that could stop the hackers in their stride. If new users were to supply their mobile phone number when they register for a new website, then whenever they log on, they could just receive a simple message to ensure they are the person logging on.
This text message could come in the form of a six-digit code that they enter into their terminal to complete their login. Or it could just be a message saying “Someone is asking to use your account – is that you?” The user just hits “Accept” to gain access, or “Deny” if they’re nowhere near a terminal and their details have been stolen.
A simple text message supplies a second layer of security, based on “something you have” (the phone), as well as “something you know” (the password), and basically prevents anyone breaking into an account with a stolen password.
Fortunately, SecurEnvoy provides the software and infrastructure for such a security system to be implemented and managed with virtually no management overhead. Its products are designed to deliver high levels of security, while also being very simple for users to handle.