Comments on: Mail security tips
http://ycorpblog.com/2008/09/17/mail-security-tips/
Feed last updated: Thu, 18 Mar 2010 22:24:52 +0000

By: Kate (Thu, 23 Jul 2009 02:15:29 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-224859

drop by, nice blog.
By: Jeff Atkinson (Mon, 22 Sep 2008 11:56:12 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158742

Becauseyouspam, it sounds like you don’t understand fully how strong multi-factor authentication systems work. They operate passively in the background without the user knowing about them, very similarly to how Yahoo collects web surfing data about their customers using web beacons, cookies, behavioral marketing software, cross-site scripting from third parties, and other tools that gather data about the customer.

The authentication software runs in the background and gathers information about the user’s profile. Some users always log in from a particular geo-location or computer/network and would only have one entry in their profile. Other users might travel or use public computers, log in from varied geo-locations or computers/networks, and that user’s profile would reflect what’s called a “roaming” profile.

The same applies for mobile users. For a “roamer”, the profile for that user would show that they travel and often use varied computers/networks. Rules can be tailored to allow challenges at varied levels so as to not be inconvenient to the user. Obviously, banks and financial institutions would require tougher challenges than do free email services. However, with Yahoo entering the payment field, they should be taking the same precautions with user accounts as financial institutions must to comply with FFIEC rules for multi-factor authentication. If they want to enter that game, they have to increase their level of protections on customer accounts and data.

The strong multi-factor authentication should provide security for those concerned with data breaches, phishing, trojans and worms that collect login credentials to empty bank accounts, or, in Sarah Palin’s instance, violated the privacy of her account due to weak security questions. Again, there’s nothing that prevents mobile access or access from roaming locations.
By: becauseyouspam (Mon, 22 Sep 2008 02:50:32 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158696

dan stevens, machine fingerprinting should be completely out of the question, blocking proxies too. Reasons are simple:

First, you can get e-mail everywhere, free or very cheap. I don’t think there is anyone who’d use an email service that’s fingerprinting their hardware and software (on top of the data mining they already do).

Secondly, you’d eliminate mobile access with that kind of attitude. Now why do you think so many people use webmail in the first place? Right, it’s the remote access they are looking for.

And talking about security: NO ONE should use webmail providers like yahoo, google, microsoft etc. if it’s not for mobile access!

However, the password recovery feature implemented for yahoo accounts is indeed a security issue in itself. It needs fixing and it should not rely on any social factors like age, birthdates, schools etc. Those are mostly accessible today by (ab)using social network sites.

Lastly, I can only recommend to always use fake information based on something that can be remembered easily. Never enter your real birthdate (who needs to know that anyway? If children want to access 18+ content they are smart enough to fake it), always enter fake answers to security questions etc.
By: Chris (Sun, 21 Sep 2008 18:35:31 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158656

Mr. Kremer seems confused about the social engineering that allowed Ms. Palin’s Yahoo account to be breached after a password reset from an anonymous person using a proxy. How would lengthening her password have prevented the social engineering that transpired? Wouldn’t it make more sense to not allow proxies to be used?

I’m told by security pros that the process for resetting the password on Yahoo is weak at authenticating that the party is the true owner of the account. They are recommending that Yahoo implement multi-factor authentication and allow the customer to choose their own security questions.

We had an interesting thread discussion of the topic over on Yahoo finance, but our thread was deleted by Yahoo for some reason. Why is Yahoo censoring discussion of this topic?
By: Slim (Sun, 21 Sep 2008 15:19:52 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158632

It’s apparent that Yahoo’s V.P. who responded about the problem doesn’t have a clear understanding of what actually happened to Palin’s mail account.

Lengthening or encrypting the password would not have prevented the social engineering that occurred.

A kid without any computer hacking skills was able to access Palin’s account simply because Yahoo’s security questions are too easy to guess. Anyone can Google Palin and determine her zip code or where she met her husband.

These questions need to be made less obvious.
By: Jeff Atkinson (Sun, 21 Sep 2008 14:01:07 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158626

It’s clear from Yahoo’s response that the V.P. of mail doesn’t comprehend the problem or solution. Password strengthening would have made no difference in the Palin situation.

What actually happened is a college student was able to do social engineering on a public persona by exploiting weaknesses in Yahoo’s ‘password reset’ feature.

First and foremost, no account maintenance should ever be allowed on anyone’s accounts from any proxy used to mask identity. Had the student used a foreign proxy, FBI/SS would have had a much more difficult time in obtaining logs that identified the perpetrator.

Secondly, Yahoo needs to strengthen the challenge questions. For a public persona, name, address, and zip code are all easily found in public records. All this individual had to do was guess on the question of where Palin met her spouse. Again, this is publicly obtained information.

I work in security and have implemented systems for financial firms which are mandated by FFIEC regulations to use strong multi-factor authentication systems. If Yahoo is to be entrusted with personal information by customers, they should do the same.

There are good third party software products that provide features that would have prevented the Palin incident. RSA provides a product that passively examines machine information, stores it as profile data about that user, and uses it to challenge if somebody tries to access the account from a different computer/network. Challenge questions are presented, and if the challenge is not answered correctly, the account can be frozen until the customer can be contacted to confirm identity.

In security terms, the “what you know” aspect of Yahoo’s security questions is too easy to be social engineered from public data, and requires strengthening, at a bare minimum. Again, nobody should be allowed to do account maintenance like password reset, or changing any account data, from any proxy. Proxies are the main tools used by cyber criminals to mask identity.

Banning proxy traffic from its site would also help to resolve problems Yahoo has had with click fraud, spam rings, and “pay to post rings” operating on their sites.
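The passive-profile, challenge and freeze flow Jeff Atkinson describes in this comment, together with the “roaming” profile idea from his reply to becauseyouspam higher up the thread, sketched as an added Python example; it is not code from the original thread or from any RSA product. The proxy range, fingerprint attributes, thresholds and HMAC key are constructed assumptions for the illustration.

```python
"""Risk-based gate for password-reset requests (constructed illustration)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed example network standing in for a feed of anonymising-proxy
# ranges; a real deployment would load such a list from a maintained source.
PROXY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Server-side key so stored fingerprints are keyed hashes, not raw attributes.
FINGERPRINT_KEY = b"constructed-demo-key"   # assumption: protected and rotated in practice

MAX_CHALLENGE_FAILURES = 3   # freeze the account after this many wrong answers
ROAMING_THRESHOLD = 3        # distinct fingerprints before a user counts as a roamer


def fingerprint(user_agent: str, client_ip: str) -> str:
    """Passive fingerprint: keyed hash of the browser string and the client's /24.

    Using the /24 rather than the exact address keeps a user on the same home or
    office network from being re-challenged every time DHCP hands out a new IP.
    """
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    material = f"{user_agent}|{net}".encode()
    return hmac.new(FINGERPRINT_KEY, material, hashlib.sha256).hexdigest()


@dataclass
class Profile:
    """What the service has learned passively about one account's logins."""
    known_fingerprints: set = field(default_factory=set)
    challenge_failures: int = 0
    frozen: bool = False

    @property
    def roaming(self) -> bool:
        return len(self.known_fingerprints) >= ROAMING_THRESHOLD


def evaluate_reset(profile: Profile, user_agent: str, client_ip: str) -> str:
    """Decide how to treat a password-reset request before any question is asked.

    Returns 'reject', 'frozen', 'allow', 'challenge-light' or 'challenge-strong'.
    """
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in PROXY_NETWORKS):
        return "reject"        # no account maintenance through anonymising proxies
    if profile.frozen:
        return "frozen"        # owner must be contacted out of band first
    if fingerprint(user_agent, client_ip) in profile.known_fingerprints:
        return "allow"         # known device/network: the passive factor holds
    # Unknown device/network: a roamer's history makes this less anomalous, so the
    # rules can tailor the challenge level rather than treating everyone alike.
    return "challenge-light" if profile.roaming else "challenge-strong"


def record_challenge(profile: Profile, user_agent: str, client_ip: str,
                     passed: bool) -> str:
    """Update the profile with a challenge outcome; freeze after repeated failures."""
    if passed:
        profile.challenge_failures = 0
        profile.known_fingerprints.add(fingerprint(user_agent, client_ip))
        return "allow"
    profile.challenge_failures += 1
    if profile.challenge_failures >= MAX_CHALLENGE_FAILURES:
        profile.frozen = True
        return "frozen"
    return "challenge-strong"  # wrong answer: ask again, at full strength
```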
By: dan stevens (Sat, 20 Sep 2008 22:47:51 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158523

Strengthening the password has nothing to do with how Palin’s account was breached. The hacker used the reset password function. There’s a guy on the finance message board for YHOO that said that Yahoo needs to block proxies (which is what the hacker used to remain anonymous) and strengthen the authentication processes similarly to what banks do. He described a method where machine fingerprinting is done behind the scenes by the site’s owner and if no match, then there’s a challenge issued before allowing the password to be reset. Or, if an IP address from blacklisted sites is being used to access any account, it is rejected. This makes much sense. Who knew that these free email accounts could be breached so easily? My bank uses challenge questions that are so difficult that sometimes I can hardly remember them and have to call and speak with somebody live.

I think Yahoo needs to plug this hole.
By: Roger (Sat, 20 Sep 2008 20:48:28 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158509

Yes, DA hit the nail on the head. It’s about the flawed recovery procedure. If you are going to use question/answer, why not allow the user to choose their own question and answer?

Or, users should have the choice of recovering only by phone or text message. That way, they would have to lose their phone to have their password changed.
By: M (Sat, 20 Sep 2008 03:27:52 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158400

Ahhh… I found the place to request a reset. Wow. Still not as easy as it should be.

help.yahoo.com/l/us/yahoo/acct/info/sqachange.html
By: M (Sat, 20 Sep 2008 03:22:54 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158398

“And then Yahoo! makes it difficult to change the secret question.”

Difficult? I searched all over the help site and account info page trying to find this setting. Where is it? I don’t think you can change it. The only thing I’ve found to attempt to reduce your exposure to the recovery attack is to use an email address that’s different from your Yahoo! ID AND lie about your birthday, country of residence and ZIP CODE. Once you’ve established an account, the only thing you can change is your ZIP. When recovering a password for an email address that is different from your ID, it will ask for the DOB, country, and ZIP. Pretty weak protection.
By: TM (Sat, 20 Sep 2008 01:48:04 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158385

I agree with JG. This is a good opportunity for Yahoo to revise its password recovery option.

As far as I can tell, all you need is a user’s birthday, country, and postal code. It doesn’t matter whether you’ve created a wonderfully long, complex sequence of letters and symbols. It doesn’t matter whether you see the right picture on your login page. Yahoo, of course, is not alone in needing to beef up its protection of user privacy.

The only solution at this point is for users to provide Yahoo with something other than their actual birthday, postal code, etc. This diminishes the usability of the MyYahoo page, and you might forget these answers, but at least you reduce the chance of a social engineering attack on your account.
By: DA (Thu, 18 Sep 2008 20:50:01 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158178

The recovery password feature is weak. On my account, all I have to do is answer one “secret question” and my password can be reset.

And then Yahoo! makes it difficult to change the secret question. I could have the best password in the world, but all a hacker really needs to know is the answer to the “secret question”. Which, for some people, could be found on myspace, facebook, or Yahoo! 360.

Yahoo! could do a better job of recovering passwords…
By: JG (Thu, 18 Sep 2008 14:25:10 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158135

How does any of this protect against the recent yahoo – palin email hack?

They used the recover the password feature.

How can our accounts be protected when, no matter how strong the password is, you are handing it over?

Will one way encryption and password resets be added?

If not, will recovery questions become less obvious?
By: GC (Thu, 18 Sep 2008 04:03:09 +0000)
http://ycorpblog.com/2008/09/17/mail-security-tips/comment-page-1/#comment-158058

I think that implementing SSL in yahoo mail would help too. In fact, I think it is necessary nowadays and needs to be standard. This would be useful so that when one is using cafe or library public wifi and wants to sign into yahoo, they would have less fear that someone could steal their password.