The topic that has been on everyone’s minds this week, aside from the next act in Wells Fargo’s little drama, is cybersecurity. It’s one of those things that businesses of all kinds are constantly thinking about, but only makes a public appearance when something has gone horribly, horribly wrong.
Like when data is stolen from your company by a “sophisticated adversary” and you don’t discover it for two years and then try to pretend that everything is fine while all of your cybersecurity people are sniped by other institutions and your company crumbles from within. For instance.
While Yahoo is not a finance company, its recently reported breach—and breach is underselling it a bit considering the hack resulted in data stolen from 500 million users so maybe huge, smoking crater where the firewall used to be is a better descriptor—certainly has implications for the finance world, according to people familiar with the matter.
Joram Borenstein, vice president of marketing for NICE Actimize, a company dedicated to detecting and preventing financial crime, told Bank Innovation:
First, the sheer scale of a half a billion accounts being compromised has significant implications for global customers. Second, the fact that we’re now seeing reports that Yahoo management supposedly knew about these incidents and chose to either ignore or downplay them… may be an indication that many companies are continuing to downplay the risks from security incidents and that they are not being transparent enough, or fast enough, when it comes to disclosing these incidents.
The government (and perhaps more importantly Twitter) certainly doesn’t seem to think so. Several senators and other political leaders are calling for the SEC to investigate why Yahoo did not report the hack earlier, while many others in the cybersecurity community are debating the truth of whether the company’s claims that this was a “sophisticated adversary” or “state-sponsored actor.”
“It seems like Yahoo is indicating that this is the work of a nation-state,” says Chris Pierson, chief security officer and founding executive team member for Viewpost, a creator of digital invoices for businesses.
Pierson added that despite the media flak, Yahoo’s system is “actually quite good,” and that there is regrettably no system that will completely prevent attacks.
However, this is the single biggest breach of a stand-alone company’s network that the public knows about, so caution—and maybe a touch of panic—is not an irrational response.
But what does it all mean for banking?
Well, for one thing, a good many people use Yahoo mail to receive and thus store personal information—electronic receipts, Amazon shipping information, bank statements, and if a user’s account was breached, all of that data went with it.
According to Borenstein:
The way this hack related to financial crime and fraud is through two mechanisms: first, users rely on their email accounts to lock down their online banking and to receive statements. Second, most consumers are lazy and use the same password for multiple financial and non-financial accounts so one can assume that any Yahoo passwords that have been uncovered are being tested with online banking platforms to see if the criminals can access those financial accounts.
So, in case this hasn’t sunk in from any of the previous monster hacks, using one password for everything is bad—in this case, if you use the same password for your Yahoo account and your banking account, data from both of those is—well, someone has it who isn’t you, Yahoo or your bank.
At this point, we still don’t know who that someone is, but consumers can learn a few valuable lessons from this hack, and so can financial institutions. One thing that seems to be clear is that banks need to help educate consumers about being safe online — and get rid of passwords as soon as possible.
To learn more about cybersecurity, join us at Bank Innovation Israel in Tel Aviv on Nov. 1-3. Register here.