On Thursday, as the world learned of a massive data breach at Yahoo Inc. and the theft of data from 500 million user accounts, Yahoo’s users responded with outrage, while corporate leaders vowed to do better.
But will they? Even as billions of people worldwide store their most sensitive information online, relatively few of them do everything possible to keep it safe. Meanwhile, the companies providing these cloud-based services have been reluctant to force more robust security measures onto their customers. As a result, breaches like the one at Yahoo have become routine events, and there’s no end in sight.
“These online services want to operate at massive scale and want to keep their costs as low as possible,” said Ben Edelman, computer security researcher and associate professor at Harvard Business School. “They have plenty of ways they could improve security but they don’t want to.”
Peter Tran, senior director at RSA Security in Bedford, noted that banks and credit card companies use software that flags possibly fraudulent transactions based on location. If someone in Singapore tries to use a credit card belonging to a Boston resident, the company will often block the transaction and contact the cardholder to make sure it’s legitimate. Tran said Internet companies could use similar systems to double-check attempted logins from unusual locations.
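The location check Tran describes is usually called an impossible-travel or geo-velocity rule: compare where the account last logged in with where the new attempt comes from, and if the implied travel speed is not physically plausible, stop and ask the user to confirm. The following is an added illustration written for this article, not code from RSA, Yahoo or any bank; the login records, coordinates, the 1,000 km/h speed ceiling and the "challenge" outcome are assumptions chosen for the example, and a real deployment would take the coordinates from a GeoIP lookup of the client address.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed; tune per service


@dataclass(frozen=True)
class Login:
    """One login event: who, when (UTC), and where the client IP geolocated to."""
    user: str
    when: datetime
    country: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess_login(history, attempt, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (decision, reason) for a new login attempt.

    decision is "allow" or "challenge"; "challenge" means the site should
    hold the login and confirm with the user, the way a card issuer calls
    the cardholder about an out-of-place transaction.
    """
    if not history:
        return ("allow", "no prior logins to compare against")
    last = max(history, key=lambda login: login.when)
    hours = (attempt.when - last.when).total_seconds() / 3600.0
    if hours < 0:
        raise ValueError("attempt is older than the last recorded login")
    km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
    # Floor the elapsed time at one minute so two near-simultaneous logins
    # from far apart still produce a huge, flaggable speed instead of a crash.
    speed_kmh = km / max(hours, 1 / 60)
    if speed_kmh > max_kmh:
        return ("challenge", f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if attempt.country not in {login.country for login in history}:
        return ("challenge", f"first login from {attempt.country}")
    return ("allow", "consistent with recent activity")


def sample_decisions():
    """Run constructed scenarios (not real telemetry) and return {name: decision}."""
    t0 = datetime(2016, 9, 22, 8, 0, tzinfo=timezone.utc)
    boston = Login("alice", t0, "US", 42.3601, -71.0589)
    newyork = Login("alice", t0 + timedelta(hours=5), "US", 40.7128, -74.0060)
    singapore = Login("alice", t0 + timedelta(hours=2), "SG", 1.3521, 103.8198)
    london = Login("alice", t0 + timedelta(hours=36), "GB", 51.5074, -0.1278)
    return {
        "first_login": assess_login([], boston)[0],
        "boston_to_newyork": assess_login([boston], newyork)[0],
        "boston_to_singapore": assess_login([boston], singapore)[0],
        "boston_to_london": assess_login([boston], london)[0],
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name}: {decision}")
```

Boston to Singapore in two hours works out to well over 7,000 km/h and is challenged; Boston to New York five hours later is ordinary commuting speed and is allowed. The London case passes the speed test but is still challenged because the account has never been seen in that country, which is the second signal a card issuer would use.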
Tran also called for greater use of multi-factor authentication systems. These require an additional proof of identity, beyond the traditional username and password, such as a numeric code relayed to a user’s phone as a text message. Entering that code completes the login. Even if a would-be attacker managed to steal a heap of usernames and passwords, he would still need access to each victim’s phone to break into the account.
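The server side of the text-message factor Tran describes is small, but the details are what make it worth anything: the code must be random, short-lived, usable once, limited in guesses, and stored in a form that does not leak live codes if the pending table is dumped. This is an added example written for this article and is not Yahoo’s or RSA’s code; the six-digit length, five-minute lifetime, five-attempt limit and in-memory table are assumptions, and the SMS gateway call is left out, with the code simply returned to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: the code is discarded after five wrong guesses
SERVER_KEY = secrets.token_bytes(32)  # in production, load from a secret store, not a module constant


class SmsOtpVerifier:
    """Issue and verify one-time codes sent out of band (e.g. by SMS)."""

    def __init__(self, server_key=SERVER_KEY, clock=time.time):
        self._key = server_key
        self._clock = clock                 # injectable so tests can control time
        self._pending = {}                  # user -> {"mac", "expires", "attempts"}

    def _mac(self, user, code):
        # Keyed hash rather than plaintext: a dump of the pending table does
        # not reveal codes that are still valid.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for user and return it for delivery. Never log it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "mac": self._mac(user, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user, submitted):
        """True only for the current, unexpired, unused code within the attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: force a new code
            return False
        ok = hmac.compare_digest(entry["mac"], self._mac(user, str(submitted).strip()))
        if ok:
            del self._pending[user]          # single use
        return ok


if __name__ == "__main__":
    verifier = SmsOtpVerifier()
    code = verifier.issue("alice")          # this is what the SMS gateway would send
    print("wrong code accepted:", verifier.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted:", verifier.verify("alice", code))
    print("replayed code accepted:", verifier.verify("alice", code))
```

The constant-time comparison and the attempt cap are what keep a six-digit code from being brute-forced or timed out of the server; the same verifier works unchanged for a code from an authenticator app, the only difference being how the code reaches the user.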
“I don’t know why it hasn’t been implemented at the urgency and speed that it should have been,” said Tran. “It’s not a technical challenge.”
Josh Shaul, vice president of web security for Akamai Technologies Inc., an Internet security provider in Cambridge, favors multi-factor authentication, but warned that it’s not a panacea. Hackers could find security flaws that would let them bypass the authentication system and gain access to a company’s servers. Then they could access users’ files without the need for individual passwords.
“They may be able to get that website to cough up all the data,” he said.
Yahoo and many other consumer Internet services have long offered multi-factor authentication, but only as an option. Tran and Edelman both said it should be required at all Internet sites that collect sensitive personal information.
But Edelman said companies have little incentive to make their customers use multi-factor authentication. It makes logging in more difficult, and that could scare off valuable users. “If this causes you to log into your Yahoo account less often, then you’re going to open a Gmail account as a backup,” said Edelman. “Next thing you know, you’re using Gmail instead.”
The only way to make multi-factor authentication stick is to make it mandatory by law, said Tran. But such a law would be controversial and difficult to draft. For instance, would it be required for all sites where users must log in, or only certain sites like e-mail services or social networks? “You start looking at how much oversight is too much,” said Tran.
Edelman said a voluntary agreement among the big Internet companies might be a better approach. “We all look each other in the eye and say we’re going to do it,” he said. It would be similar to the voluntary adoption of HTTPS, the encrypted form of the web’s transfer protocol, which has been embraced in recent years by the US government and many of the biggest commercial sites, including Yahoo.

Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.