Home / HR Courses / Cybersecurity 101 for HR Pros / Real World Lessons / Yahoo Security Questions

Yahoo Security Questions

This video is premium content

Lesson:

Yahoo Security Questions

Course: Cybersecurity 101 for HR Pros
Module: Real World Lessons
Lesson Type: Video
Lesson Duration: 2:36

Lesson Content

In the concepts section, I referenced two attacks on Yahoo over the last few years. When attackers accessed the user data for 1 billion Yahoo accounts, they were able to obtain: names, email addresses, telephone numbers, dates of birth, hashed passwords, and quote encrypted or unencrypted security questions and answers.

That’s a lot of personal information on a lot of people to take in one sweeping attack. With a breach like this, one of the first things to consider is: “Is the damage contained to this service?”. When a company loses factual data about who you are, it can aid someone trying to steal your identity. And factual information is problematic because unlike usernames or passwords, you can’t change that information if you feel threatened online because it is a part of you and your history.

Of all of the data points stolen, one of the most concerning to me is the security questions and answers. Security questions are something that give many people a false sense of safety while undermining their ability to protect themselves from identity theft.

It’s important to ask yourself: why are they asking me to give answers to security questions? The reason is simple: they are an old fashioned form of two factor authentication.

The best way to prevent identity theft concerns when using security questions is simple: don’t answer the questions honestly. No company is checking to find out if you correctly gave them your mother’s maiden name or city of birth. They don’t need to know which high school you attended or the road you lived on during elementary school. Security Questions and answers are just another layer of passwords. All that matters is that at some point in the future, during an attempt to authenticate your account, that you’re able to give the answer that matches what they have on record.

Since so many sites and services ask the same or similar questions, a breach on one site can allow someone to take control of other accounts in your life. The rolling effect I have mentioned previously where someone gains control to many accounts through a single breach is my biggest fear for anyone online. This Yahoo breach could absolutely have been used to get into someone’s bank account, social network, cloud storage, or other deeply personal services.

The only way to counter this kind of breach is to give different answers to every site that asks security questions. Since this is just another password, use the kinds of random password generation I covered previously, store the answer in a password manager, and move on without worrying about it. The key is to understand that nobody is checking on the answer, and you are free to give it any response you like.

I expect security questions to disappear as a form of security in the coming years, but until then it’s crucial that you understand why they exist, and how best to use them when required while staying safe and protecting your identity.

Instructor:

Michael Wilson

Michael Wilson works with small businesses to build and protect their brands online. He is an IT Generalist whose primary services include: Web Design & Development, Cybersecurity Consulting & Training,...

Michael's Full Bio

Module 1 0/2

Welcome

HR's Cybersecurity Risks

Introduction to Cybersecurity

Module 2 0/5

Concepts

Defining Security

What are Attackers After?

Attack Vectors

The Human Element

Global Principles

Module 3 0/4

Securing Your Accounts

Introduction

Passwords

Password Managers

Two Factor Authentication

Module 4 0/3

Securing Your Devices

Introduction

Best Practices

Conclusion

Module 5 0/3

Phishing

Introduction

Best Practices

Conclusion

Module 6 0/4

Data Loss Prevention

Module 7 0/3

Real World Lessons

Political Phishing

W2s

Yahoo Security Questions

Module 8 0/2

Conclusion

Closing Remarks

Quiz

HR Courses

Human Resources Training Programs

Self-paced HR Courses

The following HR courses are self-paced (asynchronous), and qualify for both SHRM and HRCI recertification credits. These courses are included in the HR Recertification Subscription.

Effective Disciplinary Action Policies and Procedures