Whilst no one doubts the abilities of the fraudsters to infiltrate sites for the purpose of injecting malware into a computer, when the core business is marketing, and you rely on visitors to your website as your core advertising medium, then it’s totally unacceptable that Yahoo was not better prepared and alert. No matter how many apologies Yahoo gives its clients, its reputation has been seriously dented and trust shattered. The simple fact of the matter is that one should not expect to find malware on an internationally recognised site such as Yahoo, and such companies have a social and moral responsibility to take all measures to ensure that such a breach does not occur. The consequence for many clients is that their personal and financial data has been compromised, the implications of which can be shocking for some of the more vulnerable members of our society. It is all very well for Yahoo to issue stock statements about the nature of the attack, and the basic “help” on what steps to take if one is concerned that their PC may have been infected, but that will be little consolation to those clients who now feel vulnerable, exposed and worried.
Unfortunately, Yahoo is not alone among the major companies that have suffered significant breaches and hit the headlines in the past year, and sadly we can expect more of the same this year. Once a network or system is compromised, the lost data remains at large and the data owners remain vulnerable to attacks that can compromise their bank accounts and other accounts of value.
Given the ease with which the fraudsters carry out mass attacks with increasing impact, there is no doubt that the premise now must be to focus on how to render stolen data unusable by hackers/thieves. The correlation between identity theft and subsequent fraud is clearly proven, and I stand behind the view that improving our capabilities before the fraud event, or as the event is occurring, must be the next stage of the evolution of security defences. Being able to determine the difference between a fraud event and a false positive is of course the ultimate weapon in the defence against crime, and the ultimate in terms of best-practice consumer protection and customer satisfaction. The key of course lies in the security architecture, providing the highest levels of security and privacy by combining invisible security layers, and low or no friction on the consumer side. Corporate mindsets have to change. The technology exists today to enable these complementary security layers to augment existing security defences. The payback for those entities that get this right will be swift and significant - consumers will be quick to recognise the brand of trust that provides them with the assurance that their banking credentials are protected, their transactions are secure and their interactions are intuitive.