Hearing about Yahoo’s massive leak tonight made me think I should double check that I don’t care too much about that password. Not that it really matters since this cow left the barn two years ago. Or something like that. The details are pretty vague - "miscreant", "dark web" and "state sponsored" all mentioned. Whatever.
I don’t think I’ve got anything to fear personally since I don’t really use Yahoo at all. But for good measure I tried to log in.
They said I needed to enter a verification code that they were emailing me. They showed an email "template", something like this.
Verification was sent to:
●●●●●●●●●●●@t●●●●●●●●●.com
The only problem is that I cannot think of how I would ever have used an email address with that form. My domain is xed.ch and I would definitely have used some Yahoo-specific name at that domain (as my notes clearly indicate). Sure enough I eventually did get an email but it did not contain a verification code. Only an exhortation to change my password. Uh, ya, that’s what I was trying to do. But at least the message did say this.
On Thu, Sep 22, 2016 9:46 PM PDT, we noticed an attempt to sign in to your Yahoo account from an unrecognized device in United States.
So far so good. But then they falter with this ridiculous request.
If this was you, please sign in from a device you regularly use.
It’s quite possible I haven’t logged into my Yahoo account in years, in fact, since I was living elsewhere. Should I go knock on the door of my former residence and ask if I can borrow their internet and hope somehow the IP address hasn’t changed? So that’s very ugly, Yahoo.
Let’s compare this with Google. I don’t use Google much either but today I needed to send an SMS text message (no, not to RSVP for a turn-of-the-century theme party). I first had to install the Google Voice client called Chromium since I don’t like the long tentacles of Google stuff mixing with non-Google stuff, for which I use Firefox. Anyway…
It’s pretty rare for me to log into Google at all and I did this on my laptop at work and so I got this perfectly competent message.
Hi Chris X, Your Google Account …….@gmail.com was just used to sign in from Chrome on Linux.
Chris X Edwards …….@gmail.com
Linux
Thursday, September 22, 2016 8:27 AM (Pacific Daylight Time)
San Diego, CA, USA
Chrome
Don’t recognize this activity?
Why are we sending this? We take security very seriously and we want to keep you in the loop on important actions in your account.
Nicely done, Google. That’s a good example of how this should be done.
And finally, the bad. Let’s say you create a brand new AWS account from San Diego, California. Then a couple of hours later you fire up the maximum number of VMs and start mining cryptocurrency full gas… from China. What kind of security email do you get verifying that you took some kind of super fast military aircraft from California to China to do the exact thing criminals are most likely to do? Answer: none. That is one reason why I believe AWS' security is bad. It’s not even problematic across all of Amazon; if a retail order is placed, even a small one, a verification email is sent. But not AWS. AWS waits until the charges are many times more than the credit limit of the credit card on file for the account and then decides to double check with you. It’s hard not to be cynical.