Online account compromise occurs regularly and will probably continue in the foreseeable future. Often hackers employ botnets to hijack accounts from millions of unsuspecting consumers. In turn, these hijacked accounts are sold and used to initiate email scams, with messages seemingly sent from the legitimate account owners to their contacts. Scams can range from the less harmful check this cool stuff advertising spam to the more damaging send money to help your friend email. Worse still, the scam emails may contain malicious links that lead to the installation of malware on computers, which then makes the computers part of the ever-growing botnet networks.
To thwart account compromise, Yahoo! is introducing a stronger user authentication feature that aims to prevent account hijackers with a stolen password from accessing a person's account. If you have a Yahoo! account, you can now further protect it by activating this new second sign-in verification feature from Yahoo! Account Info. As part of the process, you will be required to add a mobile phone number to your account and verify it via SMS.
Once the feature is turned on, any suspicious account sign-in attempt will be challenged by a second sign-in verification beyond the initial password validation. To confirm the legitimacy of the sign-in attempt, you or the hijacker will have to answer your account security question or enter a verification code that will be sent to your mobile phone. Presumably, only you, as the legitimate user, can sign in. Account hijackers will be blocked since they neither know your security answer nor possess your mobile phone. In short, this second sign-in verification step acts as an additional, stronger beyond-the-password challenge against any unauthorized access attempt. And our systems are also capable of other refinements to accomplish our ultimate goal: to block all account hijackers from accessing Yahoo! accounts.
Given the complexity of behind-the-scenes working systems, we are offering this feature first to users residing in the United States, Canada, India, and the Philippines. We will be extending this feature gradually to all worldwide users by March 2012. As we continue to improve how to better prevent account compromise and keep you aware of any suspicious account activity, you can enact stronger protection on your account by turning on the second sign-in verification feature and by monitoring your recent sign-in activity.