Hack Attack: Internet & Email Security - Knowledge Share Wednesday, 04/26/17, 1-4pm ET

---

@miusername wrote:

Does ATT still trust Yahoo! to handle their customers' email?

---

@miusernameAT&T and Yahoo! continue to work as partners to provide the best possible customer experience. 

---

@Tigereyze209 wrote:

---

@ATTU-verseCare wrote:

Hi @Tigereyze209,

 

That is a good question. Both AT&T and Yahoo work together to ensure the E-mail functions properly.

it unclear.   I was mainly referring to legacy accounts in "free" status, and technically no longer entitled to in person support.. If their account is hacked, and the automated recovery options do not work, what are their options for account recover, if any?

 

As an ACE, I see a lot of posts in regards to this, and often, I honestly have no idea how to advise them.

 

Any feedback appreciated.

---

 

---

I'm curious about this too.  

This is/was an issue for Hotmail, GMail, and some others, and now they tend to "rather vigorously" pursue having you set up two-factor, for changing account credentials.

This puts the onus back on the user, which is the way it probably should be, although I admit the general public knowledge of just how two-factor works (it's really fairly simple, but often explanations get way too involved) is lacking, if almost non-existant.

---

@Tigereyze209 wrote:

---

@ATTU-verseCare wrote:

Hi @Tigereyze209,

 

That is a good question. Both AT&T and Yahoo work together to ensure the E-mail functions properly.

 

As often happens, if an att customer who has an account that, for whatever reason, loses their password for, especiley the legacy accounts, who do they need to contact to see about getting that account reactivated? (Also, whatever information they might need to provide to verify ownership of that account.)

 

 Okay, I apologise. I can see I was a bit unclear.   I was mainly referring to legacy accounts in "free" status, and technically no longer entitled to in person support.. If their account is hacked, and the automated recovery options do not work, what are their options for account recover, if any?

 

As an ACE, I see a lot of posts in regards to this, and often, I honestly have no idea how to advise them.

 

Any feedback appreciated.

---

 

---

@Tigereyze209 Thank you for clarifying. Whether it is a paid or legacy account, it is still handled by the same team. Sadly, if the recovery options do not work and the account is not updated, there may be no way to help out. For security reasons, if the customer does not update their account, and only has the information from the recovery process on their account, but they do not know it, our hands our tied as well and there is no other forms of authentication. 

The best thing to advise is to link them to this article, which covers how to get back into the account and offers a number if they get stuck.

-ATTU-verseCare

@Tigereyze209, @ATTU-verseCare, I did find the Yahoo two-factor (not quite as nicely granular as hotmail/outlook.com, but still better) doc here:

https://help.yahoo.com/kb/SLN5013.html

If users did this, or were "heavily prompted" to do so, there would be FAR less issues like this, IMHO.  Of course that doesn't do much if you're trying to recover, and your phone has died or gotten changed or something, or maybe you're in a country where you can't readily receive a text message...
I have my two-factor set up with both a number AND another secondary email, to try to avoid the potential issue.

Adding two-factor authentication to your account really cuts down on the blatant hijacks, in terms of people gaining absolute control over your account.

@pgrey, Also, with two-factor authentication (where available) unless the person trying to access your account has your mobile device you've registered for the two-factor authentication method, they won't be able to get into your account, since a code is required, is unique and will be sent via text message to your device.

Email has and is an excellent form of non-verbal communications. However, when using email assume the worst and that is your email may be read by someone other than who you intended it for. Encrypting email content is a method that could be used to minimize exposure.

---

@RossCS wrote:

Adding two-factor authentication to your account really cuts down on the blatant hijacks, in terms of people gaining absolute control over your account.

@pgrey, Also, with two-factor authentication (where available) unless the person trying to access your account has your mobile device you've registered for the two-factor authentication method, they won't be able to get into your account, since a code is required, is unique and will be sent via text message to your device.

---

Yep, 110%.  

The downside that's coming, is more and more are using apps or web-based texting (like the AT&T text backup and internet messaging), which can hose your two-factor protection, unless you have it protected (with a different password, and set to NOT keep you signed in, IMO).

It's a tricky world, getting more-so, hence my "double two-factor" setup ;-]

---

@ApexRon wrote:

Email has and is an excellent form of non-verbal communications. However, when using email assume the worst and that is your email may be read by someone other than who you intended it for. Encrypting email content is a method that could be used to minimize exposure.

---

Yep, encrypted email is an excellent tool, although the standards around sharing the PSK (key for de-crypting) has never really solidified, IMO.  There are some out there, but very few follow them, and I've seen some really bright people (medical field included) struggle with how to do this, consistently.  Plus you need to "rotate" the key occasionally, or the same problems exist.

To be "actually secure" too, the PSK needs to come through a different transmission mechanism, such as a text message or similar, or retrieved, again through a secure portal or similar.  If you're sending the key un-encrypted, to the same email, your security is VERY low (although some might presume that it's good, obfuscation is VERY dangerous, IME).

This is why "secure portals" are good for this type of communication, like the AT&T messaging.  More of a hassle, but they can be highly secure, with minimal effort, and implemented across any array of devices, as long as they have a secure browser.

It has been a while since I checked up on this, but last time i did, two step verification was available for Yahoo accounts (in beta) but was NOT available for ATT e-mail accounts.

If this has changed, then cool. But as I said, unless it has changed, 2 step was not available to ATT accounts.