Chris Quin: Telecom upping the ante against cyber-criminals

Chris Quin, Telecom CEO of retail.

Telecom's Yahoo Xtra email service has been in the news lately, for disappointing reasons. We wish security issues weren't affecting our customers, and to say that - like them - I'm frustrated with the situation is a huge understatement.

Many people have called for Telecom to move Xtra away from Yahoo, believing this would fix email security issues and stop spam being sent from customer accounts. If only it were that simple.

It's important to understand the background to this issue. During the past year, there have been several incidents in which overseas cyber-criminals have obtained a customer's email address, password and addresses for their contacts. That information has been used to send spam emails.

These are the sorts of dodgy emails we all get from time to time, but they have more credence when they appear to come from someone we know.

For security reasons, Yahoo can give only limited information publicly on what its investigations of the breaches have revealed. But it has said that the list of usernames and passwords used to execute the most recent attack was probably collected from a third-party database compromise, where customers had used their Xtra address and password combination to register with a different online service or website.

Yahoo determined the best way to stop an account being misused is to lock it, requiring the customer to change their password and leaving the cyber-criminal with a password that no longer works.

More recently a related problem has arisen. Although cyber criminals can't access customer accounts without valid passwords, they can still send spam by "spoofing" the customer's email address (akin to setting up another account with a copied email name). To the recipient, this means the email appears to be coming from someone they know, although it is from a completely different entity.

So where does all this leave Telecom and Xtra email?

When reviewing the Xtra email service, we have looked at the options of withdrawing from email altogether, or taking email back in-house.

Our first consideration is always what customers tell us they want, and the clear message has been that they value their Xtra email address. Another factor is that many of our customers have not had any problems with their Xtra accounts.

To walk away from Yahoo would mean hundreds of thousands of our customers would lose the Xtra email accounts they've told us they want to keep.

Taking email in-house would mean fighting the global cybercrime battle without the resources and expertise of a global player (who is becoming more adept at shutting attacks down quickly).

So we've opted instead to stick with Yahoo, but with all the additional security protection we can create.

Over the next six months, Telecom and Yahoo will introduce enhancements to ensure the Xtra email service is as secure as possible. These include making SSL - an additional encryption layer - mandatory for customers and strengthening password management.

People can also take steps to protect themselves. They can choose a strong and unique email password, change that password regularly, never reuse an old password, and never send or store sensitive information (such as passwords or credit card details) in their emails.

Just as we wouldn't leave our homes unlocked, so we must secure our virtual assets. We can't stop cyber- criminals from attempting to steal information, but if we and our customers remain vigilant about online security, we can make it a whole lot more difficult for them to steal anything useful.

• Chris Quin is chief executive of Telecom Retail