Corporate Obligations and Responsibilities: Security
To remain capable of continuously providing safe and secure services to our users over the long term, Yahoo Japan Corporation (“Yahoo! JAPAN”) pursues policies and maintains systems with an eye to achieving maximum information security.
Protection of User Information (Confidentiality)
Yahoo! JAPAN gives top priority to the security of all users’ personal information, which requires an especially high level of confidentiality. Our activities regarding personal information entrusted to us consist of an effective combination of systematic measures minimizing the number of staff authorized to access users’ personal information with physical measures blocking staff access to securely monitored areas where users’ personal information is stored.
The personal information of each user can be viewed, altered, or deleted only by the user in question directly on the system. Except in cases where a response to a user inquiry is required, no executive or employee is able to access identifying personal information, such as names or addresses.
Constant Service and Data Availability (Availability and Integrity)
Providing services around the clock, we have also implemented measures to ensure that information and content received from users are not falsified or otherwise altered. Regarding services of high importance to users and society, we have implemented special measures safeguarding uninterrupted provision even under the most challenging conditions.
Information Security System
We have a cross-functional information security system in place that allows the Chief Information Security Officer (CISO), appointed by the CEO, to focus on information security and thus control and evaluate security matters. Accordingly, authority and responsibility for the information security of Yahoo! JAPAN and the Yahoo Japan Group has been transferred to the CISO.
Under the supervision and leadership of the CISO, supervisory organizations for information security are established to manage Information Security Management Systems (ISMS) and conduct countermeasures against cyber-attacks.
Chiefs of information security for each service company and group are appointed by the corporate officers of each service company/group and manage information security within their area of supervision.
Subsidiaries and affiliated companies of Yahoo! JAPAN are placed under the supervision of service companies and groups, and information security is also managed and led by the chiefs of information security for each service company or group.
Yahoo! JAPAN Computer Security Incident Response Team (YJ-CSIRT) leads the responses to vulnerabilities in information security, which are centrally managed. It also supports the response measures of the service companies and groups as well as the Yahoo Japan Group companies. The CISO-Board is established under the supervision of the CISO to assist the CISO and to assume a leading role in planning and promoting security strategy and policy for the whole company.
Layered Security against Cyber-Attacks
We adopt layered security, which employs multiple layers of security measures, as our policy toward cyber-attacks from external sources (mostly through the Internet). Because attack methods change and evolve from day to day, hour to hour, we often hold consultations and information exchanges with both internal and external experts to flexibly reflect these changes in our measures.
Development and Dissemination of Information Security Rules
The Yahoo Japan Group has established information security rules, which are disseminated to and followed by the executives and employees.
These security rules divide the information handled into information classifications by legal requirements, value, importance, and other criteria. The rules also stipulate matters such as the handling of information, system construction, and specifications for information handling spaces for each information classification.
Quarterly education and self-assessment are conducted to enhance executive and employee understanding of the information security rules. Their compliance is determined through internal and third-party audits. Deviations from the rules are managed by supervisory organizations of information security as information security risks and monitored until corrective actions are complete.
Acquisition of Information Security Management System (ISMS) Certification
In August 2004, Yahoo! JAPAN acquired Information Security Management System (ISMS) certification BS7799-2:2002, the international standard at the time, and ISMS certification standards (Ver. 2.0), the Japanese version of the American standard at the time. Since then, Yahoo! JAPAN and its principal subsidiaries have complied with each revision of the standards in order to maintain valid certification. Currently, Yahoo! JAPAN and its principal subsidiaries, having passed third-party examination for all their businesses, hold ISO/IEC 27001:2013 certification, the international standard, and JIS Q27001:2014 certification, the Japanese standard.
Each of Yahoo! JAPAN’s principal subsidiaries holding ISMS certification complies with Yahoo! JAPAN’s information security rules and maintains security information management systems identical to those of Yahoo! JAPAN.
Acquisition of ISO 15408 Certification
In November 2007, Yahoo! JAPAN developed iTres, a proprietary monitoring system for detecting information leaks in Yahoo Japan Group’s databases, and subsequently acquired ISO 15408 certification. iTres, a system that protects corporate databases from information leaks by monitoring access thereto based on pre-established policies, is Japan's first ISO-certified product to be made available for public use in the field of database access monitoring systems. iTres has been incorporated into the management of Yahoo! JAPAN’s massive database of users’ personal and other information as part of an effort to strengthen Yahoo! JAPAN’s oversight and monitoring capabilities.
Acquisition of PCI DSS Accreditation
In November 2008, Yahoo! JAPAN obtained Payment Card Industry Data Security Standard (PCI DSS) accreditation for its Yahoo! Wallet online payment service. PCI DSS is the international standard for payment processing, including the handling and storage of credit card holder and transaction information.
Owing to Yahoo! Wallet’s high transaction value, Yahoo! JAPAN was obligated to obtain level-1 PCI DSS certification entailing the most stringent examination process. All systems related to information management and transaction processing of Yahoo! Wallet, one of Japan's largest online payment services, have international-level security accreditation.
We acquired licenses to issue credit cards and manage participating retailers for VISA and MasterCard, and since March 2012 we have provided financial payment services independently for almost all credit-card payments required to offer our services. We acquired PCI DSS accreditation for these operations in February 2012 and have subsequently renewed certification validity annually.
Initiatives to Enhance Login Security
We provide alert services to inform users by e-mail when their Yahoo! JAPAN ID has been used to log in. Potentially unauthorized logins are immediately detected, and the option of temporarily locking an account should a login occur without the user’s knowledge contributes to preventing the escalation of unauthorized use of IDs.
On the Yahoo! JAPAN website, users can check the dates on which, and the services for which, their IDs were used to log in. By checking the record of the past 30 successful Yahoo! JAPAN logins, users can confirm for themselves that no third party gained unauthorized access to their account.
We offer login themes on the Yahoo! JAPAN login screen. These theme images enable users to judge whether the website is legitimate or not when they log in to Yahoo! JAPAN. Use of login themes increases the likelihood of users recognizing fake login screens and enables users to avoid the dangers of phishing schemes.
The one-time password is a security feature that functions as strong protection against unauthorized use of IDs. Should a user’s password become known to a third party, users can protect themselves by adding one-time password authentication to avoid unauthorized logins.
Unlike Yahoo! JAPAN IDs or user names, a secret ID is used only at login. Because IDs often consist of information accessible to others, they may be used without authorization if they become known to malicious persons. In addition to a password, a secret ID known only to the user may be used to mitigate the danger of others learning that user’s ID.
Enhancements to Anti-Spam Measures
We provide a number of tools that offer protective measures for Yahoo! Mail users, such as automatic filters to remove spam and rejection of spoof mails. A help page provides detailed explanations on how to set up and use such tools as part of our efforts to support users in anti-spam measures.
YAHUOKU! Fraud Prevention Measures
We strengthen both management and systems as part of fraud prevention measures for our YAHUOKU! service. We promote such measures on various fronts, such as raising user awareness and cooperation with rights holders’ associations to protect intellectual property. Moving forward, we will continue our active efforts to achieve a zero-fraud environment.
We provide our users with safety information so that YAHUOKU! can be used safely. We have a help page with advice on items to reconfirm or note at the various stages of the auction transaction, such as listing, bidding, purchase, payment and receiving items. Points that users should be aware of in order to avoid trading of fraudulent goods and inadvertent access to phishing sites are also disclosed on this help page.
Validation before Items Are Put up for Sale on YAHUOKU!
In November 2006, we introduced a validation method at YAHUOKU! requiring sellers to present documents confirming their identity before items are put up for sale. In August 2012, we introduced a mobile validation method that uses devices (feature phones/smartphones) for which user identity is confirmed by the mobile operators. Either validation method may be used to list items for auction.
Yahoo! JAPAN collaborates with big brand companies to eradicate distribution of counterfeit items on YAHUOKU!. At present, we have partnered with Louis Vuitton Malletier and COACH, INC. to conduct anti-counterfeit measures, both companies agreeing to cooperate in measures to prevent the distribution of counterfeit goods.
Along with cooperating with law enforcement in criminal investigations, we also share information with government offices pursuing anti-counterfeit measures, such as the Ministry of Economy, Trade and Industry.
Meanwhile, we continue to raise awareness among our users and encourage them to avoid purchasing counterfeits.
Moving forward, in addition to pursuing partnerships with concerned parties, we hope to set a global standard for operation of Internet auction services through these efforts to raise users’ awareness.
Initiatives to Protect Intellectual Property Rights
In December 2005, we established the Council for Intellectual Property Protection on Internet (CIPP) together with rights holders and rights holders’ associations, with relevant government offices as observers. This council drew up the “Guidelines for the Prevention of Distribution of Internet IPR Infringing Goods” and is working in cooperation with rights holders and Internet service providers to prevent distribution of items that infringe upon intellectual property rights. According to the CIPP Report for FY 2015, Internet auction sites conducting measures to protect intellectual property rights had a remarkably low level of infringing items listed: items violating copyrights were 0.25% (out of 4,762 items verified) and items violating trademarks were 1.83% (out of 2,292 items verified).
While the total number of products up for sale has increased across all Internet auction sites, the exceedingly low rate of products infringing on intellectual property rights can be attributed to countermeasures conducted by Internet service providers together with rights holders.
Introduction of Fraud Detection Models
Yahoo! JAPAN operates fraud detection models to prevent unauthorized use of auction sites. Patrol efficiency is enhanced by utilizing data-mining technology to analyze data from models based on behavioral patterns of unauthorized users.
Compensation System for Undelivered Items
Yahoo! JAPAN operates an original compensation system for YAHUOKU! users who, despite following rules such as terms of service, become victims of fraud and other types of misuse.