Uber was recently compromised by a cyber attack in which a 17-year-old hacker gained access to the company’s network and to systems that store massive amounts of user data, and did so with ease by bypassing its two-factor authentication process.
The hacker got access via social engineering an Uber employee.
After obtaining the employee’s credentials via phishing, the hacker still had to get past the employee’s two-factor authentication method, which was a push notification to the employee’s phone.
Two factor authentication is widely recommended since it adds an extra layer of security. It forces the user to confirm that they are the ones logging into the system.
This was bypassed by pushing so many two-factor authentication notification requests to the employee’s phone that the user eventually accepted one out of pure frustration.
This person had, of course, been socially engineered and tracked beforehand, so the hacker knew the best approach to gain access to the systems.
Cyber security experts are now analysing how the hacker was able to get through the company’s two-factor authentication with such ease and gain access to Uber’s systems in the first place.
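The pattern described above, a burst of push prompts to one user followed by an approval, is visible in authentication logs. The following is an added example, not code from Uber or any MFA vendor: it runs a simple sliding-window detector over constructed sample log lines (the log format, user names, IP addresses, window size and threshold are all assumptions made for this illustration).

```python
"""Detect MFA push-fatigue ("prompt bombing") in authentication logs.

Added example: the log format and thresholds below are constructed for
illustration and are not taken from Uber, Cloudflare or any vendor.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one user receives a burst of push prompts,
# rejects or ignores most of them, and finally approves one.
SAMPLE_LOG = """\
2022-09-15T21:00:05Z user=alice event=push_sent src_ip=203.0.113.7
2022-09-15T21:00:35Z user=alice event=push_denied src_ip=203.0.113.7
2022-09-15T21:01:02Z user=alice event=push_sent src_ip=203.0.113.7
2022-09-15T21:01:40Z user=alice event=push_timeout src_ip=203.0.113.7
2022-09-15T21:02:11Z user=alice event=push_sent src_ip=203.0.113.7
2022-09-15T21:02:45Z user=alice event=push_denied src_ip=203.0.113.7
2022-09-15T21:03:20Z user=alice event=push_sent src_ip=203.0.113.7
2022-09-15T21:03:59Z user=alice event=push_sent src_ip=203.0.113.7
2022-09-15T21:04:30Z user=alice event=push_approved src_ip=203.0.113.7
2022-09-15T21:05:00Z user=bob event=push_sent src_ip=198.51.100.9
2022-09-15T21:05:20Z user=bob event=push_approved src_ip=198.51.100.9
"""

WINDOW = timedelta(minutes=10)   # look-back window per user (assumption)
MAX_PROMPTS = 3                  # more than this many prompts in WINDOW is suspicious (assumption)


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; returns None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_push_fatigue(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return a list of alerts, one per suspicious event.

    Two signals are raised:
      * 'burst'  - a user received more than max_prompts push prompts within window
      * 'approved_after_burst' - a user approved a prompt while a burst was active,
        which is the trace a successful fatigue attack leaves behind
    """
    recent = defaultdict(deque)   # user -> timestamps of recent push_sent events
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        q = recent[user]
        # Drop prompts that have fallen out of the look-back window.
        while q and ts - q[0] > window:
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) == max_prompts + 1:   # fire once, when the threshold is crossed
                alerts.append({"user": user, "ts": ts, "signal": "burst", "prompts": len(q)})
        elif event == "push_approved" and len(q) > max_prompts:
            alerts.append({"user": user, "ts": ts, "signal": "approved_after_burst",
                           "prompts": len(q), "src_ip": rec.get("src_ip")})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the sample data the detector raises two alerts for alice (a burst at the fourth prompt, then an approval while five prompts are still inside the window) and none for bob, whose single prompt and approval is ordinary behaviour. The second signal is the one worth paging on: a burst alone may be a flaky client, but an approval at the end of a burst is exactly what the Uber narrative describes.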
You can read in detail how the hacker was able to get past Uber’s security systems and gain admin access, including to their internal communications platform, here:
Not all two factor authentication or multi factor authentication alternatives are created equal; some are stronger than others.
Text-message codes, which can be intercepted or stolen, have been mostly phased out in favour of mobile authenticator apps, which give out random numbers or push notifications that are near impossible to intercept.
However, as attackers get more sophisticated, some of the most powerful MFA defences are being defeated by exploiting vulnerabilities in human behaviour.
Rachel Tobac, CEO of SocialProof Security and a social engineering specialist (2022)
As evidenced by recent hacks on Twitter, Twilio, and Mailchimp, social engineering is quickly becoming one of the most popular methods of hacking a company.
In 2020, hackers got access to Twitter’s network by deceiving an employee into entering their login credentials into a fake login page set up for that purpose; the hacker then used those credentials to trigger a push notification to the employee’s mobile. The employee accepted the notification, and the hacker gained access to several Twitter accounts as well as administrative tools.
Twilio, an SMS messaging service, was recently hit by a similar phishing attack. So was Mailchimp, an email marketing tool, in another social engineering breach that lured an employee into handing over their credentials.
Cloudflare, which manages the vast majority of the online network and hosts websites, was also the target of a cyberattack.
However, the attack on its network was prevented because the business uses hardware security keys that cannot be phished.
Cloudflare acknowledged in a blog post that some of its staff ‘did fall for the phishing messages’; however, the company’s use of hardware security tokens, which require staff to physically plug a USB device into their computers after entering their credentials, protected them and prevented the attackers from infiltrating its network.
While multi-factor authentication by randomly generated codes or push notifications is still far from being the ultimate security method, as Uber’s breach proves, it is a step in the right direction for cybersecurity.
Businesses using two-factor or multi-factor authentication must be mindful that they still need to limit these attack tactics in some way.
One significant development is multi-factor authentication number matching, which makes social engineering attacks much more challenging.
By showing a code on the user’s login screen and requiring them to enter it into an app on their verified device, it adds several layers of security for the business and makes a breach by the hacker near impossible.
The hacker would require both the target’s credentials and their verified device, comparable to a security key.
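To make the difference concrete, the following is an added example and not code from any MFA product: a toy push-challenge server modelled on the description above. A plain push can be approved with a blind tap; with number matching the authenticator app cannot approve without the number shown on the login screen, and only the enrolled device may answer at all. The user name, device identifier and enrolment table are assumptions constructed for the illustration.

```python
"""Toy model of a push challenge with and without number matching.

Added example, not code from any MFA vendor. The server, the login screen
and the authenticator app are stand-ins written for this illustration.
"""
import hmac
import secrets

# Constructed enrolment table: which device is verified for which user.
REGISTERED_DEVICES = {"alice": "phone-alice-01"}


class PushChallenge:
    """One pending MFA push for a single login attempt."""

    def __init__(self, user, number_matching):
        self.user = user
        self.number_matching = number_matching
        # The number the login page displays. Only someone looking at that
        # page knows it; a user who did not start the login never sees it.
        self.display_number = f"{secrets.randbelow(100):02d}" if number_matching else None
        self.approved = False

    def respond(self, device_id, entered_number=None):
        """Answer from an authenticator app. Returns True only on a valid approval."""
        # Only the enrolled device may answer the challenge at all.
        if device_id != REGISTERED_DEVICES.get(self.user):
            return False
        if not self.number_matching:
            self.approved = True        # plain push: a tap on Approve is enough
            return True
        if entered_number is None:
            return False                # the app cannot approve without a number
        self.approved = hmac.compare_digest(entered_number, self.display_number)
        return self.approved


def blind_tap(number_matching):
    """Victim approves a prompt they did not trigger, without seeing any login page."""
    ch = PushChallenge("alice", number_matching)
    return ch.respond("phone-alice-01")          # no number to enter


def legitimate_login(number_matching):
    """The user logs in themselves, so they can read the number off their own screen."""
    ch = PushChallenge("alice", number_matching)
    return ch.respond("phone-alice-01", ch.display_number)


def wrong_number():
    """Enrolled device, but a number that does not match the login screen."""
    ch = PushChallenge("alice", True)
    wrong = f"{(int(ch.display_number) + 1) % 100:02d}"
    return ch.respond("phone-alice-01", wrong)


def stolen_credentials_only():
    """Someone who has the password (and sees the number) but holds no enrolled device."""
    ch = PushChallenge("alice", True)
    return ch.respond("unenrolled-phone", ch.display_number)


if __name__ == "__main__":
    print("plain push, blind tap approved:      ", blind_tap(False))        # True
    print("number matching, blind tap approved: ", blind_tap(True))         # False
    print("number matching, legitimate login:   ", legitimate_login(True))  # True
    print("number matching, wrong number:       ", wrong_number())          # False
    print("credentials but no enrolled device:  ", stolen_credentials_only())  # False
```

The model makes the page’s point mechanically: the frustrated tap that ended the Uber attack succeeds against a plain push and fails against number matching, and credentials on their own are not enough because the challenge only accepts answers from the verified device.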
System Force I.T. analyses the way your business works, and offers the best fitting I.T. solution that can help your business succeed.
Our cyber security tools and monitoring help ensure that your company is secure and that security policies and regulations are followed correctly.
We also help with email phishing testing on employees, cyber security awareness training, and educating your staff on the ins and outs of cyberattacks to help prevent attacks from happening in your company.
System Force IT provides 24/7 IT support and engineering help with all our services. Our IT infrastructure management team is responsible for the backbone of your business, monitoring and maintaining both physical and virtual services in real time.