Lessons From the Uber Hack

By Tomasz Kowalski, CEO and Co-Founder, Secfense

For decades, cybersecurity experts have been warning us against weak or stolen passwords. Two-factor authentication (2FA) has always been pointed out as the solution to password problem. And for years now, many companies have been introducing more and more convenient 2FA methods, starting from SMS, moving through app-generated one-time codes (TOTP), and finishing with email push notifications. Unfortunately, many of the 2FA methods turned out to be vulnerable to the sophisticated attacks used by cybercriminals who successfully prey on our weak and vulnerable access points. Uber has recently found out about it painfully. So what can we do to avoid attacks like the one that happened at Uber?

September. New York. Traffic on the street. The Uber driver receives a series of push notifications on his phone. They all look legitimate, like the ones sent by Uber to drivers. Initially, our driver resists and does not authorize anything but more and more annoying pop-ups appear. He ignores it, he has to focus on the road and on doing his job. A few minutes later someone texts him via WhatsApp. An Uber IT specialist? Or at least that’s what he says when asking for account access and authorization for notifications sent. Phew. The driver is starting to get annoyed. The green light comes on, and at the corner of the twenty-seventh next to the tenement house with metal stairs, he sees a girl waiting to be picked up by him. He confirms the annoying notification and forgets about the whole thing.

The situation described above may not be exactly what has happened but according to what has been published by Uber, it may be very close to reality. As a result of Uber employee distraction and perfectly conducted social engineering Uber’s network has been compromised.

Conclusions

Every company, organization, or institution that cares about data security must move away from using weak and selectively used forms of user identification and switch to techniques that can successfully withstand phishing and social engineering attacks.

– The weakness of the push-based 2FA is definitely that the user experience of receiving pop-up messages can make someone finally agree to them and finally click “allow” without giving much thought to what he or she is really accepting – says Tomasz Kowalski, CEO of Secfense, the company that developed the User Access Security Broker, technology that allows for the quick and no-code implementation of FIDO2 authentication on any application.

FIDO2 authentication is an open authentication standard developed by FIDO Alliance and is known to be the only authentication method that is truly resistant to phishing and social engineering.

– Of course, push notifications are better than nothing. Even old-school SMS protection is better than “just” passwords – Tomasz adds. – However, organizations need to ask themselves if they want to get slightly better protection than passwords or will they rather walk away from passwords and replace them globally with FIDO2. With the FIDO2 standard available to anyone organizations do not need to use half-measures but instead, reach for something that can allow them to forget about the “password problem” once and for all.

The Layered, Onion Approach

The best approach to building security in a company is building it on the so-called onion model, that is in layers. There is no technology, producer, or integrator in the world that will be able to protect against all possible threats.
However, data security performance can be maximized by following the guidelines of the zero-trust security model and by using multi-factor authentication (MFA) on all applications and access points in the organization. What’s important – the MFA must be based on FIDO2, a modern authentication standard that uses face or fingerprint biometric recognition to log in.

FIDO2, the safest way to log in to the future

And why FIDO2? Because it is a real revolution in terms of authentication and online security. This open standard – thanks to which every service on the Internet can be secured with the use of cryptography – is fully resistant to phishing and theft of logins and passwords.

FIDO2 allows you to use cryptographic keys but also devices that we always have with us, such as laptops with a built-in camera with Windows Hello in place or smartphones with face recognition or a fingerprint reader.

Untapped security potential

So, with FIDO2 – an open authentication standard – that’s supposed to be open and accessible to anyone, is there still a problem? Why are all companies not yet phishing-proof? Why is social engineering still the case?

Implementation is still the biggest problem. MFA implementation is complex, burdensome, and expensive. Moreover, if a company has hundreds of applications in its organization, mass implementation of all applications is practically impossible. Effect? One of the best authentication methods, the FIDO2 standard – although designed in April 2018 – is still an addition, not a universal way of securing your identity on the Internet after more than four years.

– We hope that thanks to Secfense, we will be able to change this situation. Our goal was and is to open the path to the mass use of MFA in business and to use the strongest FIDO2 standard for this purpose – says Tomasz Kowalski.

An important advantage of the Secfense broker – also strongly noticed at the Authenticate 2022 conference, held in October in Seattle, is that it enables the introduction of FIDO2-based MFA without the cost of hiring developers, without the cost of purchasing dongles and without any impact on the smoothness of operations.

The sooner the companies will introduce FIDO2 authentication globally the sooner the world will be able to move away from passwords. It is possible to eradicate passwords and phishing-based attacks once and for all. It will take time but it is possible. At Secfense we believe that the user access security broker approach to the adoption of strong authentication methods can play a big role in this transition.

About the Author

Tomasz Kowalski is a CEO and co-founder of Secfense. He has nearly 20 years of experience in the sale of IT technology. He was involved in hundreds of hardware and software implementations in large and medium-sized companies from the finance telecommunication, industry and military sectors. Tomasz can be reached online at ([email protected], Tomasz Kowalski | LinkedIn) and at our company website https://secfense.com/