Lessons from the Uber hack 

lessons from uber hack 01

For decades, cybersecurity experts have been warning us against weak or stolen passwords. Two-factor authentication (2FA) has always been pointed out as the solution to password problem. And for years, many companies have been introducing more and more convenient 2FA methods, starting from SMS, moving through app-generated one-time codes (TOTP), and finishing with email push notifications. Unfortunately, many of the 2FA methods turned out to be vulnerable to the sophisticated attacks used by cybercriminals who successfully prey on our weak and vulnerable access points. Uber has recently found out about it painfully. So what can we do to avoid attacks like the one that happened at Uber?

September. New York. Traffic on the street. The Uber driver receives a series of push notifications on his phone. They all look legitimate, like the ones sent by Uber to drivers. Initially, our driver resists and does not authorize anything but more and more annoying pop-ups appear. He ignores it, he has to focus on the road and on doing his job. A few minutes later, someone texts him via WhatsApp. An Uber IT specialist? Or at least that’s what he says when asking for account access and authorization for notifications sent. Phew. The driver is starting to get annoyed. The green light comes on, and at the corner of the twenty-seventh next to the tenement house with metal stairs, he sees a girl waiting to be picked up by him. He confirms the annoying notification and forgets about the whole thing.

The situation described above may not be precisely what has happened, but according to what has been published by Uber, it may be very close to reality. As a result of Uber employee distraction and perfectly conducted social engineering Uber’s network has been compromised.

lessons from uber hack 02 1

Conclusions 

Every company, organization, or institution that cares about data security must move away from using weak and selectively used forms of user identification and switch to techniques that can successfully withstand phishing and social engineering attacks. 

-The biggest weakness of the push-based 2FA is definitely the fact that the user experience of receiving pop-up messages can make someone finally agree to them and click “allow” without giving much thought to what he or she is really accepting. – says Tomasz Kowalski, CEO of Secfense, the company that developed the User Access Security Broker, technology that allows for the quick and no-code implementation of FIDO2 authentication on any application. FIDO2 is an open authentication standard developed by FIDO Alliance and is known to be the only authentication method that is truly resistant to phishing and social engineering. – Of course, push notifications are better than nothing. Even old-school SMS protection is better than “just” passwords. However, organizations need to ask themselves if they want to get slightly better protection than passwords or will they rather walk away from passwords and replace them globally with FIDO2. With the FIDO2 standard available to anyone, organizations do not need to use half-measures but instead reach for something that can allow them to forget about the “password problem” once and for all.

The best approach to building security in a company is building it on the so-called onion model, that is, in layers. There is no technology, producer, or integrator in the world that will be able to protect against all possible threats.

However, data security performance can be maximized by following the guidelines of the zero-trust security model and by using multi-factor authentication (MFA) on all applications and access points in the organization. What’s important – the MFA must be based on FIDO2, a modern authentication standard that uses face or fingerprint biometric recognition to log in.

FIDO2, the safest way to log in to the future

And why FIDO2? Because it is a real revolution in terms of authentication and online security. This open standard – thanks to which every service on the Internet can be secured with the use of cryptography – is fully resistant to phishing and theft of logins and passwords.

FIDO2 allows you to use cryptographic keys but also devices that we always have with us, such as laptops with a built-in camera with Windows Hello in place or smartphones with face recognition or a fingerprint reader.

lessons from uber hack 03 1

Untapped security potential

So, with FIDO2 – an open authentication standard – that’s supposed to be open and accessible to anyone, is there still a problem? Why all companies are not yet phishing-proof? Why social engineering is still the case?

Implementation is still the biggest problem. MFA implementation is complex, burdensome, and expensive. Moreover, if a company has hundreds of applications in its organization, mass implementation of all applications is practically impossible. Effect? One of the best authentication methods, the FIDO2 standard – although designed in April 2018 – is still an addition, not a universal way of securing your identity on the Internet after more than four years.

We hope that thanks to Secfense, we will be able to change this situation. Our goal was and is to open the path to the mass use of MFA in business and to use the strongest FIDO2 standard for this purpose – says Tomasz Kowalski.

An essential advantage of the Secfense broker – also strongly noticed at the Authenticate 2022 conference, held in October in Seattle, is that it enables the introduction of FIDO2-based MFA without the cost of hiring developers, without the cost of purchasing dongles and without any impact on the smoothness of operations.

The sooner the companies will introduce FIDO2 authentication globally, the sooner the world will be able to move away from passwords. It is possible to eradicate passwords and phishing-based attacks once and for all. It will take time, but it is possible. At Secfense, we believe that the user access security broker approach to the adoption of strong authentication methods can play a significant role in this transition. 

Antoni takes care of all the marketing content that comes from Secfense. Read More

Testimonials

We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk

CEO

Sandis

We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director

RKKVC

Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera

Partner

Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT

MPEC S.A.