Image: Sean Gallup/Getty Images
On Thursday, Uber announced that it was “responding to a cybersecurity incident.” Less than 24 hours later, the “incident” appears to be a catastrophic data breach that exposed reams of corporate data to a hacker who claims to be an 18 year old.
The New York Times first reported the breach and spoke to the hacker, who claimed he was able to socially engineer an Uber employee into granting him access to their corporate account. The hacker told Motherboard that he was after user data, but eventually settled on corporate data.
In the hours after the breach was announced, more details about it were revealed on Twitter. The hacker has apparently been talking to several cybersecurity experts, sharing some details on how they broke in.
The hacker said that he first stole the Uber employee’s password and then triggered Uber to send multiple multi-factor push notifications to the employee. These notifications are essentially pop-up windows that appear on an employee’s device, prompting them to approve or deny the login attempt.
Initially, the employee didn’t authorize the login, but the hacker contacted them on WhatsApp, said he was an Uber IT worker and that the employee needed to grant him access. After an hour of pestering, the employee gave in, according to a screenshot of a conversation between the hacker and a cybersecurity expert.
This breach shows that push notifications as a multi-factor method are flawed.
“In my eyes, 2FA push notifications have a weakness in that they can become so annoying that the target eventually accepts,” Rachel Tobac, the founder of SocialProof Security and an expert in social engineering, told Motherboard. “Of course, push notification 2FA is better than none, obviously. But in certain contexts, it can just seem like another spammy pop-up that users have to accept to make it go away, and that seems like a problem.”
For years, cybersecurity experts have recommended that people move away from relying on a password alone as their authentication method. Initially, two-factor or multi-factor authentication used text messages containing a unique code.
As Tobac noted, any method of two-factor is better than none, but it has become very easy for cybercriminals to defeat two-factor authentication via text messages: intercepting the texts by abusing flaws in the systems that form the backbone of telecom networks, tricking telecom providers’ employees into giving up their credentials and then taking advantage of their access to internal tools, or straight up bribing telecom employees into carrying out SIM swapping attacks on behalf of the hackers.
Another alternative is an authenticator app that generates unique codes to enter as the second factor. These are safer than text messages, but hackers can still phish and social engineer targets into giving away the codes.
Ideally, organizations, as well as individuals, should move to using hardware tokens such as YubiKeys or Titan security keys as a second factor. This makes accounts virtually impossible to phish, because the user needs a physical token to get in. That is what recently saved Cloudflare from getting hacked the way Twilio and Okta were in the last few weeks.
Obviously not everyone is willing to buy and use a security key. Luckily, there are ways to make push notifications a bit better as a second factor.
“Yes, there are risks to push notification MFA, and if organizations are using MFA with push notifications, I recommend they turn on number matching and set up alerts and limits for spammed MFA push notifications to employees,” Tobac said. “All MFA has some downsides; this isn’t the only type with risk, this is just the risk we’ve seen today.”
Additional reporting by Joseph Cox.
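One way to implement the alerts and limits Tobac recommends is to watch the authentication log for bursts of unapproved push prompts to a single user, and to flag an approval that arrives shortly after such a burst, which is the pattern of an employee who was worn down. The following is an added example, not Uber’s or any MFA vendor’s code; the log format, the field names and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data): "ISO8601 user outcome".
# Outcomes: denied (user tapped deny), timeout (ignored), approved.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice denied
2022-09-15T22:03:40Z alice denied
2022-09-15T22:05:12Z alice timeout
2022-09-15T22:06:30Z bob approved
2022-09-15T22:09:55Z alice denied
2022-09-15T22:58:20Z alice approved
2022-09-15T23:30:00Z carol denied
"""

def parse_line(line):
    """Parse one assumed-format log line into (datetime, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome

def find_push_fatigue(log_text, max_unapproved=3, window=timedelta(minutes=10),
                      approval_grace=timedelta(hours=1)):
    """Return (time, user, kind) alerts: 'push_spam' when a user gets
    max_unapproved or more unapproved pushes inside `window`, and
    'approval_after_push_spam' when that user approves a push within
    `approval_grace` of the burst (the session should be reviewed/revoked)."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    last_spam = {}               # user -> time the burst was last observed
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, outcome = parse_line(line)
        if outcome == "approved":
            burst = last_spam.get(user)
            if burst is not None and ts - burst <= approval_grace:
                alerts.append((ts, user, "approval_after_push_spam"))
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= max_unapproved:
            # Alert once per burst, not once per additional push.
            if user not in last_spam or ts - last_spam[user] > window:
                alerts.append((ts, user, "push_spam"))
            last_spam[user] = ts
    return alerts

if __name__ == "__main__":
    for ts, user, kind in find_push_fatigue(SAMPLE_LOG):
        print(ts.isoformat(), user, kind)
```

Number matching closes the same gap from the other side: the approver must type the number shown on the login screen, so an approval cannot be granted without seeing the attacker’s session.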