Page 100 - Cyber Defense eMagazine January 2023

Lessons From the Uber Hack

By Tomasz Kowalski, CEO and Co-Founder, Secfense



For decades, cybersecurity experts have been warning us against weak or stolen passwords. Two-factor
authentication (2FA) has always been pointed out as the solution to the password problem. And for years
now, many companies have been introducing more and more convenient 2FA methods, starting from
SMS, moving through app-generated one-time codes (TOTP), and finishing with email push notifications.
Unfortunately, many of these 2FA methods have turned out to be vulnerable to the sophisticated attacks used by
cybercriminals who successfully prey on our weak and vulnerable access points. Uber recently found
this out the hard way. So, what can we do to avoid attacks like the one that happened at Uber?

September. New York. Traffic on the street. The Uber driver receives a series of push notifications on his
phone. They all look legitimate, like the ones sent by Uber to drivers. Initially, our driver resists and does
not authorize anything, but more and more annoying pop-ups appear. He ignores them; he has to focus on
the road and on doing his job. A few minutes later someone texts him via WhatsApp. An Uber IT
specialist? Or at least that's what he says when asking for account access and authorization for the
notifications sent. Phew. The driver is starting to get annoyed. The green light comes on, and at the
corner of the twenty-seventh, next to the tenement house with metal stairs, he sees a girl waiting for him
to pick her up. He confirms the annoying notification and forgets about the whole thing.

The situation described above may not be exactly what happened, but according to what Uber has
published, it may be very close to reality. As a result of an Uber employee's distraction and perfectly
conducted social engineering, Uber's network was compromised.



