Lessons From the Uber Hack | Operator Tech


By Tomasz Kowalski, CEO and Co-Founder, Secfense

For many years, cybersecurity consultants have been warning us about weak or stolen passwords. Two-factor authentication (2FA) has always been touted as the answer to the password problem. And for years, many companies have been introducing more and more convenient 2FA methods, starting with SMS, moving through app-generated one-time codes (TOTP), and ending with push notifications. Unfortunately, many of these 2FA methods have turned out to be vulnerable to sophisticated attacks by cybercriminals who successfully exploit our weak and vulnerable access points, as Uber recently found out painfully. So what can we do to prevent attacks like the one that happened at Uber?

September. NY. Traffic on the road. The Uber driver receives a series of push notifications on his phone. All of them look legitimate, like those Uber sends out to drivers. At first our driver resists and doesn’t authorize anything, but more and more annoying pop-ups appear. He ignores them; he has to focus on the road and on doing his job. A few minutes later, someone sends him a text via WhatsApp. An Uber IT specialist? Or at least that is what he says when he asks for access to the account and authorization of the notifications that were sent. Phew. The driver starts to get angry. He turns on the green light, and on the corner of 27th Street, next to the tenement with the metal stairs, he sees a woman waiting for him to pick her up. He confirms the annoying notification and forgets about everything.

The situation described above may not be exactly what happened, but based on what Uber has published, it may be very close to reality. Due to an Uber employee’s distraction and perfectly executed social engineering, Uber’s network was compromised.


Any company, organization or institution concerned with data security must stop using weak and selective forms of user identification and switch to methods that can successfully resist phishing and social engineering attacks.

The weakness of push-based 2FA is definitely that the user experience of receiving popups can cause someone to eventually comply with them and finally click “allow” without giving much thought to what they’re actually agreeing to. – says Tomasz Kowalski, CEO of Secfense, the company that developed the User Access Security Broker, a technology that enables fast, code-free implementation of FIDO2 authentication in any application.

FIDO2 authentication is an open authentication standard developed by the FIDO Alliance and is known to be the only authentication method that is truly resistant to phishing and social engineering.

Of course, push notifications are better than nothing. Even old-school SMS security is better than “just” passwords – adds Tomasz. – However, organizations must ask themselves whether they want slightly better security than passwords or whether they want to move away from passwords and replace them globally with FIDO2. With the FIDO2 standard available to everyone, organizations need not settle for half measures, but should look for something that will let them forget about the “password problem” once and for all.

The Layered Onion Approach

The best approach to building security in a company is to build it on the so-called onion model, that is, in layers. There is no technology, manufacturer or integrator in the world that can protect against all possible threats.
However, data security can be maximized by following zero-trust security model guidelines and using multi-factor authentication (MFA) across all applications and access points in the organization. What is important: MFA must be based on FIDO2, a modern authentication standard that lets users log in with biometric facial or fingerprint recognition.

FIDO2, the safest way to log in in the future

And why FIDO2? Because it is a real revolution in terms of authentication and online security. This open standard, thanks to which all Internet services can be protected with the use of cryptography, is completely resistant to phishing and to the theft of logins and passwords.

FIDO2 allows the use of dedicated cryptographic security keys, but also of devices that we always carry with us, such as laptops with an integrated camera and Windows Hello installed, or smartphones with facial recognition or a fingerprint reader.
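Why an origin-bound FIDO2 login does not survive a phishing relay, as an added illustration that is not taken from the article or from Secfense: a minimal model of the checks a WebAuthn relying party performs on an assertion, with an assumed RP ID `example.com`, a constructed credential, and an HMAC standing in for the authenticator’s asymmetric signature so that it runs on the Python standard library alone.

```python
import hashlib, hmac, json, secrets

RP_ID = "example.com"                    # assumed relying-party (RP) ID
EXPECTED_ORIGIN = "https://example.com"  # the only origin this RP accepts
# Constructed credential. A real RP stores the authenticator's public key and checks
# an asymmetric signature; the HMAC key stands in so this runs on the stdlib alone.
CREDENTIAL_KEY = secrets.token_bytes(32)

def new_challenge() -> bytes:
    """RP side: fresh random challenge per login attempt (replay protection)."""
    return secrets.token_bytes(32)

def authenticator_sign(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Browser + authenticator side: the browser records the origin the user is
    really on; the authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP = 0x01) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (2).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(assertion: dict, issued_challenge: bytes) -> tuple[bool, str]:
    """RP side: returns (accepted, reason); each rejection names the failed binding."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge.hex():
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:  # the check that defeats phishing pages
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this RP"
    to_sign = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not verify"
    return True, "ok"

def demo() -> dict:
    ch = new_challenge()
    legit = verify_assertion(authenticator_sign(EXPECTED_ORIGIN, ch, RP_ID), ch)
    # A look-alike site relays the RP's real challenge, but the browser records the
    # origin actually visited and scopes the credential to it, so the RP rejects it.
    phished = verify_assertion(authenticator_sign("https://examp1e.com", ch, "examp1e.com"), ch)
    return {"legit": legit, "phished": phished}
```

Contrast this with a TOTP code or a push approval, which carry no record of where the user typed or tapped them and are therefore accepted from whoever relays them.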

Untapped security potential

So with FIDO2, an open authentication standard that is meant to be open and accessible to everyone, is there still a problem? Why aren’t all companies phishing-proof yet? Why is social engineering still an issue?

Implementation remains the biggest problem. MFA implementation is complex, burdensome, and expensive. Also, if a company has hundreds of applications in its organization, mass deployment across all of them is practically impossible. The effect? One of the best authentication methods, the FIDO2 standard, although it was designed in April 2018, is still an add-on rather than a universal way to protect one’s identity on the Internet, even after more than four years.

We hope that thanks to Secfense we can change this situation. Our goal was and is to open the way for the mass use of MFA in business and to use the stronger FIDO2 standard for this purpose. – says Tomasz Kowalski.

A major advantage of the Secfense broker, also highlighted at the Authenticate 2022 conference in Seattle in October, is that it allows the introduction of FIDO2-based MFA without the cost of hiring developers, without the cost of purchasing dongles, and without any impact on the fluidity of operations.

The sooner companies introduce FIDO2 authentication globally, the sooner the world can move away from passwords. It is possible to eliminate password- and phishing-based attacks once and for all. It will take time, but it is possible. We at Secfense believe that the user access security broker’s approach to adopting strong authentication methods can play an important role in this transition.

About the Author

Tomasz Kowalski is CEO and co-founder of Secfense. He has almost 20 years of experience selling IT technology. He was involved in hundreds of hardware and software implementations in large and medium-sized companies in the financial, telecommunications, industrial, and military sectors. Tomasz can be reached online at ([email protected], Tomasz Kowalski | LinkedIn) and on our company website https://secfense.com/
