Cyber security lessons from the Uber hack
For decades, cyber security experts have been warning us about weak or stolen passwords. Two-factor authentication (2FA) has long been pointed to as the solution to the password problem, and for years now many companies have been introducing ever more convenient 2FA methods, starting with SMS, moving on to app-generated one-time codes (TOTP), and finishing with email push notifications. Unfortunately, many of these 2FA methods have turned out to be vulnerable to the sophisticated attacks used by cybercriminals who successfully prey on our weak access points. Uber recently found this out the painful way. So what can we do to avoid attacks like the one that hit Uber?
September. New York. Traffic on the street. An Uber driver receives a series of push notifications on his phone. They all look legitimate, like the ones Uber sends to drivers. At first the driver resists and does not authorise anything, but more and more annoying pop-ups keep appearing. He ignores them; he has to focus on the road and on doing his job. A few minutes later someone texts him via WhatsApp. An Uber IT specialist? Or at least that is what the sender claims while asking for account access and for the notifications to be approved. Phew. The driver is starting to get annoyed. The light turns green, and at the corner of Twenty-seventh, next to the tenement house with the metal stairs, he sees a girl waiting for him to pick her up. He confirms the annoying notification and forgets about the whole thing.
The situation described above may not be exactly what happened, but according to what Uber has published, it may be very close to reality. As a result of an Uber employee's distraction and perfectly executed social engineering, Uber's network was compromised.
Conclusions
Every company, organisation, or institution that cares about data security must move away from weak, selectively applied forms of user authentication and switch to techniques that can withstand phishing and social engineering attacks.
"The weakness of push-based 2FA is definitely that the user experience of receiving pop-up messages can make someone finally agree to them and click 'allow' without giving much thought to what he or she is really accepting," said Tomasz Kowalski, CEO of Secfense, the company that developed the User Access Security Broker, a technology that allows for the quick, no-code implementation of FIDO2 authentication on any application.
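The push-fatigue pattern described in the quote above is visible in authentication logs long before the user gives in: a burst of push prompts to one account, most of them denied, followed by an approval. The following is an added example (not code from the article or from Secfense) of detection logic that flags that pattern. The log format, field names, user names and timestamps are constructed for illustration; real identity-provider logs use different schemas, so `parse_log` is the part to adapt.

```python
"""Flag MFA push-notification fatigue from authentication logs.

Added example, not from the original article. Log lines are constructed
JSON records with the fields ts, user and event; the event names are assumed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: driver01 receives five push prompts in about six minutes,
# denies four and approves the last one; rider02 logs in normally.
SAMPLE_LOG = """
{"ts": "2022-09-15T21:02:10Z", "user": "driver01", "event": "mfa.push.sent"}
{"ts": "2022-09-15T21:02:40Z", "user": "driver01", "event": "mfa.push.denied"}
{"ts": "2022-09-15T21:03:05Z", "user": "driver01", "event": "mfa.push.sent"}
{"ts": "2022-09-15T21:03:30Z", "user": "driver01", "event": "mfa.push.denied"}
{"ts": "2022-09-15T21:04:00Z", "user": "driver01", "event": "mfa.push.sent"}
{"ts": "2022-09-15T21:04:20Z", "user": "driver01", "event": "mfa.push.denied"}
{"ts": "2022-09-15T21:05:30Z", "user": "driver01", "event": "mfa.push.sent"}
{"ts": "2022-09-15T21:06:00Z", "user": "driver01", "event": "mfa.push.denied"}
{"ts": "2022-09-15T21:07:45Z", "user": "driver01", "event": "mfa.push.sent"}
{"ts": "2022-09-15T21:08:00Z", "user": "driver01", "event": "mfa.push.approved"}
{"ts": "2022-09-15T21:10:00Z", "user": "rider02", "event": "mfa.push.sent"}
{"ts": "2022-09-15T21:10:15Z", "user": "rider02", "event": "mfa.push.approved"}
"""

WINDOW = timedelta(minutes=10)   # sliding window for counting prompts
THRESHOLD = 3                    # prompts within WINDOW that trigger a finding


def parse_log(text):
    """Parse JSON-lines records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for users who received >= threshold push prompts
    inside one window. A finding records the peak prompt count, how many
    prompts the user denied, and whether an approval followed the burst,
    which is the case an analyst should treat as a probable compromise."""
    recent = defaultdict(deque)   # user -> timestamps of prompts in window
    denials = defaultdict(int)
    flagged = {}
    for rec in events:
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "mfa.push.sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = flagged.setdefault(user, {
                    "prompts": 0,
                    "window_start": q[0].isoformat(),
                    "approved_after_burst": False,
                })
                f["prompts"] = max(f["prompts"], len(q))
        elif rec["event"] == "mfa.push.denied":
            denials[user] += 1
        elif rec["event"] == "mfa.push.approved" and user in flagged:
            flagged[user]["approved_after_burst"] = True
    for user, f in flagged.items():
        f["denied"] = denials[user]
    return flagged


if __name__ == "__main__":
    for user, finding in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

The threshold and window are deliberately simple; in production they would be tuned per identity provider, and a finding with `approved_after_burst` set should trigger session revocation and a credential reset rather than just an alert.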
FIDO2 is an open authentication standard developed by the FIDO Alliance and is known as the only authentication method that is truly resistant to phishing and social engineering.
"Of course, push notifications are better than nothing. Even old-school SMS protection is better than 'just' passwords," Tomasz added. "However, organisations need to ask themselves whether they want slightly better protection than passwords or whether they would rather walk away from passwords and replace them globally with FIDO2. With the FIDO2 standard available to anyone, organisations do not need to use half-measures; instead, they can reach for something that allows them to forget about the 'password problem' once and for all."
The layered, onion approach
The best approach to building security in a company is the so-called onion model, that is, building it in layers. There is no technology, vendor, or integrator in the world that can protect against every possible threat.
However, data security can be maximised by following the guidelines of the zero-trust security model and by using multi-factor authentication (MFA) on all applications and access points in the organisation. What is important: the MFA must be based on FIDO2, a modern authentication standard that uses face or fingerprint biometric recognition to log in.
FIDO2
And why FIDO2? FIDO2 allows you to use cryptographic security keys, but also devices that we always have with us, such as laptops with a built-in camera and Windows Hello, or smartphones with face recognition or a fingerprint reader.
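The phishing resistance claimed for FIDO2 in the two passages above comes from a concrete mechanism in WebAuthn: the browser binds the page origin into the signed client data and only lets a page use a relying-party identifier (rpId) that matches its own domain, and the server checks both the origin and the rpId hash before accepting the assertion. The following is an added example (not code from the article, from Secfense or from the FIDO Alliance) that walks through that verification with a simulated authenticator, browser and relying party. The real authenticator signs with a per-credential private key; to keep the example standard-library only, the signature is modelled as an HMAC over a secret shared at registration, and the origins, rpId, user name and challenges are constructed.

```python
"""Why a FIDO2/WebAuthn assertion from a phishing page is rejected.

Added example, not from the original article. Message layout follows the
WebAuthn assertion flow (clientDataJSON, authenticatorData, signature over
authenticatorData || SHA-256(clientDataJSON)); the private-key signature is
simplified to an HMAC with a shared secret so that it runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "example.com"                     # constructed relying-party id
RP_ORIGIN = "https://login.example.com"   # the only origin the RP accepts


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Stand-in authenticator: one credential per rpId, monotonic counter."""

    def __init__(self):
        self.credentials = {}   # rpId -> [credential_id, key, counter]

    def register(self, rp_id):
        cred = [secrets.token_bytes(16), secrets.token_bytes(32), 0]
        self.credentials[rp_id] = cred
        return cred[0], cred[1]   # real WebAuthn returns a public key here

    def get_assertion(self, rp_id, client_data_hash):
        cred = self.credentials[rp_id]
        cred[2] += 1
        # authenticatorData = rpIdHash || flags (UP=0x01) || signature counter
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([0x01]) + struct.pack(">I", cred[2]))
        sig = hmac.new(cred[1], auth_data + client_data_hash, hashlib.sha256).digest()
        return {"credential_id": cred[0], "auth_data": auth_data, "signature": sig}


def browser_get_assertion(auth, page_origin, rp_id, challenge, enforce_rp_id=True):
    """The browser's part of navigator.credentials.get(): it refuses an rpId
    that does not match the page's domain and writes the real page origin
    into clientDataJSON, which the page cannot alter."""
    host = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    assertion = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    assertion["client_data"] = client_data
    return assertion


class RelyingParty:
    def __init__(self):
        self.users = {}     # username -> credential record
        self.pending = {}   # issued challenge -> username

    def register(self, username, cred_id, key):
        self.users[username] = {"cred_id": cred_id, "key": key, "counter": 0}

    def begin_login(self, username):
        challenge = b64u(secrets.token_bytes(32))
        self.pending[challenge] = username
        return challenge

    def finish_login(self, assertion):
        """Every check a WebAuthn server performs, in order; any failure rejects."""
        cd = json.loads(assertion["client_data"])
        username = self.pending.pop(cd.get("challenge"), None)
        if username is None or cd.get("type") != "webauthn.get":
            return False, "unknown challenge"
        if cd.get("origin") != RP_ORIGIN:
            return False, "origin mismatch"          # the anti-phishing check
        user = self.users[username]
        ad = assertion["auth_data"]
        if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        if not ad[32] & 0x01:
            return False, "user presence not asserted"
        counter = struct.unpack(">I", ad[33:37])[0]
        if counter <= user["counter"]:
            return False, "counter did not increase"   # cloned authenticator
        expected = hmac.new(user["key"], ad + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        user["counter"] = counter
        return True, "ok"


def demo():
    auth, rp = Authenticator(), RelyingParty()
    cred_id, key = auth.register(RP_ID)
    rp.register("driver01", cred_id, key)
    # 1. Legitimate login from the real origin.
    ch = rp.begin_login("driver01")
    legit = rp.finish_login(browser_get_assertion(auth, RP_ORIGIN, RP_ID, ch))
    # 2. A look-alike page relays the RP's real challenge to the user.
    ch2 = rp.begin_login("driver01")
    phish_origin = "https://login-example.com.evil.test"   # constructed
    try:
        browser_get_assertion(auth, phish_origin, RP_ID, ch2)
        browser_refused = False
    except ValueError:
        browser_refused = True   # browser never asks the authenticator
    # 3. Even if the browser check were bypassed, the RP rejects the origin.
    phish = rp.finish_login(browser_get_assertion(auth, phish_origin, RP_ID, ch2,
                                                  enforce_rp_id=False))
    return {"legit": legit, "browser_refused": browser_refused, "phish": phish}


if __name__ == "__main__":
    print(demo())
```

The contrast with push or TOTP is the point: those methods produce a secret the user can hand over or approve for any site, whereas here the user cannot be talked into producing a valid assertion for the wrong origin, because the origin is fixed by the browser and checked by the server, not entered by the user.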
Untapped security potential
So, with FIDO2, an open authentication standard that is supposed to be accessible to anyone, is there still a problem? Why are not all companies phishing-proof yet? Why does social engineering still succeed?
Implementation is still the biggest problem. MFA implementation is complex, burdensome, and expensive. Moreover, if a company has hundreds of applications, rolling MFA out across all of them is practically impossible. The effect? One of the best authentication methods, the FIDO2 standard, although designed in April 2018, is still an add-on rather than a universal way of securing identity on the Internet, more than four years later.
"We hope that thanks to Secfense, we will be able to change this situation. Our goal was and is to open the path to the mass use of MFA in business and to use the strongest FIDO2 standard for this purpose," said Kowalski.
An advantage of the Secfense broker is that it enables the introduction of FIDO2-based MFA without the cost of hiring developers, without the cost of purchasing dongles, and without any impact on the smoothness of operations.
Secfense believes that the user access security broker approach to adopting strong authentication methods can play a big role in the transition away from passwords.