An unidentified hacker appears to have breached Uber’s security systems and gained access to vast amounts of data using a simple technique that amounts to badgering employees until they grant access using their mobile phones. It’s a tactic that is likely to work on most companies–maybe even yours.
“Hi @here I announce I am a hacker and [your company] has suffered a data breach.” What would you do if every one of your employees received that message via Slack or another companywide messaging system? Uber employees received that very message, according to press reports, and the hacker also reportedly posted an explicit photo to an internal page for employees.
The company confirmed that it was dealing with a cyberattack. Uber assured the public that it had “not seen” that customers’ personal data or trip history had been compromised. But given the screenshots the hacker shared, he had gained high-level access to Uber’s systems, so it may be that he simply chose not to access that information. (The hacker is male, according to The New York Times.) He did not appear to be after data that he could sell; rather, his intent seems to have been to embarrass Uber. One of his messages contained the sign-off “uberunderpaisdrives.”
Even though none of Uber’s customer data apparently fell into the hacker’s hands, this and other recent breaches should concern you because it’s highly possible the same tactics could work against your company, or any company you do business with. According to a statement on Uber’s website, the hacker gained access to Uber’s systems via a contractor. The contractor had a device compromised by malware, giving hackers access to the contractor’s username and password. Uber believes the hacker purchased these credentials on the dark web.
But Uber also uses multifactor authentication, or MFA (often called two-factor authentication). In its most common form, MFA requires users to supply a code sent to them by text, but in many cases, users are simply required to respond to a push notification on their smartphones. The reasoning is that if someone attempting to log in can prove that they physically possess the smartphone associated with that account, they must be the account owner.
Hackers have learned some ways to defeat this system by tricking users into helping them, a technique called “remote social engineering.” They attempt to log in over and over, sending a flood of push requests to users asking them to confirm a sign-in. Then, the hacker pretends to be a member of the company’s tech team requesting them to go ahead and approve the sign-in. In this case, the hacker apparently attempted to log in over and over for more than an hour, thus sending an hourlong barrage of push notifications to the contractor’s phone–enough that anyone would be eager to make it stop. The hacker followed up with a message in which he claimed to be a member of Uber’s IT team and asked the contractor to confirm the sign-in on their phone. The contractor complied, probably with some relief. This type of attack is sometimes called an “exhaustion attack.”
Attacks just like this are increasingly common, security expert Cedric Owen told Wired: “These types of breaches no longer surprise me.” What can you do to help your company stay safe?
1. Spread the word.
Exhaustion attacks work because people don’t know about them. So make sure your employees, colleagues, and business partners know about them. Warn them that if they get a series of sign-in push notifications they weren’t expecting, it’s most likely a hacker and they should alert your tech team right away.
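The pattern described above (a user receiving a barrage of push prompts, refusing or ignoring most of them, and then finally approving one) is something a tech team can detect from its own authentication logs rather than waiting for an employee to report it. The following is an added example, not code from Uber or from any MFA vendor: it assumes a hypothetical log format of `timestamp user event` with the event names `push_sent`, `push_denied`, `push_timeout` and `push_approved`, and the sample lines, threshold and window are constructed here for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp user event" format.
# The first account gets five prompts in three minutes, refuses four, then approves;
# the second account shows ordinary sign-ins hours apart.
SAMPLE_LOG = """\
2022-09-15T02:10:01Z contractor01 push_sent
2022-09-15T02:10:31Z contractor01 push_timeout
2022-09-15T02:10:35Z contractor01 push_sent
2022-09-15T02:10:40Z contractor01 push_denied
2022-09-15T02:11:02Z contractor01 push_sent
2022-09-15T02:11:33Z contractor01 push_timeout
2022-09-15T02:12:05Z contractor01 push_sent
2022-09-15T02:12:09Z contractor01 push_denied
2022-09-15T02:13:00Z contractor01 push_sent
2022-09-15T02:13:04Z contractor01 push_approved
2022-09-15T09:00:00Z alice push_sent
2022-09-15T09:00:05Z alice push_approved
2022-09-15T17:30:00Z alice push_sent
2022-09-15T17:30:07Z alice push_approved
"""

PROMPT_THRESHOLD = 4            # assumed: this many prompts in one window is a flood
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting prompts
REFUSALS = {"push_denied", "push_timeout"}


def parse_log(text):
    """Yield (timestamp, user, event) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2]


def detect_push_floods(text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return one finding per user per flood of push prompts.

    A flood opens when a user has received `threshold` or more push prompts
    within `window`. While the flood is open, further prompts and refusals are
    counted; an approval during the flood is the high-severity signal, since it
    is exactly what an exhaustion attack is trying to obtain."""
    history = defaultdict(deque)   # user -> recent (timestamp, event) inside window
    open_floods = {}               # user -> finding still being built
    findings = []
    for ts, user, event in parse_log(text):
        h = history[user]
        h.append((ts, event))
        while h and ts - h[0][0] > window:
            h.popleft()
        finding = open_floods.get(user)
        if finding is not None and ts - finding["last_prompt"] > window:
            # The flood went quiet without an approval: leave it closed as-is.
            del open_floods[user]
            finding = None
        if event == "push_sent":
            prompts = sum(1 for _, e in h if e == "push_sent")
            if finding is None and prompts >= threshold:
                finding = {
                    "user": user,
                    "first_prompt": next(t for t, e in h if e == "push_sent"),
                    "prompts": prompts,
                    "refusals": sum(1 for _, e in h if e in REFUSALS),
                    "last_prompt": ts,
                    "approved_during_flood": False,
                    "approved_at": None,
                }
                open_floods[user] = finding
                findings.append(finding)
            elif finding is not None:
                finding["prompts"] += 1
                finding["last_prompt"] = ts
        elif event in REFUSALS and finding is not None:
            finding["refusals"] += 1
        elif event == "push_approved" and finding is not None:
            finding["approved_during_flood"] = True
            finding["approved_at"] = ts
            del open_floods[user]
    for f in findings:
        f["severity"] = "high" if f["approved_during_flood"] else "medium"
    return findings


if __name__ == "__main__":
    for f in detect_push_floods(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']}: {f['prompts']} prompts, "
              f"{f['refusals']} refusals since {f['first_prompt']:%H:%M:%S}, "
              f"approved={f['approved_during_flood']}")
```

A medium finding (a flood with no approval) is worth a quick call to the employee, because it means someone holds a valid password for that account; a high finding means the sign-in should be treated as compromised and the session revoked while the account is investigated. The threshold and window here are starting points, not vendor defaults: tune them against your own logs so that a user who fumbles a prompt twice is not paged as an attack.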
2. Make it harder.
Providing a six-digit code is a bit more effort than simply responding yes to a push notification. Unwitting employees could still be fooled into doing it, but the extra step gives them a bit more time to consider whether they really should. It adds an extra step for the hacker, too, because they now have to somehow obtain the code from the legitimate user.
3. Consider a physical key.
Google and security company Cloudflare say they have put an end to phishing attacks like this one by requiring hard keys for authentication. Deploying hard keys (small devices that connect to your computer or other device and provide encrypted authentication) is obviously more expensive, and more of a pain in the neck than using smartphone-based authentication. But it might be worth it.
4. Don’t blame the victim.
Whatever you do, don’t subject employees to discipline or public humiliation if they give in to an exhaustion attack. The last thing you want to do is create an incentive for people to keep such attacks secret.
Besides, it’s not just Uber. Twilio–which actually provides multifactor authentication for its customers–got hacked in much the same way. And even Cloudflare says that three of its own employees gave in to an exhaustion attack–and those employees were not reprimanded for their lapse. “Having a paranoid but blame-free culture is critical for security,” the company noted in its blog post about the incident. Keep that in mind if there’s ever a successful exhaustion attack on your company. It truly could happen to anyone.