What Uber’s latest hack means for multi-factor authentication

by Nick Moran, on Tue 18 October 2022

Uber suffered a jarring security breach in September, forcing the company and spectators to reevaluate the security of their login systems. While failsafes were in place, the attack still demonstrated the vulnerabilities of multifactor authentication. In this blog post, we evaluate the scope and impact of the attack, and explore opportunities to address vulnerabilities.

On Sept. 15, employees at Uber received an ominous notification on the company’s internal Slack.

“Hi @here I announce I am a hacker and Uber has suffered a data breach.”

According to Wired, the hacker had “deeply and thoroughly compromised” Uber’s internal systems, and it was time, not access, that limited how much the threat actor combed through.

To breach a multi-billion dollar international enterprise was bold, and must have required a deep understanding of cybersecurity – right?

In reality, the foe didn’t exploit a gaping technical flaw nor did they rely on sophisticated tactics. Uber was facing an 18-year-old hacker whose biggest strength was how simple and effective his plan was.

According to early reports, the hacker acquired the employee’s credentials (to put it simply, a username and password) , but then upon logging into the account, required approval directly from the employee’s device through multi-factor authentication. The hacker then sent several authentication requests to the employee before texting under the facade of being Uber IT and encouraged them to approve the authentication request. The employee obliged, and the hacker was in.

At that moment, the flood gates had been opened, and through a simple act of social engineering, Uber’s troves of cybersecurity defenses had been breached – a move that highlighted the fragility of user logins.

“Weaknesses in a company’s cybersecurity can come from a multitude of places – logins, backdoors, and more,” said Gene Shablygin, CEO, WWPass. “For a company that invests in cybersecurity as much as Uber does, it’s jarring to see such a simple exploit used to give a threat actor so much access.”

What should have been a crucial failsafe in this circumstance was the employee’s multi-factor authentication, which did temporarily block the hacker from accessing the employee’s account through credentials alone. However, a bit of deception – the very same tactics that allow scammers and hackers to siphon user credentials and personal information around the world – was all it took to circumvent that failsafe.

In some ways, multi-factor authentication – which can take the form of a randomized code, an approval button, or a text message – lulls users into a false sense of security. Touted as a foolproof defense to compromised credentials, multi-factor authentication has become commonplace, but still fails to protect against social engineering.

“Just as social engineering can siphon your logins through a fabricated email or suspicious text message, it can just as easily circumvent multi-factor authentication,” said Shablygin. “While another hoop for a hacker to jump through, the existence of multi-factor authentication doesn’t make a login invincible.”

While Uber has since confirmed that the hacker did not access user data or significantly disrupt internal workflows, the company still has plenty of work to do in reviewing its cybersecurity infrastructure.

To prevent similar breaches in the future, Uber and other enterprises should focus less on hardening traditional logins with usernames and passwords, and instead focus on alternative ways to handle logins.

“Traditional username and password logins – whether with or without multi-factor authentication – will always be susceptible to some of the most common types of hacking, including social engineering,” said Shablygin. “Instead of attempting to continually harden these traditional logins, enterprises should instead scrap them altogether and try a new approach.”

Login options without traditional credentials are becoming increasingly commonplace, especially as the lack of a username or credentials gives threat actors nothing to steal. Services like WWPass’ username and password-less login prioritize security by removing credentials as a potentially exploitable variable.

“At WWPass, we want to help companies and everyday users alike understand that a more secure approach to traditional logins exists,” said Shablygin. “That alternative doesn’t have to compromise security or convenience. In fact, WWPass is looking to set a new standard – one where cybersecurity failures like Uber’s recent breach are a thing of the past.”

To learn more about WWPass and its revolutionary approach to user logins and cybersecurity, visit www.wwpass.com.