Gabriel Friedlander’s Post


Wizer - Free Security Awareness Training | Founder

Is this how Uber got hacked? Just 3 weeks ago I posted this video. And yesterday, I learned that an 18-year-old allegedly hacked Uber in a similar manner… MFA bombing is a real threat! It’s worth SHARING this with your employees. This is what the 18-year-old wrote: “I was spamming an employee with push auth for over an hour. I then contacted him on WhatsApp and claimed to be from Uber IT, told him if he wants it to stop he must accept it.”
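A detection sketch for the push-bombing pattern the post describes, added here as an example; it is not code from the post, Wizer or Uber. The log format, user names, one-hour window and five-push threshold are constructed assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider MFA push events (not real logs).
# Format: "<ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved>"
SAMPLE_LOG = """\
2022-09-15T21:02:10 user=alice event=push_sent
2022-09-15T21:02:40 user=alice event=push_denied
2022-09-15T21:05:10 user=alice event=push_sent
2022-09-15T21:11:02 user=alice event=push_sent
2022-09-15T21:18:45 user=alice event=push_sent
2022-09-15T21:27:30 user=alice event=push_sent
2022-09-15T21:41:12 user=alice event=push_sent
2022-09-15T21:58:00 user=alice event=push_sent
2022-09-15T22:03:15 user=alice event=push_approved
2022-09-15T21:10:00 user=bob event=push_sent
2022-09-15T21:10:20 user=bob event=push_approved
"""

WINDOW = timedelta(hours=1)   # assumed sliding window
THRESHOLD = 5                 # assumed: pushes per window that count as a burst


def parse(log):
    """Turn log lines into sorted (timestamp, user, event) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts),
                       user.split("=", 1)[1], event.split("=", 1)[1]))
    return sorted(events)


def detect_push_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"pushes": n, "approved_after_burst": bool}} for each user
    who got >= threshold pushes inside `window`. An approval arriving after
    such a burst is the "accept it to make it stop" outcome worth alerting on."""
    recent = defaultdict(list)   # user -> push timestamps inside the window
    flagged = {}
    for ts, user, event in parse(log):
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop pushes older than the window
                q.pop(0)
            if len(q) >= threshold:
                hit = flagged.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                hit["pushes"] = max(hit["pushes"], len(q))
        elif event == "push_approved" and user in flagged:
            flagged[user]["approved_after_burst"] = True
    return flagged
```

In the constructed sample, alice receives seven pushes in under an hour and then approves one, which is the pattern to page on; bob's single push followed by an approval is ordinary and is not flagged.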

Gabriel Friedlander

Wizer - Free Security Awareness Training | Founder

1y

A direct link to the video if you want to share it with your team https://videos.wizer-training.com/videos/81dc42552b464e6b86addca61e69d244

Hard on the outside, soft on the inside. Someone was lazy and cheap in the initial setup because it should never have been allowed that a person can authenticate from anywhere in the world with a simple push authentication. Geolocation and time of day restrictions are available from all the MFA vendors. Add in FIDO2 passwordless MFA for the trifecta. Also, using PAM and ARM with abnormal data access alarms would harden the inside and prevent lateral movement. But that will never happen so long as CFOs and board members are more concerned with how much is it going to cost to buy and implement.

Elena S.

Security @ Google | Investigations | Threat Management

1y

Interesting how the conclusion targets the employee only (who I agree does need to be educated constantly & maintain a good level of security awareness), but NOT the company who implemented the MFA solution wrongly / was not able to properly maintain it! Human behavior can always be improved, but unfortunately will never be perfect in facing ever-changing social engineering techniques! When technology works against the user, well, unfortunately exploiting vulnerabilities in the right circumstances becomes much easier.

Bob Romano

Retired / EIR Chief Executive Officer at Intelligent-Data

1y

Good post

Richard B.

Great at asking "dumb" questions...Never the smartest person in the room.

1y
Dean F.

I can help with phishing resistant MFA & "default-deny" endpoint protection.

1y

If you want to avoid AiTM attacks, look at FIDO2 security keys (i.e. YubiKeys), as they also do "origin checking" to stop relayed authentication account takeover attempts like those using OTP-based 2FA. Without the YubiKey and without the count-limited key PIN, an attacker can't authenticate via creative methods.

Abdul-Rahman M. Elshafei, M.Sc., CPT

Evidence-Based L&D Courses Author | Cybersecurity Behavior Change Advisor | Speaker | Corporate Trainer | Undisciplined Polymath | Book Lumbricidae

1y

Gabriel Friedlander this video is very well made. I like how it conveys the awareness message and advice to others. What would also be awesome is if Wizer can land a quick interview with the actual Uber victim to do a similar 34-second segment related to his experiences. Then this video would be one of the rare occasions in which a security awareness message would be presented using an antiauthority tactic advocated by Dan & Chip Heath in Made to Stick.


First Uber hacked a pretty fair and decent society and turned a respectable profession into a job of utter dependence. What goes around, comes around. Don't cry over yesterday's sins, Uber... Now it is your turn to pay the bill. Hope you become a better company after this new insight.

Reynaldo Gil

Changemaker | Fractional CTO | Prompt Engineering | Board Director | Latino - Tribal Sovereign AI Ag Tech | Edge AI Innovation | AI Workforce Academy

1y

The question we should be asking is how that 18-year-old became proficient with the skills to hack Uber. We need to learn how they learn and where they learn.
