How this Hack Happened
Last Friday, September 16, 2022, Uber, the ride-sharing behemoth, became the latest large company to fall victim to a cyber-attack.
While this may seem like just another “hack-in-the-news” story of a large company getting breached, this particular hack is one you should pay attention to.
The events of this hack are well explained in this Twitter thread, so I won’t recount how this happened.
Instead, I want to focus on how multi-factor authentication was used in this attack and why that’s extremely important to your business.
There is a common misconception that multi-factor authentication, or MFA, is a silver bullet security solution for preventing hackers from accessing an individual’s account.
Unfortunately, as we see in this particular hack, that is NOT the case.
In this situation, the attacker was able to gain access to an Uber employee’s account by bombarding them with repeated MFA notifications.
They then contacted the employee, masquerading as a help desk technician, instructing them to accept the MFA notification, thereby allowing the attacker access to Uber’s network.
From there, the attacker was able to compromise a significant number of Uber’s internal technology systems.
How it Impacts You and Your Business
So what does this have to do with you and your small business?
While ensuring that multi-factor authentication is in place for every login to every technology system your business uses is critical, it’s important to understand that MFA is not a complete security solution.
As was the case with the Uber hack, social engineering can easily be used to bypass MFA, especially when human emotion comes into play.
What allowed the attacker to bypass this MFA protection was a method called “MFA fatigue.”
Flooding a person’s smartphone with irritating MFA prompts and then posing as “tech support” offering to make the prompts stop is an effective way to social-engineer an individual into divulging an MFA code or accepting an MFA prompt.
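One way a defender can look for this pattern in authentication logs, as an added example that is not from the original post: a small Python detector run over constructed sample push-notification events (the log format, user names and thresholds are assumptions, not any vendor’s real schema) that flags a flood of unanswered prompts and, more urgently, a flood followed by an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "ISO-timestamp user push-outcome" (not a real vendor schema).
SAMPLE_LOG = """\
2022-09-16T02:10:05 alice push_denied
2022-09-16T02:10:41 alice push_denied
2022-09-16T02:11:12 alice push_denied
2022-09-16T02:12:30 alice push_denied
2022-09-16T02:25:10 alice push_approved
2022-09-16T03:00:00 carol push_timeout
2022-09-16T03:01:00 carol push_timeout
2022-09-16T03:02:00 carol push_timeout
2022-09-16T09:03:00 bob push_denied
2022-09-16T09:03:30 bob push_approved
"""

UNANSWERED = {"push_denied", "push_timeout"}  # prompts the user did not accept
WINDOW = timedelta(minutes=10)          # MIN_PROMPTS unanswered prompts inside WINDOW = a burst
MIN_PROMPTS = 3
APPROVAL_GRACE = timedelta(minutes=30)  # an approval this soon after a burst is the worrying case

def parse_log(text):
    """Parse log lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            events.append((datetime.fromisoformat(ts), user, event))
    return events

def detect_mfa_fatigue(events):
    """Map user -> 'burst' (prompt flood) or 'burst_then_approved' (flood followed by
    an approval, i.e. the pattern of an MFA-fatigue attack that succeeded)."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        prompts = [ts for ts, ev in evs if ev in UNANSWERED]
        # Sliding window: every position where MIN_PROMPTS prompts fit in WINDOW ends a burst.
        burst_ends = [prompts[i + MIN_PROMPTS - 1]
                      for i in range(len(prompts) - MIN_PROMPTS + 1)
                      if prompts[i + MIN_PROMPTS - 1] - prompts[i] <= WINDOW]
        if not burst_ends:
            continue  # one or two stray denied prompts is normal, not fatigue
        approved = any(ev == "push_approved" and any(e <= ts <= e + APPROVAL_GRACE for e in burst_ends)
                       for ts, ev in evs)
        findings[user] = "burst_then_approved" if approved else "burst"
    return findings
```

In the sample, bob’s single denied prompt followed by his own approval is treated as normal, while alice’s burst followed by an approval is the case that should page someone immediately.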
Once again, the idea of building security-as-a-culture into our businesses becomes the main topic of conversation.
Had this particular individual been better educated through frequent training and consistent messaging from management, there is a strong chance this hack could have been prevented.
Security awareness training cannot be a chore or a box to tick on a checklist.
Security awareness training must become part of an organization’s culture and to do that, it has to be consistently discussed and prioritized.
Security Awareness Training Takeaways
Here are 3 takeaways for your business that should be shared with everyone in your organization, RIGHT NOW:
- NEVER accept a multi-factor authentication prompt or enter a multi-factor authentication code unless you are 100% certain that YOU are the individual who just requested it.
- NOBODY, and I mean NOBODY reputable, will EVER contact you and ask you to confirm a multi-factor authentication code. (Some organizations may send a temporary code to your phone as a method of verifying your identity; however, that does not coincide with a logon event.)
- When you are online, which means anytime you are using your computer, tablet, or smartphone, you must be EXTREMELY aware and mindful of every link you click, every website you visit, and every message you respond to.
President, Continuous Networks
Ross has served the IT needs of businesses across NY and NJ for more than 15 years. He’s also the host of the Legends Of I.T. Podcast, a show for dedicated I.T. Professionals to improve their skills and respective organizations each day.