What Uber’s data breach reveals about social engineering

Were you unable to attend Transform 2022? Check out all the summits in our on-demand library now! Look here.


Few techniques are as popular with cybercriminals as social engineering. Research shows that IT staff receive an average of 40 targeted phishing attacks a year, and many organizations struggle to intercept them before it’s too late.

Just yesterday, Uber was added to the long list of companies defeated by social engineering after an attacker managed to gain access to the organization’s internal IT systems, email dashboard, Slack server, endpoints, Windows domain and Amazon Web Services console .

New York Times [subscription required] reported that an 18-year-old hacker sent a text message to an Uber employee posing as support staff to trick them into giving up their password. The hacker then used it to take control of the individual’s Slack account, before later gaining access to other critical systems.

The data breach sheds light on the effectiveness of social engineering techniques and suggests that companies should reconsider their reliance on multi-factor authentication (MFA) to secure their employees’ online accounts.

Event

MetaBeat 2022

MetaBeat will bring together thought leaders to provide guidance on how metaverse technology will transform the way all industries communicate and do business on October 4th in San Francisco, CA.

Register here

Social Engineering: The Low Barrier Way to Hack

In many ways, the Uber data breach further illustrates the problem with relying on password-based authentication to control access to online accounts. Passwords are easy to steal with brute-force hacks and social engineering scams, and they provide a convenient entry point for attackers to exploit.

At the same time, no matter how good a company’s defenses are, if they rely on passwords to secure online accounts, it only takes one employee sharing their credentials for a breach to occur.

“Uber is the latest in a series of victims of social engineering attacks. Employees are only human and eventually mistakes will be made with serious consequences,” said Arti Raman, CEO and founder of Titaniam. “As this incident proved, despite security protocols in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data and share it with the world.”

While measures such as turning on multi-factor authentication can help reduce the likelihood of account takeover attempts – they will not completely prevent them.

Rethinking account security

Generally speaking, user awareness is an organization’s best defense against social engineering threats. Using security awareness training to teach employees how to spot manipulation attempts in the form of phishing emails or SMS messages can reduce the likelihood that they will be tricked into divulging sensitive information.

“General cybersecurity awareness training, penetration testing and antiphishing education are powerful deterrents to such attacks,” said Neil Jones, director of cybersecurity evangelism at Egnyte.

Organizations simply cannot afford to make the mistake of thinking that multi-factor authentication is enough to prevent unauthorized access to online accounts. Instead, business managers must assess the level of risk based on the authentication options supported by the account provider and implement additional controls accordingly.

“Not all MFA factors are created equal. Factors such as push, one-time codes (OTP) and voice calls are more vulnerable and are easier to circumvent via social engineering, says Josh Yavor, CISO at Tessian.

Instead of relying on these, Yavor recommends implementing security key technology based on modern MFA protocols such as FIDO2 that have phishing resilience built into their designs. These can then be extended with secure access controls to enforce device-based requirements before granting users access to web resources.

VentureBeat’s mission will be a digital town square for technical decision makers to gain knowledge about transformative business technology and transactions. Discover our orientations.

Leave a Reply

Your email address will not be published.