Uber Breach - Why Even Multi-Factor Cannot Protect Against Every Threat

Adding multi-factor authentication (MFA) is an additional security step users can take to help protect their accounts from unauthorized access. MFA can be accomplished in several ways. It may require a code sent by email or text, or provided by an authenticator app. In a recent post we discussed the different and most effective types of multi-factor if you want a refresher or deeper explanation of the types. Unfortunately, as a recent Uber breach showed, even implementing multi-factor authentication cannot protect against every threat.

This post discusses what happened in the most recent Uber breach and why even using multi-factor authentication cannot protect against every threat.

Uber recently suffered a data breach after a user accepted an MFA request.

The purpose of multi-factor authentication is to add an additional step when logging into accounts because this additional step makes it harder for someone to gain access to them. For example, if your account credentials are hacked or exposed, they can be used to log into any accounts that use those credentials. If you reuse passwords, any number of accounts can be at risk.

However, in a perfect world, if you have MFA enabled on your accounts, hackers should not be able to access them even if they have the account credentials. This is because they should not have access to the MFA code and would not be able to finish the login. Keep in mind this is not foolproof. If you use email for your MFA codes and your email is hacked, someone could finish the login process.

Additionally, SMS messages can be intercepted, so they are not the most secure version of multi-factor authentication, but any additional step required when logging into accounts should be better than none. Simply having multi-factor enabled should be a deterrent if someone attempts to access one of your accounts. Realizing this secondary step is required often convinces them to look for an easier target.

Lastly, multi-factor authentication can provide protection by notifying you that someone is attempting to access one of your accounts. If you randomly receive a text or email code to access one of your accounts, and you were not attempting to log into that account, then someone else most likely was. In these cases, it is always a good idea to log into the account by going directly to it and making sure nothing has been changed.

Unfortunately, there are instances where even the presence of multi-factor authentication cannot protect against threats. Recently an Uber account with MFA enabled was hacked. You may wonder how this happened. The short answer is: user interaction.

What you need to know about multi-factor authentication

As mentioned before, there are several ways to implement MFA codes. They can be sent using text messages, in email or using an authenticator app. When using an authenticator app, there are several ways the code can be provided. Some accounts provide 6-digit codes that refresh every 30 seconds, and the user must type in the code before it expires. Other accounts use pop-ups that show up on the device with the authenticator app like any other notification. When this form of authentication is used, users are prompted to click "approve" or "deny" on the request, which is meant to make it easier for the user.

Unfortunately, this approve/deny prompt was exactly what got Uber in trouble. A user with an account was continually being prompted to approve or deny an authentication request because someone was actively trying to access their account. Eventually, the account user clicked approve to get the authenticator app to stop prompting them. This instantly allowed the hacker generating those prompts access to the user's account.

In this case, a one-click interaction with an authenticator app gave an unauthorized user access to an Uber account. At this time, what the hacker gained access to is unknown, but any access into their system is a threat. Check out this article for more on this breach.
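The pattern described above (a run of ignored or denied push prompts that ends in an approval) is something a defender can look for in authentication logs. The following is an added example, not part of the original post; the event fields, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs, not a vendor schema): (time, user, result)
SAMPLE_EVENTS = [
    # alice: six ignored/denied prompts in seven minutes, then an approval
    ("2024-01-10T01:00:00", "alice", "timeout"),
    ("2024-01-10T01:01:10", "alice", "denied"),
    ("2024-01-10T01:02:05", "alice", "timeout"),
    ("2024-01-10T01:03:30", "alice", "denied"),
    ("2024-01-10T01:04:45", "alice", "timeout"),
    ("2024-01-10T01:06:00", "alice", "denied"),
    ("2024-01-10T01:07:15", "alice", "approved"),
    # bob: missed one prompt, retried and approved (ordinary behaviour)
    ("2024-01-10T09:00:00", "bob", "timeout"),
    ("2024-01-10T09:00:40", "bob", "approved"),
    # carol: five denials spread over hours, so they never share a window
    ("2024-01-10T08:00:00", "carol", "denied"),
    ("2024-01-10T09:00:00", "carol", "denied"),
    ("2024-01-10T10:00:00", "carol", "denied"),
    ("2024-01-10T11:00:00", "carol", "denied"),
    ("2024-01-10T12:00:00", "carol", "denied"),
    ("2024-01-10T12:05:00", "carol", "approved"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back period
THRESHOLD = 5                   # assumed count of rejected prompts that is suspicious

def find_fatigue_approvals(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, approval_time, prior_prompts) for every approval that
    follows at least `threshold` denied or timed-out prompts inside `window`."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = []
    for ts_text, user, result in sorted(events):  # ISO timestamps sort by time
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()  # forget prompts older than the window
        if result == "approved":
            if len(prompts) >= threshold:
                alerts.append((user, ts_text, len(prompts)))
            prompts.clear()  # counting restarts after any approval
        else:
            prompts.append(ts)
    return alerts

if __name__ == "__main__":
    for user, when, count in find_fatigue_approvals(SAMPLE_EVENTS):
        print(f"ALERT {user}: approved at {when} after {count} rejected prompts")
```

An approval flagged this way is a reason to contact the user and review the session, since the approval itself looks like a normal successful login.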

What you can do beyond multi-factor

The most important takeaway from this data breach is to remember that had the user not clicked accept for the multi-factor request, the account would not have been breached. While it would be extremely annoying to continually receive prompts from an authenticator app, it is important that you remain diligent and NEVER click approve on something you are not requesting.

Enabling multi-factor authentication is still a good step in increasing the security of accounts. However, like other forms of protection (endpoint security, firewalls, content filters, etc.), it is not foolproof. Users still need to pay attention to what they open, what they click on, and what they approve if they want to protect their accounts.

As always, taking a little bit of time to be sure something is legitimate will save a great deal of time if it isn't.