“Two-factor authentication is not good” 3 important lessons from the Uber hack

Recently, ride-sharing service Uber admitted that it had hacked its internal network. The hackers are said to have gained access to Uber’s source code and other systems such as email and Slack. Uber has reassured the public that no customer data has been compromised, but some security experts believe Uber’s claims are not valid.
ⓒ Getty Images Bank

Of course, users still have to take the very easy and smart step of changing their Uber account information and checking to see if their old password is being used elsewhere. This is because Uber has a history of covering up serious customer data breaches for about a year. However, there is another important lesson from this case.

The hack, known as the result of social engineering techniques, thwarted security measures, including two-factor authentication (2FA). One of the fake 2FA requests was approved after the hacker contacted the employee with Chuck WhatsApp, an IT official at Uber.

These results do not mean that adding 2FA to strong and unique passwords is ineffective. It just means that social engineering techniques that prey on human error are surprisingly effective. The Uber hack reminds us how important three things are when users protect themselves online:

1. Always stop and think

2FA requests only appear while the user who has set them up is logging into a website or app. If you get a 2FA request even when you are not logged in, there is a problem. ⓒ Ed Hardie / Unsplash

Password is the first line of defense against unauthorized access to your online account, and 2FA is the second line of defense in case your password is leaked. 2FA, which requests authentication with a smartphone or an app installed on the smartphone, only appears when the user selects it and successfully enters the password.

The person who enters the password is the user, not anyone else. A website or app has something called a system permission that gives you access to your account and all the activities you did with that account. There is no need to go through individual users, and the IT team has these system privileges for work-related accounts.

Therefore, 2FA requests are only visible when you log into your account directly. If you do not try to log in and a 2FA request comes in, there is a problem. This is especially true if you are receiving multiple spam emails with authentication requests.

So the final line of defense is to use the user’s sharp and active brain. Unexpected 2FA requests are obviously suspicious, so be careful not to get caught.

2. Know what to trust

If someone tries to sneak access to your account, you should contact customer support for help. ⓒ Markus Spiske / Pexels

Only you and the company running the website or app should be able to access your account. As mentioned above, the service provider can access the user’s account without going through the user. Therefore, any contact requesting a user’s password or 2FA should always be judged to be fraudulent and should be excluded.

If you suddenly receive a two-factor authentication request, it’s a sign that you need to increase security. You should contact the website or app’s customer service department right away to inform them that your password has been used without permission and get guidance and assistance in re-protecting your account.

It’s normal to feel the urge to change your password right away. However, it is important to note that if you want to change your password while 2FA is enabled, you need to go through an additional verification process. There is a risk that the request will be mistaken for a request from you and will be granted.

3. Use more effective 2FA means

There is also a hardware key designed to be used by connecting it to the charging port of a smartphone, like Yubikey in the photo. ⓒ Yubico

The more convenient the authentication method, the easier it is to hack. This self-evident reason applies to 2FA as much as password length. Password length is discussed much more because it is often the first and only line of defense. Tech journalists and security experts breathe a sigh of relief whenever people use 2FA in any form. However, 2FA takes various forms depending on how well it can defend against hacking and human error.
  • email/text message : Relatively simple and easy to understand, often accessible from multiple devices. However, it also has the disadvantage of relying on insecure communications. Accounts that use email/text messages as 2FA are likely to be targets of social engineering.
  • Devices receiving push requests (smartphones, tablets, etc.) : This is an improved form of 2FA than email/problem messages. Moving 2FA settings to a new device is usually straightforward if needed. However, it is still weak against mistakes when swiping or tapping a smartphone screen or social engineering techniques.
  • Apps that require you to directly open the app to verify the 2FA code : An app that only needs to be opened directly to view the 2FA code is a big advantage in that only the user can view the code. However, this level of security only applies when the code can be accessed locally on the device, not when it is stored and synced to cloud storage. The downside is that restoring access to the 2FA code can be very cumbersome unless you back up your settings.
  • hardware token : A completely independent device that can generate and display a 2FA code to use, or seamlessly process 2FA authentication via a USB port or wireless connection (NFC or Bluetooth). It is very safe, as you might have guessed, but there is a risk of losing it. More than one is needed for safety.

If you think you may be vulnerable to social engineering techniques, or you think you are at risk of being socially engineered, put in place a way to prepare for the problem. Of course, you should also be prepared for the inconvenience of using a much safer form of 2FA. If you want to know more about basic security principles, please refer to ‘5 Simple Ways to Improve Security’.
[email protected]

Source: ITWorld Korea by www.itworld.co.kr.

*The article has been translated based on the content of ITWorld Korea by www.itworld.co.kr. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!