What Uber's data breach reveals about social engineering



Few techniques are as popular among cybercriminals as social engineering. Research shows that IT staff receive an average of 40 targeted phishing attacks a year, and many organizations are struggling to intercept them before it's too late.

Just yesterday, Uber was added to the long list of companies defeated by social engineering after an attacker managed to gain access to the organization's internal IT systems, email dashboard, Slack server, endpoints, Windows domain and Amazon Web Services console.

The New York Times [subscription required] reported that an 18-year-old hacker sent an SMS message to an Uber employee impersonating support staff to trick them into handing over their password. The hacker then used it to take control of the user's Slack account, before later gaining access to other critical systems.

The data breach sheds light on the effectiveness of social engineering techniques and suggests that enterprises should reevaluate their reliance on multifactor authentication (MFA) to secure their employees' online accounts.


Social engineering: the low-barrier way to hack

In many ways, the Uber data breach further illustrates the problem of relying on password-based authentication to control access to online accounts. Passwords are easy to steal with brute-force attacks and social engineering scams, and they provide a convenient entry point for attackers to exploit.

At the same time, no matter how good an organization's defenses are, if it relies on passwords to secure online accounts, it only takes one employee to share their login credentials for a breach to occur.

"Uber is the latest in a string of social engineering attack victims. Employees are only human, and eventually, mistakes with dire consequences will be made," said Arti Raman, CEO and founder of Titaniam. "As this incident proved, despite security protocols in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data and share them with the world."

While measures like turning on multifactor authentication can help to reduce the likelihood of account takeover attempts, they won't completely prevent them.

Rethinking account security

Often, user awareness is an organization's best defense against social engineering threats. Using security awareness training to teach employees how to detect manipulation attempts in the form of phishing emails or SMS messages can reduce the likelihood of them being tricked into handing over sensitive information.

"Regular cybersecurity awareness training, penetration testing and antiphishing education are powerful deterrents to such attacks," said Neil Jones, director of cybersecurity evangelism at Egnyte.

Organizations simply cannot afford to make the mistake of thinking that multifactor authentication is enough to prevent unauthorized access to online accounts. Instead, company leaders need to assess the level of risk based on the authentication options supported by the account provider and implement additional controls accordingly.

"Not all MFA factors are created equal. Factors such as push, one-time passcodes (OTPs) and voice calls are more vulnerable and are easier to bypass via social engineering," said Josh Yavor, CISO at Tessian.

Instead of relying on these, Yavor recommends implementing security-key technology based on modern MFA protocols like FIDO2, which have phishing resistance built into their design. These can then be augmented with secure-access controls to enforce device-based requirements before granting users access to online resources.
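To make Yavor's point concrete, here is an added example (not from the article, Uber, or any vendor quoted) that models the relying-party checks behind FIDO2/WebAuthn's phishing resistance: the signed assertion carries the origin the browser was actually connected to, so a challenge relayed through a lookalike site fails verification, whereas an OTP check has no origin to inspect. The origins, the authenticator key and the use of HMAC in place of a real public-key signature are all constructed assumptions so the code runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying-party origin and a constructed authenticator key. HMAC stands
# in for the authenticator's real public-key signature so this runs on the stdlib.
RP_ORIGIN = "https://login.example.com"
AUTHENTICATOR_KEY = b"constructed-demo-authenticator-key"


def authenticator_sign(challenge: bytes, origin: str) -> dict:
    """Client side: the browser records the origin it is actually connected to,
    and the authenticator signs over that client data plus the challenge. The
    user cannot make the device sign for an origin they are not visiting."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    digest = hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "signature": hmac.new(AUTHENTICATOR_KEY, digest, "sha256").digest()}


def verify_assertion(assertion: dict, issued_challenge: bytes) -> bool:
    """Relying-party side, modelled on the WebAuthn assertion checks: the signed
    challenge must be the one we issued, the signed origin must be ours, and the
    signature must cover exactly that client data."""
    data = json.loads(assertion["client_data"])
    if not hmac.compare_digest(bytes.fromhex(data["challenge"]), issued_challenge):
        return False  # stale or replayed challenge
    if data["origin"] != RP_ORIGIN:
        return False  # assertion was produced while talking to some other site
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, digest, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login() -> bool:
    """User visits the real origin; the assertion verifies."""
    challenge = secrets.token_bytes(32)
    return verify_assertion(authenticator_sign(challenge, RP_ORIGIN), challenge)


def relayed_login(lookalike_origin: str = "https://login-example.com") -> bool:
    """User is lured to a lookalike site that forwards our genuine challenge. The
    authenticator signs, but over the lookalike origin, so verification fails."""
    challenge = secrets.token_bytes(32)
    return verify_assertion(authenticator_sign(challenge, lookalike_origin), challenge)


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """Contrast with a one-time passcode: the check sees only the digits, so the
    server has no way to tell which site the user typed them into."""
    return hmac.compare_digest(expected_code, submitted_code)
```

The origin check is what a server-side OTP or push verifier structurally lacks, which is why user awareness training remains the main defense for those factors.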

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.
