Former Uber employee. I'm not a fan of the company. But don't shit on the efforts of the security team please. They were actually quite thorough.
We used online MFA (you had to respond to MFA requests on your phone). Not even sure why this is a discussion as the hacker confirmed it was a case of social engineering. No MFA protects against social engineering (no, not even ____ - don't try to convince me).
And yes, at least when I was there, there was pretty good training on SE deterrence.
Further, OneLogin was used, Yubikeys were phased out early on. I'd be surprised if they had brought them back, as I remember the security team being somewhat averse to them. I'm sure OneLogin is also investigating.
The security team at Uber was quite good. Constantly under stress. Constantly overworked. The last thing they need are know-it-alls speculating about how stupid they are on HN. Cut them some slack - this could happen to any company (yes, it could, even yours - don't try to convince me otherwise).
>No MFA protects against social engineering (no, not even ____ - don't try to convince me).
Certain MFAs can protect against more types of attacks than others. You covering your head in the sand when people point that out doesn't change that fact but merely indicates you prefer feeling right to being right.
>as I remember the security team being somewhat averse to them
So you're saying that the security team was averse to the thing that would have prevented this hack? And that means we shouldn't put blame on them?
Oh, cloud-based MFA. Dream stuff where your SaaS can reauthenticate at any time, and it just sends a request to the users, without having to rely on them to initiate anything. No idea what could go wrong with that. /s
> this could happen to any company (yes, it could, even yours - don't try to convince me otherwise)
There's a lot of cognitive dissonance in discussion around this story IMO. Nowadays I assume everyone has been or will be pwned, because no breach surprises me anymore. Any small gap can and will be exploited, and as organisations grow the surface area only gets larger and larger. The only way to truly secure data is to not put it on the internet from the jump. For every breach that's published, there's likely a dozen that we never find out about.
That's true - some kinds of social engineering cannot be prevented by technical means. BUT hardware keys prevent an entire class of extremely common attacks that every other form of MFA is vulnerable to. It would have prevented the method of compromise used here.
Any company not using FIDO/WebAuthn in 2022 is behind on best practices.
I mean, "social engineering" is pretty broad; saying MFA can't stop social engineering is like saying password managers can't stop hacking, or HTTPS can't stop spying. I mean, sure... but WebAuthn would have in fact stopped this type of social engineering attack (which was a fake login page). And scanning internal networks for hardcoded secrets would have stopped this type of privilege escalation afterwards.
Security is never absolute, but we're not talking about a nation-state/APT attack here; current reports seem to indicate this was a bored 18 year old acting alone.