Online taxi company Uber and the Intercontinental Hotel Group (IHG) were last week the latest victims to be hit by cyber attacks.
In the case of Uber, a teenage hacker posted several screenshots within Uber systems, and appeared to have access to many of their internal platforms.
It has transpired since that the 18-year-old hacker stole an employee’s password through social engineering and also tricked the employee into approving the push notification for Uber’s Multi-Factor Authentication, or MFA. Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.
The hacker confirmed they then used the stolen credentials to send repeated push notifications to the employee. They then sent the employee a WhatsApp message, claiming to be from Uber IT, stating for the authentication notifications to stop, he must accept, which he did.
This shows a classic case of the weakest point in any cyber defence, the human element. There are two points of failure, the inability to stop the details being stolen, and the lack of education for the employee to accept the instructions given in a WhatsApp message.
In the other high-profile hack of last week, 2 Vietnamese hackers infiltrated the Intercontinental Hotel Group (IHG). Initially planning a ransomware attack, IHG cyber security moved quickly to prevent this by isolating servers, however the hackers then deleted large amounts of valuable company data in response.
They initially gained access when an employee downloaded a malicious attachment from a phishing email. They also had to bypass an additional security prompt message sent to the worker’s devices as part of a MFA system.
MFA requires at least two independent factors, either something you know such as a password or pin, or something you have such as a card reader or dongle, or something you are such as a fingerprint or facial recognition.
Once past the MFA layers of security, the two hackers were able to access the company wide (200,000 employees!) password manager using the password…..Qwerty1234, giving access to every single system.
Both the Uber and IHG incidences highlight that even with MFA there are still risks posed. Not all MFA options are created equal with some being stronger than others. The less secure include the something you know, which can be engineered, or something you have where the codes can be intercepted or stolen.
The most secure MFA today is phishing-resistant authentication. This eliminates the use of shared secrets in the login process, removing the ability to intercept and replay access credentials. Even with these processes in place, MFA can be defeated by exploiting vulnerabilities in human behavior.
If you have concerns about your security and would like to enquire about a tenant security review, email protection or would like to arrange security training for your team(s), please fill in this form.