What Happened, and How Can We Prevent Attacks Like these?

Not All MFA Is Created Equal

The recent cyber-attack on Uber has had the tech community buzzing.

The incident, an example of an attack method called MFA Fatigue, brings up an essential point about MFA that all individuals and organizations need to know: Not All MFA is created equal.

We’ve all heard from experts that Multi-Factor Authentication (MFA) is a must for security. Microsoft’s Ann Johnson said some time ago, “Enable MFA for 100% of your users. 100% of the time.”  But even with MFA turned on, attackers were able to gain access to Uber networks.

But what happened and how could the Uber hack have been prevented?

The Uber story is one unfortunate example of an attack method called MFA Fatigue.

Here’s what happened:
  1. User Credentials were stolen. [To our dismay, login credentials, or usernames and passwords are relatively easy for hackers to obtain. Phishing emails, malware, dark web purchases, and just plain guesswork are standard methods attackers use to obtain credentials. In this case, the attacker allegedly found the admin password for Uber’s Privileged Access Management (PAM) solution in a PowerShell file.] 
  2. Attackers repeatedly sent requests for access via push notification.
  3. Attackers called (phone number was public knowledge) to ask that the user accept the push request.
  4. Because of  “MFA Fatigue”, where the user finally gave in, pushing the Approve button simply by accident, or to stop the barrage of alerts, the push request was finally authorized, and attackers got in. 

This type of social engineering technique has been successfully used by the Lapsus$ and Yanluowang threat actors to gain access to well-known organizations, such as Microsoft, Cisco – and now Uber.

Experts advise employees: If you receive a sudden flood of MFA push notifications, do not panic, do not approve the MFA request, and do not talk to anyone claiming to be from your organization.
Contact company IT or supervisors and explain what’s happening. Then change the password for your account if you can, to prevent hackers from continuing to log in to initiate further MFA push notifications. …

The problem with the above suggestion is that it assumes humans are infallible. We’re not. We make mistakes. Just as in the Uber case, where an employee made a mistake, one can also forget passwords, share them, use the same one for multiple accounts, and so on.

OR … Better Yet: A Patented Solution to MFA Fatigue

Luckily, there is an easy way to avoid these types of attacks, using patented technology that is built into the Passwordless MFA solution from TraitWare.

In the Uber breach, attackers were able to gain access via push notification. TraitWare’s solution doesn’t allow it. TraitWare requires that the user confirm his/her identity before any transaction is authorized. In other words, with TraitWare, a push cannot be sent to a user until the user pre-authenticates to the app (verifies they are who they say they are), thereby eliminating the brute forcing of the push MFA (accept/decline request).  This way a bad actor cannot just autofill in a username and password and send repeated attempts.

If Not All MFA is Created Equal, What is “Good” MFA?

  • It’s not phishable. Nothing that’s shareable, nothing to type in, nothing to remember, or lose, or forget. *
  • It NEVER allows a fallback onto a username and password because those we know are easily obtained by bad actors. In other words, it’s not simply layered on top of a “legacy” system. … Having that fallback defeats the purpose of having MFA in the first place.
  • It’s easy to deploy and delightful to use – so that time is not lost, frustration is eliminated, and adoption is successful.
  • It is Native to the solution – meaning it’s built-in to the technology, so that it is more secure, and doesn’t add friction for users or admins. 

* The problem of unreliable legacy MFA has become serious enough to prompt the US Government to issue warnings, urging companies to use Phishing-Resistant MFA. Here’s an excerpt from a recent White House statement:

“For routine self-service access by agency staff, contractors and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice callssupply one-time codes, or receive push notifications.” 

Read more about the differences between legacy and modern MFA here below.

With TraitWare, there is never anything to type. Instead, MFA starts at account creation with a biometric or a factor that is tied to the user and a device the user already carries, so that the system can verify at every step that the user is who they say they are.

If you’d like to learn more about how TraitWare simplifies and secures login with Passwordless MFA+SSO for True Zero Trust Access™, drop us a line and we’ll book a time to chat.