Authentication | Do the Simple Things | Uber & the Horsemen of the Breach Apocalypse
Heads rolled at Uber today as another CISO became a sacrificial lamb to the First Horseman of the Breach Apocalypse: Uber reported a breach affecting 50 million of its customers and about 7 million Uber drivers. Personal information including names, phone numbers, email addresses and driver’s license numbers was compromised.
The reporting by Bloomberg and early disclosures from Uber indicate that the root cause was once again a credential compromise (stolen login credentials for a cloud-based storage system used by its developers). That attack allowed a small lapse in security to spiral into a huge liability for the brand and the business.
While others may gloat at Uber’s misfortune, sadly, this is par for the course in the industry. The use of credentials (passwords, legacy OTP) that can be stolen, phished or attacked by a man-in-the-middle is rampant. Such neglect hasn’t risen to board-level attention, or there would be a rush to modernize credential systems to protect against such attacks.
It is a well-documented fact in neuroscience research that individuals are very poor at assessing risk. We worry about terrorist events when we are far more likely to be crushed by furniture. We spend millions of dollars on dubious pills when a short walk around the block would do more to extend our lifespan. We are two times more likely to be attacked by a vending machine than a shark, yet the term “Jaws” is more often associated with the gilled variety than the human.
Corporations are no different. In an age of threats such as weak credentials that stand to damage their customers, gut the value of their brand and jeopardize the course of their business, they persist in irrational actions and investments when simple measures like prioritizing modern strong authentication would eliminate many of the threats to their business.
The First Horseman of the Breach Apocalypse: Weak Credentials
Weak credentials make up the First Horseman of the Breach Apocalypse and he will mercilessly continue to cut down leaders and businesses that persist in using them.
Most of the industry today is locked into shamefully weak and insecure authentication practices based on passwords and legacy OTP systems, both of which rely on symmetric shared secrets. These practices are vulnerable to phishing and malware and lead to scalable attacks that harvest credentials for more damaging uses. Verizon's 2017 Data Breach Investigations Report documents that 81% of data breaches involve a compromised credential.
Further, these businesses irrationally pour millions of dollars into firewalls/intrusion-detection/APT systems, home-grown or proprietary authentication systems ahead of investing in strong standards-based modern multi-factor authentication.
There is salvation from the First Horseman of the Breach Apocalypse: widely deployed, market-tested and universally endorsed standards like those from the FIDO Alliance provide strong, phishing- and MitM-resistant, multi-factor, password-less authentication that is simple for users, developers and IT staff to manage.
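As an added illustration, not part of the original post, of why a symmetric OTP can be relayed by a phishing site while an origin-bound FIDO-style assertion cannot, the Python simulation below uses constructed origins, keys and a server nonce, and an HMAC as a stand-in for the authenticator's asymmetric signature (the point shown is the origin binding, not the signature algorithm):

```python
import hmac, hashlib, json, struct, time

# Constructed sample values for the simulation (not from the original post).
RP_ORIGIN = "https://rides.example"         # the legitimate relying party
PHISH_ORIGIN = "https://rides-example.net"  # look-alike site relaying traffic

# --- Legacy OTP: one symmetric secret shared by the server and the device ---
OTP_SECRET = b"constructed-shared-secret-known-to-both-sides"

def otp_code(secret: bytes, window: int) -> str:
    """Simplified HOTP/TOTP-style 6-digit code for a 30 s time window."""
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

def otp_login(code: str, window: int) -> bool:
    # The server cannot tell on which site the user typed the code.
    return hmac.compare_digest(code, otp_code(OTP_SECRET, window))

# --- FIDO-style: challenge-response signed over the origin the browser saw ---
# Stand-in for the authenticator's private key. Real FIDO uses an asymmetric
# key pair, so the server holds only a public key and nothing phishable.
AUTHENTICATOR_KEY = b"constructed-device-key-never-leaves-the-authenticator"

def authenticator_assert(challenge: bytes, observed_origin: str) -> dict:
    """The browser supplies the origin it is really on; it is signed with the challenge."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": observed_origin})
    sig = hmac.new(AUTHENTICATOR_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def fido_login(assertion: dict, expected_challenge: bytes) -> bool:
    data = json.loads(assertion["client_data"])
    expected_sig = hmac.new(AUTHENTICATOR_KEY, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
    return (hmac.compare_digest(assertion["signature"], expected_sig)
            and data["challenge"] == expected_challenge.hex()
            and data["origin"] == RP_ORIGIN)  # origin check defeats the relay

def relay_attack_outcomes() -> dict:
    """Simulate a man-in-the-middle forwarding the user's response to the real site."""
    window = int(time.time()) // 30
    # OTP: the user types the code into the phishing page; the relay forwards it.
    otp_relayed = otp_login(otp_code(OTP_SECRET, window), window)
    # FIDO: the real challenge is forwarded, but the browser reports the phishing origin.
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    fido_relayed = fido_login(authenticator_assert(challenge, PHISH_ORIGIN), challenge)
    fido_genuine = fido_login(authenticator_assert(challenge, RP_ORIGIN), challenge)
    return {"otp_relay_succeeds": otp_relayed, "fido_relay_succeeds": fido_relayed,
            "fido_genuine_succeeds": fido_genuine}
```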
There are other Horsemen (patching, encryption and others) to be sure, and living in the modern connected world involves risk. The trick is to do the simple things that allow you to fend off the Horsemen and to limit the damage that attackers can do to your brand and customers. That, and take a walk around the block, avoiding vending machines.