2FA Fatigue
By Tom Kovacs • October 14, 2022
A big story in the world of online security recently has been the breach of Uber by the online hacking group ‘Lapsus$’. When you tend to think about the security of major corporations being bypassed, your mind might go to images of a hacker frantically typing away at a keyboard while trying to breach a company’s firewall, or you might imagine a hacker sneaking into a company location and plugging themselves directly onto a local network. Like so many other things we’ve seen in the movies and on TV though, the reality of the matter is far less complex and far more boring.
An Uber contractor’s account credentials had been leaked onto the "Dark Web," where the attacker purchased them. After getting the credentials, the attacker attempted to log into Uber’s network but was initially thwarted by Uber’s multi-factor authentication (MFA, also well known as 2FA) requirement.
If you’ve attended any of my ‘Tech Talk with Tom’ sessions at various FOREVER events over the years, you’re well aware of what MFA/2FA is and why it’s a critical part of protecting yourself online. For those who maybe haven’t: MFA/2FA requires you to provide a second form of identification beyond your username and password to prove that you are, in fact, you.
This is most commonly done via text message, authenticator app, or even in some cases phone calls, though there are other options beyond those out there as well. MFA/2FA helps protect your account in the event of someone gaining access to your username and password, as they still won’t be able to access the protected account without that second identification form.
Uber’s MFA/2FA system did its job perfectly. Once the hacker used the stolen credentials, Uber’s system required that second identification factor, which in this case took the form of a push notification to the contractor's phone, asking them to approve the sign-in attempt. The contractor got the notice and denied the access attempt. Case closed, right?
Wrong. The hacker continued to attempt to log into the contractor's account over and over, each time triggering another push notification that the contractor had to respond to. Eventually, the contractor got tired of denying the attempt over and over and finally approved the access attempt, presumably to stop their phone from buzzing every five seconds. At that point, the hackers were through Uber’s substantial perimeter defenses and were onto their internal network.
There were multiple things here that could have been done better in hindsight. Uber could have had a policy in place to lock out the contractor's account after so many denied MFA/2FA prompts. The contractor could have received better security awareness training from Uber IT (our employees here at FOREVER are given monthly training about security awareness… guess what we talked about this month?) to understand that the abnormal experience they were having should have been reported to Uber’s security team for investigation and action.
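To make the "lock out after so many denied prompts" idea concrete, here is an added example of what such a detection rule looks like when run over authentication logs. This is illustrative code written for this post, not Uber's system or any vendor's product; the log line format, the user names, the IP addresses and the thresholds (three denials within ten minutes) are all constructed for the example. It raises a lockout once a user denies too many push prompts in a short window, and it raises a second, higher-priority alert when an approval arrives right after that burst of denials, which is exactly the pattern the contractor's account showed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not a real product's format):
#   <ISO-8601 timestamp> user=<name> event=mfa_push result=approved|denied src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>approved|denied) src=(?P<src>\S+)$"
)

# Constructed sample events: one account hammered with prompts that eventually
# gets approved, one normal user, and one user whose denials are spread out.
SAMPLE_LOG = """\
2022-09-15T21:00:00Z user=bob event=mfa_push result=denied src=198.51.100.9
2022-09-15T21:03:10Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:03:25Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:04:02Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:05:40Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:06:15Z user=contractor01 event=mfa_push result=approved src=203.0.113.7
2022-09-15T21:07:00Z user=alice event=password_login result=success src=192.0.2.44
2022-09-15T21:10:00Z user=alice event=mfa_push result=denied src=192.0.2.44
2022-09-15T21:10:30Z user=alice event=mfa_push result=approved src=192.0.2.44
2022-09-15T21:20:00Z user=bob event=mfa_push result=denied src=198.51.100.9
2022-09-15T21:40:00Z user=bob event=mfa_push result=denied src=198.51.100.9
"""


def parse_line(line):
    """Parse one MFA push log line into a dict, or return None for other events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group("user"), "result": m.group("result"), "src": m.group("src")}


def detect_push_fatigue(lines, max_denials=3, window=timedelta(minutes=10)):
    """Sliding-window rule: lock an account after max_denials denied prompts inside
    `window`, and flag any approval that follows such a burst.

    Returns (alerts, locked_users). Alerts are dicts in the order they fired.
    """
    recent = defaultdict(deque)  # user -> timestamps of denials still inside the window
    locked = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an MFA push event; ignore
        user, ts = ev["user"], ev["ts"]
        dq = recent[user]
        # Drop denials that have aged out of the window.
        while dq and ts - dq[0] > window:
            dq.popleft()
        if ev["result"] == "denied":
            dq.append(ts)
            if len(dq) >= max_denials and user not in locked:
                locked.add(user)
                alerts.append({"user": user, "ts": ts, "kind": "lockout", "denials": len(dq)})
        else:  # approved
            # An approval right after a burst of denials is the fatigue pattern itself.
            if user in locked or len(dq) >= max_denials:
                alerts.append({"user": user, "ts": ts, "kind": "approved_after_denials",
                               "denials": len(dq)})
    return alerts, locked


if __name__ == "__main__":
    found, locked_users = detect_push_fatigue(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts'].isoformat()} {a['kind']:24} user={a['user']} denials={a['denials']}")
    print("locked:", sorted(locked_users))
```

Two details matter in practice. The window is what keeps the rule from punishing a user who fat-fingers a denial once a week (bob never trips it), and the second alert type is the one worth paging on: a lockout alone only tells you someone is knocking, while an approval after repeated denials tells you the door may already be open. In a real deployment the lockout would also disable the session that the approval created and notify the security team, rather than just logging.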
If you’re using MFA/2FA on all the accounts you can, great! A gold star for taking the initiative to better protect yourself in an increasingly hostile online world! But don’t let that alone make you think you’re totally secure. In the case of MFA/2FA, if you ever receive a request to approve or a code that you weren’t expecting, you should deny the request and reach out to the company the account is tied to for assistance.
This is also a great example of why you should use unique passwords for all of your online accounts, and a password management solution to manage those. When passwords are leaked, the hackers that purchase them often try them against any number of common online accounts (think Gmail, Microsoft 365, eBay, Amazon, etc.), because people tend to use their passwords across multiple sites.
Good online security comes in layers. MFA/2FA, unique passwords, and a password management solution are just some of those layers. Individually they are effective, but together they can make for a strong defense against those that may try to break into your online accounts.
Stay vigilant in protecting yourself online, and as always feel free to reach out to our Client Care Team if you ever have any questions about your FOREVER account and its security!