Suni Munshani, CEO of Protegrity, agreed. “Trolling the Dark Web is an enormous task,” he said, “and it’s reactive, hit-or-miss and doesn’t solve the core attack vector here, which appears to be a flawed authentication process.”
But James Chappell, CTO and cofounder of Digital Shadows, said there still may be some value to monitoring the Dark Web. He agreed that, “it is hard to gain a comprehensive view of the marketplaces where accounts are sold, as in most cases they require some sort of transaction to become a trusted user.”
But he said the tools needed to access the Dark Web, “are readily available and easy to use, and organizations can learn about what is being discussed and what tactics, techniques, and methods cyber criminals are using. Gaining this situational awareness can help organizations such as Uber make better and more effective security decisions.”
Cabrera added that, “many companies already either build or buy advanced threat intelligence programs (that can) create their own threat intelligence by scouring various criminal underground market places for accounts for sale.”
Then there are cases where a user gets notified that a ride he didn’t order is about to arrive in some far-away city or country. That raises the question: If the real user contacts Uber immediately, couldn’t the company notify the driver that he or she is carrying a fraudulent ride?
The Solutionary team said it might be technologically possible, but would be easier, and much safer, “to allow that fraudulent rider to finish the ride, then disable the compromised account.”
Fred Touchette, manager of security at AppRiver, agreed. “As long as Uber can authenticate the claim, it should be relatively easy,” he said, “but as far as what the driver should then do, it could be trickier, because driver safety would be a big concern.”
Munshani said the better solution would be, “to verify the individual before the transaction occurs, using something more reliable than a simple password.”
And that leads to the responsibility of users to be more concerned about safety than convenience. If they don’t want their credentials stolen, they need to make more of an effort to protect them.
The Solutionary team noted that if login credentials are stolen and the thief creates a new name, email address and different mobile number, Uber then sends a text verification with a four-digit token to the new number, plus a separate message to the older number, notifying the user of a change in the account.
“But if the authorized user had disabled SMS (short message service) notifications from Uber, they will never see the notification that changes have been made to their account. So, while Uber does an excellent job at pushing 2FA by default, it also allows users to effectively opt out of 2FA,” the team said.
Sign up for CIO Asia eNewsletters.