It has been revealed that Uber ignored a security bug that could give potential hackers access into user accounts by bypassing two-factor authentication, with the taxi giant stating the flaw “isn’t a particularly severe” problem. Javvad Malik, Security Advocate at AlienVault commented below.
Javvad Malik, Security Advocate at AlienVault:
“Bug bounties are great for identifying flaws that may have slipped through regular testing and secure design. However, they shouldn’t be used as an alternative to rigorous testing.
It also illustrates one of the oft-mentioned challenges mentioned by researchers in that their findings are either not taken seriously, or are dismissed as duplicates without any real proof. For this reason, more transparency by companies that run bug bounties is needed.
Digging a bit into the technicalities, it’s important to understand that SMS isn’t necessarily true two-factor, rather it is two-step verification.
While the phone is “something you have” the phone isn’t integral to the second factor. If the SIM card was put in a different device, or the number was ported, then it is possible to authenticate without having that device. The same is true when email is used as a second ‘factor’.
This is particularly important to understand in the context of apps that reside almost exclusively on the phone. The struggle for many companies is that the app, email, and SMS all reside on the same device, a small device that is easy to steal or clone. So it is necessary that additional controls are deployed, akin to anti-fraud controls which would evaluate the likelihood that a booking is being made by a legitimate user. Taking into consideration factors like usual geography, a new device registering, the types of trips etc.
It’s not a particularly easy problem to solve with one change. Rather security needs to be sprinkled throughout the process – as well as having secure methods by which users can report lost or stolen devices. In the whole ecosystem, we’ll likely see two- step authentication become the accepted norm in the long run – with sensitive companies moving towards two-factor.”