The Uber Hack Shows Push Notification 2FA Has a Downside: It’s Too Annoying

On Thursday, Uber announced that it was “responding to a cybersecurity incident.” Less than 24 hours later, the “incident” appears to be a catastrophic data breach that exposed realms of corporate data to a hacker who claims to be an 18 year old. 

The New York Times first reported the breach and spoke to the hacker, who claimed he was able to socially engineer an Uber employee to grant him access to their corporate account. The hacker told Motherboard that he was after user data, but eventually settled on corporate data. 

In the hours after the breach was announced, more details about it have been revealed on Twitter. The hacker has apparently been talking to several cybersecurity experts, sharing some information on how they broke in. 

The hacker said that he first stole the Uber employee's password and then triggered Uber to send several multi-factor push notifications to the employee. These notifications are essentially pop-up windows that appear on an employee’s device, prompting them to approve or deny the login attempt. 

Initially, the employee did not authorize the log in, but the hacker contacted them on WhatsApp, said he was an Uber IT worker and that the employee needed to grant him access. After an hour of pestering, the employee gave in, according to a screenshot of a conversation between the hacker and a cybersecurity expert.

This breach shows that push notifications as a multi-factor is flawed. 

“In my eyes, 2FA push notifications have a weakness in that they can become so annoying that the target eventually accepts,” Rachel Tobac, the founder of SocialProof Security and an expert in social engineering, told Motherboard. “Of course, push notification 2FA is better than none, obviously. But in certain contexts, it can just seem like another spammy pop-up that users have to accept to make it go away, that seems like an issue.”

For years, cybersecurity experts have suggested people move away from having only their password as an authentication method. Initially, two-factor or multi-factor authentication used text messages containing a unique code. 

As Tobac suggested, any method for two-factor is better than none, but it’s become very easy for cybercriminals to exploit two-factor authentication via text messages, either intercepting the texts by abusing flaws in systems that constitute the backbone of telecom networks, tricking telecom providers’ employees into giving up their credentials and then taking advantage of their access to internal tools, or straight up bribing the telecom employees into doing SIM swapping attacks on behalf of the hackers. 

Another alternative is using an authenticator app that provides unique codes to input as the second factor. These are safer than text messages, but hackers can still phish and social engineer targets into giving away the codes.

Ideally, organizations, as well as individuals, should move to using hardware tokens such as YubiKeys or Titan security keys as a second-factor. This makes accounts virtually impossible to phish, as the user needs a physical token to get in. This is what recently saved CloudFlare from getting hacked like Twilio and Okta did in the last few weeks. 

Obviously not everyone is willing to buy and use a security key. Luckily, there are ways to make push notifications a bit better as a second factor. 

“Yes, there are risks to push notification MFA and if organizations are using MFA with push notifications, I recommend they turn on number matching and set off alerts and limits for spammed MFA push notifications to employees,” Tobac said. “All MFA has some downsides, this isn’t the only type with risk, this is just the risk we’ve seen today.”

Additional reporting by Joseph Cox.

Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content about our biggest stories.