Either personal (like asking your bank to revoke all cards you used with Uber) or work-related (recheck your security posture so that you won't have a Uber-level catastrophe)?
That's true. But like the parent poster, I'm likewise glad I had avoided using them.
What I hated about Uber and why I never ended up using it was that their app wanted so much info from my phone for no discernibly good reason. And Lyft didn't seem to be much better. I just wanted a ride man, I didn't want a 500 MB app that sucked all the data out of my phone and sent it to god knows where.
So I've just ended up calling taxis.
It's not that your data won't get compromised by someone else, it's just about mitigating the exposure.
I acknowledge my tradeoffs wouldn't make sense for a frequent traveller.
What data can app get from you that you don’t specifically allow? The Uber app only knows my location while I’m using it. If I choose not to give it my credit card number, I can just pay using Apple Pay and they have a one time use credit card.
Not to mention with Uber/Lyft, I know exactly where my driver is, I don’t have to flag down a taxi, I know the price before I sit in the car, etc.
Agreed. The financial aspect doesn’t bother me as it is very likely that action can be taken to prevent future misuse, and reparations can be made for past abuse.
Drivers seem to be hit with a PII breach though, and I’d have concerns if pickup and drop off locations were exposed, particularly for those where that information might be sensitive (e.g. journalists in some jurisdictions).
Good, but the attacker spammed 2FA requests at an employee until they convinced them to accept one. Other than FIDO I think, most forms of 2FA are vulnerable to this.
By setting up a dummy login screen that you unwittingly enter a valid code into (which I believe is the current best guess for how it was achieved in this case.)
Some corporate 2FA apps send a push notification to a mobile device. Because of how that is set up, it doesn't always (A) show what the login is for because it shows the name of the SSO app instead of the actual application, (B) show other correct data, e.g. if the user is on a VPN, the location may be the VPN endpoint because of IP-address based locations, and (C) it doesn't always show on the user's device that a login needs to take place, because it may be an Exchange connection refreshing periodically in the background
So, some people just accept whatever pushes they get.
You can obviously rate limit the requests, and there are other tricks as well. I tend to think FIDO is better than push notifications for other (related) reasons, but it's not impossible to mitigate this kind of attack.
The vibe I get is this is an internal compromise. Disgruntled employee, maybe looking for evidence of upcoming layoffs, doesn't find them, now makes it look like "a hacker".
PCI standard requires them to report the incident. I think most card issuers would close the affected cards (my bank had done that a few times, rather annoyingly without telling!)
I'm not pre-emptively revoking my card either. In this case the decision should be up to the issuer, not me. They have more or at least the same information as me and it's their money that's at risk.
I always used Apple Pay to pay for Uber rides, so I'm not sure there's any card # to be stolen. I'm sure someone who knows better than I do will chime in :)
I never drove for Uber nor worked as a corporate employee (no risk for SSN leak). Have only used them as a customer.
I only paid for their services using Apple Pay. Even if that number was compromised, the CVV would no longer be valid. I think most banks would automatically re-issue the account number (not the physical card number) if they detect fraudulent use.
The only time I saved a card to Uber was before the NFC era (pre-2015/2016). Those cards have long been removed from the account and have expired.
I am not too worried. Worst case scenario, they have my address and name. Which are both publicly available anyways.
Although maybe I shouldn’t be too complacent. If the data is sold, then it will make me more vulnerable to social engineering attacks. Albeit knowing Uber has been hacked I will be much more aware.
I was dumb and they have details for two physical cards + a virtual card that I use in a few other places + my personal phone number that is still pretty hard to find + my personal email address as I used 'sign in with Google' when I recently set it up in a rush instead of my normal 'services/spam' email :(
So yeah not great, but also too much effort to pre-emptively revoke anything so I'll just hope that the fallout isn't too bad.
Going to wage jihad on everything less than FIDO2/WebAuthn in any org where I'm affiliated; previously people were pushing for using push-auth shit (e.g. Microsoft Authenticator) as an option.
Previous jihads against hardcoded credentials (use Vault or equivalent).
I get the spirit of your conversation but I urge you to not normalize a term like jihad. It’s sole purpose is to exterminate people by means of brutal violence who don’t fall in line in the name of religion.
Pretty weird since in the original language it just means Struggle. Cleaner connotation than the western equivalent 'Crusade' which is used secularly all the time tbh.
It's simply a matter of how many people are affected by jihad vs crusade in the last few decades. This is the first time I'm seeing jihad used in something not associated with terrorism.
A drink called the Irish car bomb can be readily ordered anywhere in the US, despite brutal killings in the 80s-90s. Use of a term is oft separated from the historical connotations of it.
No, I meant that the systematic elimination of the use of Slack is my next holy war/crusade/jihad objective after coming solving the mfa problem. (Team communications should be e2ee, with no external party having access; for group chats up 10-20 that's viable; beyond that, company-encrypted to keys held by the company only.)
It shouldn’t be an issue given that for compliance reasons they don’t store credit card data and instead use a third party, and even if they got access to the API keys for that provider, they shouldn’t have access to enough data to somehow use your card.
Why are you assuming that any sensitive information about customers have been compromised? Uber is legally required to report to its users what is at risk of having been stolen, and so far they haven't said anything.
Absence of proof is not proof of absence. Uber has no fucking idea what's happening, just like Heroku a few months ago. They got completelly pwned. Assume everything has been leaked.
Uber is infamous for not following the law¹. There is at least one other known case of them not disclosing a data leak²:
> In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.
So many leaks I've given up caring. Actually I haven't had any fraud for a few years now, it feels like getting better? I do rely on Amex now which seems much easier to cancel any transaction.
> [From the end of the article] Lawyers for Mr. Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Mr. Sullivan.
Unless and until CEOs are held personally responsible for such security breaches there will be no solution to the problem. A Chief Security Officer job looks more and more as a designated scape-goat for hire.
It is an idea I hear often, but I don't think it will solve anything. The CEO will be the scapegoat, and may get paid better for the risk taken. So having a CEO scapegoat or a CSO scapegoat, same thing.
You have to realize that a CEO is just an employee. An important employee, but like any other employee, he is paid to do a job, and can be fired if his employers are not satisfied with his work.
If we want to punish the people who have the ultimate responsibility, that would be the shareholders. And it may include you if you have stock in that company. The CEO could also be punished as a shareholder (CEOs usually are), but not as a CEO unless he commit fraud against the shareholders.
We could imagine prison sentences for the most important shareholders, but really, financial sanctions are the most fair. Shareholders will lose money proportional to their share. And if the CEO really is the problem, shareholders will be very unhappy and he won't last long and may even get sued.
It's interesting that if you commit crimes or harm, whether intentional or not, but in the aggregate, at scale, etc. that you can get away with it or just be fined. Be a single employee that accidentally or intentionally leaks information, particularly company or government information, and you'll be sued to oblivion. Or imagine being a lower or middle class person charged with a crime or have a civil suit brought against you and all you get is a like $20 fine.
68 comments
[ 3.4 ms ] story [ 130 ms ] threadWhat I hated about Uber and why I never ended up using it was that their app wanted so much info from my phone for no discernibly good reason. And Lyft didn't seem to be much better. I just wanted a ride man, I didn't want a 500 MB app that sucked all the data out of my phone and sent it to god knows where.
So I've just ended up calling taxis.
It's not that your data won't get compromised by someone else, it's just about mitigating the exposure.
I acknowledge my tradeoffs wouldn't make sense for a frequent traveller.
Not to mention with Uber/Lyft, I know exactly where my driver is, I don’t have to flag down a taxi, I know the price before I sit in the car, etc.
And in the apple appstore it says 363MB size.
I don't know if apple calculates the unpacked and installed size or if it is the "download size" too.
It sucks for my phone number but it won't be the first hack/leak where it is shown next to my name.
Not sure about the scope of the hack so I won't be canceling my card yet.
Drivers seem to be hit with a PII breach though, and I’d have concerns if pickup and drop off locations were exposed, particularly for those where that information might be sensitive (e.g. journalists in some jurisdictions).
https://theguardian.com/technology/2022/sep/15/uber-computer...
So, some people just accept whatever pushes they get.
I only paid for their services using Apple Pay. Even if that number was compromised, the CVV would no longer be valid. I think most banks would automatically re-issue the account number (not the physical card number) if they detect fraudulent use.
The only time I saved a card to Uber was before the NFC era (pre-2015/2016). Those cards have long been removed from the account and have expired.
I am not too worried. Worst case scenario, they have my address and name. Which are both publicly available anyways.
Although maybe I shouldn’t be too complacent. If the data is sold, then it will make me more vulnerable to social engineering attacks. Albeit knowing Uber has been hacked I will be much more aware.
So yeah not great, but also too much effort to pre-emptively revoke anything so I'll just hope that the fallout isn't too bad.
Previous jihads against hardcoded credentials (use Vault or equivalent).
Next target after this will probably be Slack.
1 - https://slack.com/help/articles/360019110974-Slack-Enterpris...
Is my credit card information compromised in a way that allows attackers stealing my money?
Canceling cards preemptively is a nuclear option.
Uber is infamous for not following the law¹. There is at least one other known case of them not disclosing a data leak²:
> In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.
¹ https://www.theguardian.com/news/2022/jul/10/uber-files-leak...
² https://www.nytimes.com/2022/09/15/technology/uber-hacking-b...
Unless and until CEOs are held personally responsible for such security breaches there will be no solution to the problem. A Chief Security Officer job looks more and more as a designated scape-goat for hire.
You have to realize that a CEO is just an employee. An important employee, but like any other employee, he is paid to do a job, and can be fired if his employers are not satisfied with his work.
If we want to punish the people who have the ultimate responsibility, that would be the shareholders. And it may include you if you have stock in that company. The CEO could also be punished as a shareholder (CEOs usually are), but not as a CEO unless he commit fraud against the shareholders.
We could imagine prison sentences for the most important shareholders, but really, financial sanctions are the most fair. Shareholders will lose money proportional to their share. And if the CEO really is the problem, shareholders will be very unhappy and he won't last long and may even get sued.