Uber ignores security bug that makes its two-factor authentication useless (zdnet.com)
22 points by smacktoward on Jan 21, 2018 | 5 comments

Linkbait. To save you a click, the article, after spending more than half talking about past stuff, then states:

> We also independently reproduced and verified the bug, albeit with mixed results. In some cases the bug would work, and in others the bug would fail, with nothing obvious to determine why.

The state of the attention economy is truly depressing.

It also has the line "by sending a code by text message to your phone, for example, which only you would have access to." when talking about what 2FA is. It's true that that's used in practice, but it's utterly false that "only you would have access" to text messages sent to your phone number. Or that a text sent to your phone number must go to your phone (SS7 vulnerabilities, porting attacks, etc.) There are many good reasons NIST recommends not using SMS for authentication.

"Uber only uses two-factor "when certain requests are deemed suspicious," and it is "not an account-wide setting used on every device," Fletcher told Saini in the bug report.

Ensign said the company uses "machine learning to enforce risk-based authentication by default for all rider and driver accounts." The company uses hundreds of signals -- first revealed by Gizmodo in 2016 -- to detect potentially suspicious behavior, like unauthorized logins and fraudulent rides."

Looks like machine learning is being used to find the optimal balance between security and usability. I've read that they also use machine learning to optimize and automate customer service and automate solutions. The login fraud score, the nature of the trip taken by the user (or other actions taken in the app), and any subsequent contacts with customer service can all be used as signals to automate a solution that is satisfactory to the user.

If true, this makes sense because a legitimate login that is hampered by 2fa turned on every time for basic actions that generate revenue costs the company money. So long as customers' happiness and usage frequency keeps going up and to the right quickly, this is a non-story of a company trying to engineer an optimal solution to authentication.

I'm pretty sure similar machine learning solutions are used at Google, Facebook and Amazon, since I can only intermittently trigger 2fa with all these other companies as well. Only certain actions like managing security settings always require 2fa.
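The risk-based authentication the comment above describes can be sketched as a small decision engine. The following is an added example and is not Uber's code or anything from the article; the signal names, integer weights and the step-up threshold are assumptions chosen to illustrate the allow / step-up / deny split. The point worth seeing in code is the last function: once the engine decides a second factor is required, the login must only succeed if that factor is positively verified, so a challenge that fails or cannot be delivered denies rather than allows (the fail-closed property that any 2FA bypass violates). The weights also show the usability trade-off the comment mentions: a single unfamiliar signal stays below the threshold, two of them trigger the challenge.

```python
"""Risk-based step-up authentication, illustrated with constructed data.

Added example; not Uber's implementation. Signals, weights and the
threshold below are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    ALLOW = "allow"        # low risk: no second factor requested
    STEP_UP = "step_up"    # risk at/above threshold: require a second factor
    DENY = "deny"          # hard signal (e.g. denylisted IP) or failed step-up


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_known: bool            # device fingerprint seen on this account before
    geo_matches_history: bool     # login location consistent with recent history
    recent_failed_logins: int     # failed attempts on this account in the last hour
    ip_on_denylist: bool          # source IP on a known-bad list


# Hypothetical weights (assumption). Integer points keep the arithmetic exact.
WEIGHTS = {
    "unknown_device": 45,
    "geo_mismatch": 35,
    "failed_login": 10,      # per recent failure, capped at MAX_FAILED_COUNTED
}
MAX_FAILED_COUNTED = 5
STEP_UP_THRESHOLD = 50       # assumption: score >= threshold requires step-up


def risk_score(a: LoginAttempt) -> int:
    """Sum the weighted signals into a 0..100 risk score."""
    score = 0
    if not a.device_known:
        score += WEIGHTS["unknown_device"]
    if not a.geo_matches_history:
        score += WEIGHTS["geo_mismatch"]
    score += WEIGHTS["failed_login"] * min(a.recent_failed_logins, MAX_FAILED_COUNTED)
    return min(score, 100)


def decide(a: LoginAttempt) -> Decision:
    """Hard signals deny outright; otherwise the score picks allow vs. step-up."""
    if a.ip_on_denylist:
        return Decision.DENY
    return Decision.STEP_UP if risk_score(a) >= STEP_UP_THRESHOLD else Decision.ALLOW


def finish_login(a: LoginAttempt,
                 verify_second_factor: Callable[[], Optional[bool]]) -> bool:
    """Complete the login. verify_second_factor returns True (code verified),
    False (wrong code) or None (challenge could not be delivered or checked).

    Fail closed: when a step-up was required, anything other than a positive
    verification denies the login. Treating None as success is exactly the
    kind of gap that turns an optional second factor into no factor at all.
    """
    decision = decide(a)
    if decision is Decision.ALLOW:
        return True
    if decision is Decision.DENY:
        return False
    return verify_second_factor() is True


if __name__ == "__main__":
    # Constructed sample attempts.
    trusted = LoginAttempt("alice", True, True, 0, False)
    new_device_far_away = LoginAttempt("alice", False, False, 0, False)
    print(decide(trusted), decide(new_device_far_away))
    print(finish_login(new_device_far_away, lambda: None))   # challenge undeliverable
```

The interesting cases for a reviewer are the ones where the engine's threshold is never reached or where the challenge path returns something other than a clear success: `decide` lets an unknown device through on its own, by design, and `finish_login` refuses a step-up whose verification came back `None`.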

Is this intermittency supposed to make it less scary?
