Über's Bastard Supply Chain Security


A year ago, Mad Max was scammed by someone that had obviously hacked the Über database. I was taking an Über ride in Phoenix and got a TEXT notification from AmEx that credit card was frozen due to some suspicious activity. I quickly determined that the AmEx TEXT was bogus. Smart phishing, however, since I was in the middle of an Über ride may well have clicked on the link, fearing that AmEx wouldn't honor my card. Cool hack, really.

I later notified Über about the incident, and was given some mealy mouthed assurances that the problem had been corrected. Bastards!

The hackers/phishers (1) knew my cellphone number,  (2) knew my payment method was AmEx, and (3) knew is was in the middle of a ride at the moment!  That's a SERIOUS hack, right?

This week, the U.K. Register (read the story here) reported that two hackers got private access keys to "…an Über backend database hosted by Amazon Web Services…" and extorted $100,000 from Über. Well, Mad Max was one of the 57 million customer and drier personal records, Rather than call the police, Über paid the extortion money after getting the hackers to sign non-disclosure agreements. Oh, yeah: Über hid the database intrusion from the FTC.

I hope Über gets their ass sued off. And the class action plaintiffs should also name Amazon in the suit, since Amazon is NOT protected against impersonation attacks. Even though Über has adequate DMARC protection, their system security is only as good as the weakest link in their supplier chain.

Mad Max
Jailhouse Lawyer

#über #aws #dmarc #ftc

Comments

Popular Posts