Uber’s security breach shows how much we trust companies with our data

Smartphones are the center of a lot of our lives — and with good reason. Several studies have proposed that smartphones themselves are an extension of a human at this point, and that’s why privacy violations are so egregious. If you think about it, it makes sense. We message loved ones, plan our days, and interact with the real world using our smartphones as the primary medium. That’s one pretty big reason why the Uber security breach is such a big deal.

If you’ve ever used a ride-hailing service like Uber, step back and think about what kind of data you have entered into the app. You’ve definitely entered addresses, and you may have even entered your home address more than once. How did you pay? With your credit card? And you obviously had to link your phone number and email too, right? What about your full name? If any individual piece of information was shared online, you’d probably be fine. However, all of that, in one place, at the same time? That’s bad and is a recipe for identity theft, credit card fraud, or, at worst, real-world ramifications like stalking or assault. In 2017, the American credit bureau Equifax was hacked, and it offered affected users settlement funds and free credit monitoring for life. Up to 147.9 million Americans were at risk of having their identities stolen, as information like SSNs, full names, birth dates, and more was taken in the breach.

Currently, the scope of the Uber security breach hasn’t been confirmed. Reports suggest that the hacker gained access to pretty much every vertical within the company, including financial data, app source code, and databases containing user information. They’re said to have essentially retrieved the keys to the castle, and a report from The New York Times purports to have interviewed the hacker. The kicker? According to that interview, the hacker is merely 18 years old. There’s obviously a world where they may be lying about their age (and other information in that interview, too) but there have been plenty of young people involved in mass-scale attacks like these in the past.

The data we share defines us

If someone were to steal your smartphone and gain access to it, they could probably find out everything about you. They would discover your interests, your habits, where you live, and more, but that’s not all. They could find out all kinds of personal information, they could discover your health records, and they could probably stalk you based on your location history and your frequented places if they wanted to. If you have a pet, presumably your pet’s name is somewhere on your phone, too. One in three Americans, according to research analyst Aura, have used their pet’s name as a password. If you’re among that one in three, the person who stole your phone might now be able to access your online accounts, too.

We put a lot of trust into companies with our data. Some security breaches can ruin lives if the data falls into the wrong hands, and if I had an Uber account that I had used more than once, I’d be worried about what information may now be out there on the internet. There’s no telling what was stolen, as treasure troves of data like that can be sold for a lot of money on the underground market. Even if your smartphone is secured with a password, you’re putting a lot of trust in your phone’s security systems. Only recently, an Android security patch update fixed a vulnerability in the Titan M security chip (found in Google Pixel phones) that allowed for escalation of privilege with “user interaction not needed for exploitation”. Researchers were then able to extract cryptographic keys that should never leave the device.

In other words, Uber’s breach should be a call to re-evaluate the companies that you trust, and with what data. While we don’t fully know the scope of that breach just yet, it was only a matter of time before a company had a breach of this potential scale. While companies are expected to follow best practices in storing user data (including hashing and salting user passwords, credit cards, and more), you’re putting a lot of trust in companies to have followed those best practices. Even if a company claims to have encrypted those passwords, that doesn’t mean you’re safe forever if that data leaks.

As an example, take Riot Games’ League of Legends. In 2012, the company was hacked, with various personally identifying attributes and “encrypted” passwords being leaked online. In 2018, a subset of that data leaked online with plain text passwords likely cracked from those “encrypted” passwords six years prior. Ten years is a long time and security standards have evolved since then, but the point is that you never know what’s happening to your data at any given time once it’s out there.

If you have an Uber account, it’s definitely worth keeping an eye on the news to see what data was leaked, if any. Even if it turns out to be the case that nothing was shared online, the company has still confirmed the breach and it’s alarming to think about what access someone may have to your personal life.

The post Uber’s security breach shows how much we trust companies with our data appeared first on XDA.
