London's Transport for London (TfL) is the entity that manages public transportation and public carriage licenses. In November 2019, TfL stated it would not renew Uber’s Private Hire Vehicle Operator License.
In a whopping 62-page letter, TfL laid out a number of safety concerns and operational issues. These included insurance issues, or the registered driver not being the actual driver.
However, what is most interesting is that there are a number of cybersecurity issues that were highlighted in the letter. For this audience, it’s worth us examining these issues in some detail.
- Application Security
The first thing noted that jumps out is the apparent lack of application security, which allowed drivers to install an unauthorized patch on iPhones. This allowed them to see passenger destinations and select them on that basis.
Flaws also allowed drivers to manipulate or tamper with location settings, create duplicate accounts, and had a lack of checks on drivers. - Protective controls
Another area highlighted was the lack of effective protective or preventative controls. The letter states the company rolled out an anti-brute force tool to prevent accounts from being accessed. However, this did not seem to function properly. - Change management and operational maturity
This led to questions being raised about the quality of operational security and rigor around change management. TfL assigned an independent company, Cognizant, to conduct a review on the IT service management capabilities, which did not paint a rosy picture. - Phishing attacks
The final point of note was that Uber notified TfL of a global phishing scam targeting drivers using the Uber app. This scam allowed criminals to create fictitious journeys for which the passenger is then charged. TfL believed that Uber was not doing enough to prevent this and used it as an example for how easy it is for fraudsters to be able to manipulate the Uber app.
To clarify, these are from the TfL letter and their findings, and not mine. So, I have no direct visibility into the controls that Uber may or may not have in place.
However, it’s worthwhile for organizations to look at these broad points and ask themselves if they were put under similar scrutiny, how would they fare? This is particularly true for mid-sized organizations, which have grown organically over the years and have perhaps flown under the radar of regulatory requirements.
Application security was and continues to remain an important topic. It’s effectively the front door, the trading floor, and the operations of many businesses today. Many businesses may not have physical space for customers and employees to go to, but they will nearly always have an app or website of some nature which facilitates interaction.
Getting security right is not easy, so it’s important that in addition to secure development practices, independent testers are engaged in finding any vulnerabilities, logic flaws, or other weaknesses.
Q: Do you know all the apps and websites within your organization? Are they tested on a regular basis? Do you know the last time they were tested?
In Uber’s case, an anti-brute force tool was deployed, but it didn’t work as intended. This is far more common an occurrence than one may think. There are many security tools which are purchased and go on to deliver little, if any, of the initial-promised value.
Having an assurance process in place to validate that controls are working as required is essential in this regard. This could be technical assessments, regular metrics, or some other means. The point here is that without some way of measuring the effectiveness of a security purchase, organizations don’t have a way of knowing whether the security tool in place is effective or merely a placebo.
Q: Does your organization have an assurance program in place to ensure security is working as it should?
The final nail in the proverbial coffin was around phishing attacks against Uber drivers. Phishing is the most popular attack vector used by criminals and impacts organizations of all sizes and verticals.
Organizations can’t completely stop inbound phishing emails with technology alone and some will inevitably make it through to the user’s inbox. In such cases, it’s important to have users who have been given security awareness training so they can identify phishing attempts and report them. Other measures can include implementing 2FA so that if the password is stolen, criminals still can’t log onto an account.
Q: Does your organization provide security awareness training to its employees so they can identify and report phishing emails?
While this isn’t an exhaustive list of all the issues raised in the letter by TfL, nor is it an exhaustive list of all the security issues many organizations face. It serves as a good starting point for discussions and to get a measure as to how mature your organizations security posture is.
Here's how it works:
