Updated: Aug 9, 2018
A newly disclosed breach that stole password data and private messages is teaching Reddit a lesson that security professionals have known for years - two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.
Early this month, Reddit.com disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. In a post to its blog, the social news aggregation platform said it learned on June 19 that between June 14 and June 18 an attacker had compromised several employee accounts at its cloud and source code hosting providers.
The exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.
The breach is raising alarm bells amongst the IT security community because the attacker got in by breaking into employee accounts that were supposedly protected by two-factor authentication (2FA). These accounts required both a password at login and a special one-time passcode (OTP) sent to the employee's smartphone via SMS messaging.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit wrote. “We point this out to encourage everyone here to move to token-based 2FA.”
So how did this happen?
Indeed, while 2FA is a vital security tool, it does have its weak points.
In the past, cybercriminals have assumed a victim's identity to trick cellular providers into essentially giving them access to the person's phone number. This is known as a “SIM swap” or a "port out scam" - a hacker calls your telco carrier, impersonates you and convinces the carrier to redirect incoming texts to an entirely different SIM card, or to port the number from one telco carrier to another. Then, it’s only a matter of time before they can reset your passwords and “take over” your online persona.
Hackers with more technical expertise and the right hardware can also tamper with cellular technologies to collect nearby SMS messages or temporarily spoof someone's phone number. Dedicated hackers can also intercept codes sent via SMS by exploiting a flaw in what is known as the Signalling System 7 (SS7) protocol, or simply phish the code.
Although the average man-in-the-street may not have heard about the dangers of using SMS in two-factor authentication, the tech community has known about the risk for a few years. As far back as 2016, the U.S. National Institute of Standards and Technology (NIST) had proposed abandoning SMS-based two-factor authentication in its draft NIST Special Publication 800-63B.
Looks like somehow, Reddit missed the memo.
Whatever the case may be, Reddit is using the security incident to encourage the public to switch over to non-SMS-based two-factor authentication. This involves your smartphone generating the special one-time passcode in an app. Another solution is a hardware-based security key, which is what Google has done to stop phishing on company employee accounts. A third option is our very own two-factor authentication app, TheGRID Beacon, which neither relies on SMS messaging nor generates a one-time passcode on the app; rather, it communicates securely with a hosted server to authenticate the user via a simple ON - OFF action on the app.
The upshot of all of this is that SMS-based 2FA is better than no 2FA at all, but only minimally so. If you don't yet have two-factor authentication (2FA), it is a good idea to use it on your most important accounts, like your Gmail or your social media accounts; it can usually be activated in the settings page. Even SMS-based authentication is better than protecting your account with a password alone.
On the other hand, the strongest forms of 2FA that are viable now are either physical tokens that use no OTPs at all or, if that’s considered too difficult for users, OTPs generated solely by apps.
Better still is a solution that does not need to generate any OTPs at all, which is what TheGRID Beacon provides.
To find out more about our GRID Beacon Smart 2FA, contact us: firstname.lastname@example.org