Thought leadership. threat analysis, news and alerts.
Reddit Data Breach Highlights Weaknesses of SMS-Based 2-Factor Authentication
Reddit recently announced that it succumbed to a cyberattack, an attack that was born out of the weaknesses inherent to SMS-based 2-factor authentication (2FA).
Reddit, in a statement, said that an attacker managed to access the company’s complete copy of a database backup containing user data starting from the site’s launch in 2005 up to May 2007. The data accessed during this period include passwords of users and public and private messages.
The company added that email address of current users, source code, internal logs, configuration files and other employee workspace files have also been accessed by the attacker.
While acknowledging that the recent cyberattack was a serious attack, according to Reddit, the attacker didn’t do much damage to the site itself as the attacker only gained read-only access, not write access to Reddit systems.
Reddit said that the attacker entered the company’s systems as a result of the weaknesses inherent to SMS-based 2FA. “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said.
What Is Two-Factor Authentication (2FA)?
Two-Factor Authentication, also known as 2FA, is an added layer of protection that’s meant to ensure that security of online accounts goes further than a username and a password.
Here are the 3 most common types of 2FA or security keys for securing your online accounts:
1. SMS-Based 2FA
In SMS-based 2FA, whenever you log-in to your online account, after entering your username and password, a verification code will be sent in a form of an SMS message to your mobile phone. Once the correct verification code is entered after entering the correct username and password, you’ll then gain access to your online account.
In the case of the Reddit cyberattack, it wasn’t disclosed how the attacker carried out the "SMS intercept".
The publicly known scenario for SMS intercept is via SIM swapping, also known as SIM hijacking. In SIM swapping, an attacker calls a cell phone carrier’s tech support pretending to be the target victim and claims that the target’s SIM card is lost. The attacker then requests that the phone number of the target be transferred (also known as ported) to a new SIM card that the attacker already owns.
The attacker in this scam convinces the phone carrier’s tech support to make the necessary transfer of phone number to a new SIM card by providing the target’s personally identifiable information, including Social Security Number or home address, details that are available online after many data breaches from other companies in the past.
Once an attacker convinces the phone carrier’s tech support for the SIM-swap, it’s game over for the target. The immediate effect is that the target loses phone service and any 2FA verification code delivered via SMS is sent to the new SIM card that the attacker controls.
2. App-Based 2FA
In app-based 2FA, you need to download an app, such as Google Authenticatoror Authy, to your mobile phone or PC. Once installed and configured, you can get the verification code, after entering your correct username and password, through your device.
Unlike the SMS-based 2FA, you can still get the verification code when your phone service gets shut off. The downside of app-based 2FA is that the verification code needs to be entered into the same login page on a website along with the username and password. This allows cyberattackers to subvert the username, password and verification code by cyberattacks such as phishing and man-in-the-middle.
In a phishing attack, a user is duped into revealing sensitive data, including username and password. In man-in-the-middle attack, the attacker positions himself in a conversation between a user and an application, making it appear as if a normal exchange of information is conducted.
3. Hardware-Based 2FA
Hardware-based 2FA, also known as physical security key, comes in the form of a USB device. Login process can be completed by inserting the USB device to the USB port and by pressing a button in the USB device, eliminating the need for retyping verification codes. This is also meant to verify that you’re not a remote malicious hacker.
Unlike the SMS-based 2FA and app-based 2FA, in hardware-based 2FA, you don’t need your mobile phone to access your online accounts.
Yubico, the most popular maker of hardware-based security keys, sells its basic model for only $20. Last month, Googleannounced that its own hardware-based security keys called “Titan Security Keys” are available to Google Cloud customers and will soon be available for anyone to purchase on the Google Store.
Last month also, Google told cybersecurity journalist Brian Krebsthat since early 2017, more than 85,000 of its employees have been using physical security keys. Since then, the tech giant said that 85,000+ of its employees haven’t fallen prey to phishing attacks on their work-related accounts.
Google said that Titan Security Keys enhanced protection against phishing as the “2-step verification with a security key uses cryptography to provide two-way verification: it makes sure you're logging into the service you originally registered the security key with, and the service verifies that it's the correct security key as well”.
The downside of having physical security keys is that it’s a security risk to carry these devices around as once attackers get hold of them, it’s also game over for the targets. Physical security keys, therefore, have to be kept in a safe and secure place.
When you have questions concerning your options of better protecting mission critical data, our experts are a phone call away.
Steve E. Driz, I.S.P., ITCP