The announcement today from Reddit that some of its systems were compromised even though they were protected with two-factor authentication is a warning that SMS-based authentication isn’t good enough anymore.
“The moral of this story is that SMS-based 2-factor authentication should not be considered “strong” in the face of a determined attacker,” Craig Young, computer security researcher at Tripwire’s VERT (Vulnerability and Exposure Research Team), said in a statement.
“The ability to have a physical token or to be able to use an authenticator app [for the second authentication in addition to a password] is absolutely the way to go,” Forrester Research analyst Josh Zelonis said in an interview. “There’s many ways to intercept the SMS text message that is being sent. Essentially what you’re doing is trusting the phone company to handle your two-factor authentication. (But) there’s a number of known attacks ranging from social engineering — which is probably the most likely and common — to SS7 attacks,” the signaling protocol for SMS messages.
In the case of the Reddit breach, Zelonis hypothesizes that the attacker tricked a wireless carrier into moving an employee’s phone number to a device controlled by the attacker, or that the employee’s mobile phone may have been cloned.
A post attributed to Reddit CTO Chris Slowe said “we know the target’s phone wasn’t hacked.” In a separate comment thread he said the company as a rule had required staff with data access to use a two-factor authentication solution that included a time-based one-time password (TOTP). However, he added, “there are situations where we couldn’t fully enforce this on some of our providers since there are additional “SMS reset” channels that we can’t opt out of via account policy. We’ve since resolved this.”
Organizations have known for some time that SMS is vulnerable to interception. In 2016 the U.S. National Institute of Standards and Technology (NIST) said in a draft guideline that SMS-based two-factor authentication is risky. (Here’s a link to the current guideline.) Despite that, he believes use of SMS for two-factor authentication in North America “is fairly common.”
According to Ars Technica, a German-language newspaper was told by a carrier that a January 2017 online heist from a German bank was aided in part by exploiting SMS weaknesses to bypass the two-factor authentication that was supposed to protect customers from unauthorized withdrawals.
Reddit said Wednesday that on June 19 it learned that between June 14 and June 18 an attacker “compromised a few of our employees’ accounts with our cloud and source code hosting providers.” Although access to its primary access points for code and infrastructure required two-factor authentication (2FA), “we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
The statement suggests that Reddit now only uses an authenticator mobile app (such as Google Authenticator for Android and iOS, or Microsoft Authenticator), which a user has to install on a device, for the second-factor confirmation. That way SMS isn’t used.
Some services also offer the option of sending a voice message to a landline or mobile phone with the authentication code, that then has to be typed in to a site for confirmation.
The advantage of an authenticator app for sending/receiving the second factor of authentication, Zelonis said, is that the app synchronizes cryptographically with the web site the user wants to log into. However, the site has to offer an authenticator app as an option.
What the attacker got, Reddit said, was read-only access to some systems that contained backup data, source code and other logs. However, that included a complete copy of a database backup containing very early Reddit user data, from the site’s launch in 2005 through May 2007. That included account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages). “If you signed up for Reddit after 2007, you’re clear here,” says Reddit.
Also accessed were logs containing the email digests (“Top posts on Reddit last week”) sent to subscribers between June 3 and June 17 of this year. These logs contain the digest emails themselves and connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits users subscribe to. Users who don’t have an email address associated with their account or whose “email digests” user preference was unchecked during that period aren’t affected.
“This breach is particularly interesting because it is an example of SMS-based 2-factor authentication being used to compromise a major service provider,” said Tripwire’s Young. “While SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack of a public service.
“Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS-based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers. The most common technique is most likely use of smartphone malware, which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user, but this seems less likely in such a targeted campaign. Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol, which is at the heart of modern telephony routing, or that they simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM. An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars’ worth of equipment.”
The fact that the passwords were hashed and salted is good news for Reddit users, suggested Koby Kilimnik, security researcher at Imperva, in a statement. It would take an attacker a lot of time to crack those passwords and render them usable, since they need to find and compute each individual hash and can’t use a more efficient memory/CPU trade-off solution such as rainbow tables, he said. “Notwithstanding that, I would still recommend changing your reddit password, and if you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database.
“Another good idea is not to use the leaked password anywhere else. Although it’s hard to crack those passwords, once cracked, the chances are much greater that they will also be added to a dictionary in a future “credential stuffing attack.”
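Kilimnik’s point about salting is easy to see in code: a precomputed table of unsalted hashes (a rainbow table in its simplest form) cracks any unsalted hash instantly, but a per-user random salt means every stored hash has to be attacked individually. The following is an added demonstration, not code from the article or from Reddit’s own password storage; the wordlist and the hashing parameters are constructed for illustration, and the function names are my own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for an attacker's dictionary.
WORDLIST = ["password", "123456", "letmein", "qwerty", "reddit2005"]

# Illustrative work factor; production systems should use a higher count or a
# memory-hard function such as Argon2 or scrypt.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one deterministic hash per password, identical for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_table(words) -> Dict[str, str]:
    """Precompute hash -> password once; the table then serves against every victim.
    (Real rainbow tables store hash chains to save memory, but the lookup is the same.)"""
    return {unsalted_hash(w): w for w in words}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def rainbow_lookup(table: Dict[str, str], stored_value: str) -> Optional[str]:
    """Try to recover a password from a stored value using the precomputed table.
    For a salted record the hash covers salt+password, so no precomputed entry matches."""
    key = stored_value.split("$")[-1]
    return table.get(key)


if __name__ == "__main__":
    table = build_unsalted_table(WORDLIST)
    print("unsalted:", rainbow_lookup(table, unsalted_hash("letmein")))   # letmein
    print("salted:  ", rainbow_lookup(table, hash_password("letmein")))  # None
    print("same password, two users:",
          hash_password("letmein") == hash_password("letmein"))          # False
```

The salt does not stop a determined attacker from guessing a weak password for one account; it only removes the shortcut of cracking all accounts at once, which is why Kilimnik still advises changing the password and not reusing it elsewhere.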