Not all 2FA is created equal
The Reddit management team has learned the hard way that the security of SMS-based authentication leaves much to be desired, after a hacker gained access to its backend systems by exploiting a loophole in the site’s login process for employees.
Issuing an alert yesterday, Reddit CTO and founding engineer Christopher Slowe said that between June 14 and June 18 an attacker compromised some employee accounts with its cloud and source code hosting providers.
While Slowe said the attacker did not gain write access to Reddit systems, they were able to view backup data, source code, and other logs.
“A complete copy of an old database backup containing very early Reddit user data – from the site’s launch in 2005 through May 2007 [was accessed],” Slowe noted.
“In this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages).”
Reddit said it will be notifying potentially impacted account holders, and will be forcing some users to change their passwords if they have not recently done so.
Data breach alerts of this nature are now an all too common sight.
However, while Reddit users are unlikely to be thrilled by the news that their personal details and private messages have been accessed by a third party, it’s interesting to note that the incident is being taken by the social media service as a sign it’s time to upgrade from an SMS-based employee authentication system.
Although certainly preferable to nothing at all, SMS-based two-factor authentication (2FA) leaves users vulnerable to SIM-swapping attacks, in which an attacker uses social engineering against a telco representative to obtain a SIM card linked to someone else’s phone account.
This might seem far-fetched, but SIM-swapping is an increasingly lucrative enterprise. Just last month, authorities in California arrested a college student suspected of being part of a group of criminals who hacked dozens of phones to steal more than $5 million in cryptocurrency.
“The Reddit breach underscores how the application of best practices, like use of MFA [multi-factor authentication], also need to be revisited over time as new attack techniques come to light,” said Travis Biehn, technical strategist at Synopsys.
“You can look at the timeline for SMS hijacking techniques – the first practical attacks were presented a few years ago – and now these are being increasingly commoditised for a wide array of attackers.”
Perhaps in acknowledgement of the inherent weaknesses of SMS-based 2FA, social media giant Instagram was last month reported to be working on a new authentication solution for its users.
While the inner workings of Reddit’s SMS-based 2FA for employees is not known, Slowe said Reddit will be migrating to a token-based system following this most recent incident.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” he said. “We point this out to encourage everyone here to move to token-based 2FA.”