Last week Reddit confirmed that an attacker breached their network via compromised employee accounts and was able to gain access to both internal resources and customer records.
But what caught my eye was the method by which the employee credentials were compromised.
Reddit’s vulnerability: SMS-based authentication
According to Founding Engineer at Reddit, Christopher Slowe (u/KeyserSosa), “…the main attack was via SMS intercept.”
What Slowe is referring to is SMS-based multi-factor authentication (MFA): the 6-digit code that is texted to your phone when a second authentication factor is required to log into an account.
Reddit’s standard security practice allowed for employees to authenticate using this method.
Reddit is not alone. SMS-based authentication is still prominently used by many organizations today.
However, the data security landscape is constantly changing, and technologies that were sufficient at one point may become less effective over time. That’s exactly what happened to SMS-based MFA.
The problem with SMS MFA
Today it is widely accepted by the security community that SMS MFA is vulnerable to exploitation by attackers.
In the summer of 2017, the National Institute of Standards and Technology (NIST) published their NIST SP 800-63B recommendations, a list of guidelines intended to help government agencies and other organizations keep their data and processes secure. In this document, NIST labeled SMS messages for MFA as “RESTRICTED.”
“The use of a RESTRICTED authenticator requires that the implementing organization assess, understand, and accept the risks associated with that RESTRICTED authenticator and acknowledge that risk will likely increase over time.” - NIST Special Publication 800-63B
Approaches to compromising SMS communication can range from phone redirects to leveraging old mobile OS vulnerabilities in the SMS app, to luring users to install malicious apps that have access to the messaging APIs.
One of the most common practices is social engineering. A common example is an attacker who impersonates the phone's owner and calls the mobile operator's support center. The attacker can then trick the support reps into providing a replacement SIM for the original phone number.
So why is SMS MFA so prevalent?
The challenge with SMS MFA is that for the general public, it still feels safe, and thus perpetuates a false sense of confidence and security. The scary reality is that SMS is still used for authentication by many organizations around the world, including banking and government institutions.
Reddit acknowledged this after the incident, noting that “…we learned that SMS-based authentication is not nearly as secure as we would hope,” and even stated that they “…encourage everyone here to move to token-based 2FA.”
Embracing more secure alternatives
There are plenty of more secure and user-friendly ways to leverage mobile phones as a strong secondary authentication factor.
Token-based authentication is an alternative mobile-phone-based authentication method that is recommended by Reddit admins. This form of authentication requires the use of an MFA app that continually generates one-time password (OTP) codes. The user types in the current code after being prompted for a second authentication factor and gains access to their account. Because these OTPs are generated and displayed in a mobile app instead of being delivered via an SMS message, they are a lot less likely to be intercepted by attackers.
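To make concrete what the app-generated codes above actually are, here is an added example (not Reddit's or OneLogin's code) of the server side of time-based OTP as standardized in RFC 6238 / RFC 4226: the code is an HMAC over a 30-second time counter, so nothing is transmitted over the phone network. It uses the RFC test secret "12345678901234567890" (an assumption for illustration; a real deployment generates a random per-user secret), compares codes in constant time, and refuses to accept a code from a time step already used, which closes the replay window within a single step.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret, used here only so the output is checkable.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the secret as Base32 in an otpauth:// URI; decode it for HMAC."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, last_used_counter=None):
    """Server-side check. Returns the accepted time counter, or None on failure.
    - window: how many steps of clock skew to tolerate on either side.
    - last_used_counter: counter of the last accepted code; anything at or before it is
      rejected so a code captured during its 30-second validity cannot be replayed.
    The caller persists the returned counter as the new last_used_counter."""
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    print("current code for the test secret:", totp(TEST_SECRET, int(time.time())))
```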
Push Authentication is another more secure option that also offers a great user experience. When a user attempts to log in and is prompted for a second factor, they will receive an alert on their mobile device that gives them the option to Accept or Deny that login attempt with a single tap. No SMS messages to intercept here!
The latest version of OneLogin’s mobile authenticator, OneLogin Protect, supports both of these functionalities. Consider downloading it for yourself and letting us know what you think.
Thanks for reading and stay secure!