What we can learn from last week’s Reddit breach

August 8th, 2018 | security and compliance, smarter identity

Last week Reddit confirmed that an attacker breached their network via compromised employee accounts and was able to gain access to both internal resources and customer records.

The Reddit team was prompt to respond, alerted authorities, conducted what seemed to be a thorough investigation, and notified the public of the event.

But what caught my eye was the method by which the employee credentials were compromised.

Reddit’s vulnerability: SMS-based authentication

According to Founding Engineer at Reddit, Christopher Slowe (u/KeyserSosa), “…the main attack was via SMS intercept.”

What Slowe is referring to is SMS-based second-factor authentication (commonly called SMS 2FA or SMS MFA): the 6-digit code that is texted to your phone when you need a secondary authentication factor to log into an account.

Reddit’s standard security practice allowed employees to authenticate using this method.

Reddit is not alone. SMS-based authentication is still widely used by many organizations today.

However, the data security landscape is constantly changing, and technologies that were sufficient at one point may become less effective over time. That’s exactly what happened to SMS-based MFA.

The problem with SMS MFA

Today it is widely accepted by the security community that SMS MFA is vulnerable to attack.

In the summer of 2017, the National Institute of Standards and Technology (NIST) published their NIST SP 800-63B recommendations, a list of guidelines intended to help government agencies and other organizations keep their data and processes secure. In this document, NIST labeled SMS messages for MFA as “RESTRICTED.”

“The use of a RESTRICTED authenticator requires that the implementing organization assess, understand, and accept the risks associated with that RESTRICTED authenticator and acknowledge that risk will likely increase over time.” - NIST Special Publication 800-63B

Approaches to compromising SMS communication can range from phone redirects to leveraging old mobile OS vulnerabilities in the SMS app, to luring users to install malicious apps that have access to the messaging APIs.

One of the most common practices is social engineering. A typical example is an attacker who impersonates the phone’s owner and calls the mobile operator’s support center. The attacker then tricks the support reps into issuing a replacement SIM for the victim’s number, after which the SMS codes are delivered to the attacker instead of the account holder.

So why is SMS MFA so prevalent?

The challenge with SMS MFA is that for the general public, it still feels safe, and thus perpetuates a false sense of confidence and security. The scary reality is that SMS is still used for authentication by many organizations around the world, including banking and government institutions.

Reddit acknowledged this after the incident, noting that “…we learned that SMS-based authentication is not nearly as secure as we would hope,” and went on to state that they “…encourage everyone here to move to token-based 2FA.”

Embracing more secure alternatives

There are plenty of more secure and user-friendly ways to leverage mobile phones as a strong secondary authentication factor.

Token-Based Authentication is an alternative mobile-phone-based authentication method and the one recommended by Reddit admins. This form of authentication requires the use of an MFA app that continually generates one-time password codes. When prompted for a second authentication factor, the user types in the current code and gains access to their account. Because these OTPs are computed on the device from a seed provisioned at enrollment and displayed in a secure mobile app, rather than being delivered over the carrier network in an SMS message, they are far less likely to be intercepted by attackers.

Push Authentication is another more secure option that also offers a great user experience. When a user attempts to log in and is prompted for a second factor, they will receive an alert on their mobile device that gives them the option to Accept or Deny that login attempt with a single tap. No SMS messages to intercept here!
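The push flow above can be sketched as a small challenge-response exchange. This is an added example, not OneLogin Protect’s protocol or code: it assumes a per-device key established when the authenticator app is paired (constructed here with `secrets.token_bytes`), and shows the properties a defender wants from a push prompt: the approval is bound to one specific login attempt, it expires, it can be used only once, and a Deny or a forged response never grants access.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed demo enrollment: one device key per user, provisioned at pairing time
# in a real deployment. Here it is generated fresh when the module loads.
DEVICE_KEYS: Dict[str, bytes] = {"alice": secrets.token_bytes(32)}

CHALLENGE_TTL = 60  # seconds a pending prompt remains answerable


@dataclass
class Challenge:
    challenge_id: str
    user: str
    context: str     # what the phone displays: application, source IP, time
    expires_at: int


def _message(challenge_id: str, user: str, decision: str) -> bytes:
    # The device signs the prompt id together with the decision, so an "approve"
    # cannot be spliced onto a different prompt or a "deny" flipped in transit.
    return f"{challenge_id}|{user}|{decision}".encode()


class PushServer:
    def __init__(self, device_keys: Dict[str, bytes]):
        self.device_keys = device_keys
        self.pending: Dict[str, Challenge] = {}

    def start_login(self, user: str, context: str, now: int) -> Challenge:
        """Create a single-use prompt for this login attempt and queue it for push delivery."""
        ch = Challenge(secrets.token_hex(16), user, context, now + CHALLENGE_TTL)
        self.pending[ch.challenge_id] = ch
        return ch  # sent to the enrolled device over the push channel, never by SMS

    def complete_login(self, challenge_id: str, decision: str, tag: bytes, now: int) -> bool:
        """Return True only for a fresh, unexpired, correctly signed 'approve'."""
        ch = self.pending.pop(challenge_id, None)  # single use: removed once answered
        if ch is None or now > ch.expires_at:
            return False
        expected = hmac.new(
            self.device_keys[ch.user], _message(challenge_id, ch.user, decision), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        return decision == "approve"


def device_respond(device_key: bytes, ch: Challenge, decision: str) -> Tuple[str, str, bytes]:
    """What the authenticator app sends back when the user taps Accept or Deny."""
    tag = hmac.new(device_key, _message(ch.challenge_id, ch.user, decision), hashlib.sha256).digest()
    return ch.challenge_id, decision, tag


if __name__ == "__main__":
    server = PushServer(DEVICE_KEYS)
    prompt = server.start_login("alice", "Webmail from 203.0.113.7 at 09:12", now=1000)
    reply = device_respond(DEVICE_KEYS["alice"], prompt, "approve")
    print("login granted:", server.complete_login(*reply, now=1005))
```

Showing the `context` string on the phone is what lets a user recognise and deny a prompt they did not trigger; the server-side expiry and single-use `pop` are what stop a stale or duplicated approval from being reused.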

The latest version of OneLogin’s mobile authenticator, OneLogin Protect, supports both of these functionalities. Consider downloading it for yourself and letting us know what you think.

Thanks for reading and stay secure!

About the Author

Ehud Amiri is a Senior Director for Product Management at OneLogin. Ehud is passionate about making the world safer by embracing new ways to trust people, devices & applications so that security becomes both effective and frictionless. Prior to joining OneLogin, Ehud served in various product management and engineering roles at CA Technologies, Netegrity, and Business Layers.

