[BreachExchange] Reddit breach shows limits of SMS-based two-factor authentication

Destry Winant destry at riskbasedsecurity.com
Fri Aug 3 00:17:12 EDT 2018


https://www.itworldcanada.com/article/reddit-breach-shows-limits-of-sms-based-two-factor-authentication/407695

The announcement today from Reddit that some of its systems were
compromised even though they were protected with two-factor
authentication is a warning that SMS-based authentication isn’t good
enough anymore.

“The moral of this story is that SMS-based 2-factor authentication
should not be considered “strong” in the face of a determined
attacker,” Craig Young, computer security researcher at Tripwire’s
VERT (Vulnerability and Exposure Research Team), said in a statement.

“The ability to have a physical token or to be able to use an
authenticator app [for the second authentication in addition to a
password] is absolutely the way to go,” Forrester Research analyst
Josh Zelonis said in an interview. “There’s many ways to intercept the
SMS text message that is being sent. Essentially what you’re doing is
trusting the phone company to handle your two-factor authentication.
(But) there’s a number of known attacks ranging from social
engineering — which is probably the most likely and common — to SS7
attacks,” the signaling protocol for SMS messages.

In the case of the Reddit breach he hypothesizes that the attacker
tricked a wireless carrier to change an employee’s phone number to a
device controlled by the attacker, or the employee’s mobile phone may
have been cloned.

A post attributed to Reddit CTO Chris Stowe said “we know the target’s
phone wasn’t hacked.” In a separate string he said the company as a
rule had required staff with data access to use a two-factor authentication
solution that included a time-based one-time password (TOTP). However,
he added, “there are situations where we couldn’t fully enforce this
on some of our providers since there are additional “SMS reset”
channels that we can’t opt out of via account policy. We’ve since
resolved this.”

Organizations have known for some time that SMS is vulnerable to
penetration. In 2016 the U.S. National Institute of Standards and
Technology (NIST) said in its draft guideline that SMS-based
two-factor authentication is risky. (Here’s a link to the current
guideline). Despite that, he believes use of SMS for two-factor
authentication in North America “is fairly common.”

According to Ars Technica, a German-language newspaper was told by a
carrier that a January, 2017 online bank heist from a German bank was
aided in part by exploiting SMS weaknesses to bypass two-factor
authentication that was supposed to protect customers from
unauthorized withdrawals.

Reddit said Wednesday that on June 19 it learned that between June 14
and June 18 an attacker “compromised a few of our employees’ accounts
with our cloud and source code hosting providers.” Although access to
its primary access points for code and infrastructure required
two-factor authentication (2FA), “we learned that SMS-based
authentication is not nearly as secure as we would hope, and the main
attack was via SMS intercept. We point this out to encourage everyone
here to move to token-based 2FA.”

The statement suggests that Reddit now only uses an
authenticator-based mobile app (such as Google Authenticator for
Android and iOS or Microsoft Authenticator, which a user has to
install on a device) for sending the second-factor confirmation. That
way SMS isn’t used.

Some services also offer the option of sending a voice message to a
landline or mobile phone with the authentication code, which then has
to be typed into a site for confirmation.

The advantage of an authenticator app for sending/receiving the second
factor of authentication, Zelonis said, is that the app synchronizes
cryptographically with the web site the user wants to log into.
However, the site has to offer an authentication app as an option.
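
What that cryptographic synchronization looks like in the TOTP scheme
(RFC 6238) mentioned above, as an added example that is not part of the
original article or Reddit's own code: both sides derive the code from a
shared secret and the clock, so no carrier sits in the path. The secret
is the public RFC test vector; verify() and its replay and drift
parameters are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# Public RFC 4226 / RFC 6238 test secret (constructed sample, not a real credential).
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_counter: int = -1, drift_steps: int = 1, step: int = 30):
    """Server-side check (hypothetical helper).

    Accepts codes within +/- drift_steps of the server clock and returns the
    matched counter, which the caller stores as last_used_counter so the same
    code cannot be replayed. Returns None on failure.
    """
    now = unix_time // step
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter <= last_used_counter:
            continue  # already consumed: reject replay
        expected = hotp(secret, counter, len(submitted) or 6)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    code = totp(SHARED_SECRET, 59)          # what the authenticator app displays
    print("app shows:", code)
    print("server accepts at t=89:", verify(SHARED_SECRET, code, 89))
    print("replay rejected:", verify(SHARED_SECRET, code, 89, last_used_counter=1))
```

The code never travels over the phone network, which is why an SMS or
password-reset fallback on the same account undoes the protection.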

What the Reddit attacker got was read-only access to some systems that
contained backup data, source code and other logs. However, that
included a complete copy of a database backup containing very early
Reddit user data, from the site’s launch in 2005 through May 2007.
That included account credentials (username + salted hashed
passwords), email addresses, and all content (mostly public, but also
private messages). “If you signed up for Reddit after 2007, you’re
clear here,” says Reddit.

Also accessed were logs containing the email digests (“Top posts on
Reddit last week”) sent to subscribers between June 3 and June 17 of
this year. These logs contain the digest emails themselves and connect
a username to the associated email address and contain suggested posts
from select popular and safe-for-work subreddits users subscribe to.
Users who don’t have an email address associated with their account or
whose “email digests” user preference was unchecked during that period
aren’t affected.

“This breach is particularly interesting because it is an example of
SMS-based 2-factor authentication being used to compromise a major
service provider,” said Tripwire’s Young. “While SMS interception has
been a common trick in opportunistic financial fraud, it is far less
common to hear about this method being used in this type of targeted
attack of a public service.

“Although any form of multi-factor authentication is a considerable
improvement on simple password models, SMS-based verification tokens
can be stolen with a variety of well-known techniques, including
social engineering, mobile malware, or by directly intercepting and
decrypting signals from cell towers. The most common technique is most
likely use of smartphone malware, which automates the process of
stealing passwords and obtaining verification codes while obfuscating
the activity from the end-user, but this seems less likely in such a
targeted campaign. Another possibility is that the attackers exploited
well-known weaknesses in the Signaling System No 7 (SS7) protocol,
which is at the heart of modern telephony routing, or that they simply
called up the victim’s cellular provider and convinced them to
transfer the phone number to a new SIM. An attacker within the same
cellular coverage area as the victim could even intercept and decrypt
SMS out of the air with just a couple hundred dollars’ worth of
equipment.”

The fact that the passwords were hashed and salted is good news for
Reddit users, suggested Koby Kilimnik, security researcher at Imperva,
in a statement. It would take an attacker a lot of time to crack those
passwords and render them usable since they need to find and compute
each individual hash and can’t use a more efficient memory CPU
tradeoff solution like rainbow tables, he said. “Notwithstanding that,
I would still recommend changing your reddit password, and if you
don’t like spam emails, you might also want to start using a different
email account, since those leaked emails will probably find their way
into some spammer’s database.

“Another good idea is not to use the leaked password anywhere else.
Although it’s hard to crack those passwords, once cracked, the chances
are much greater that they will also be added to a dictionary in a
future “credential stuffing attack.”

