Using two-factor authentication with one-time passwords sent via SMS has come under question again after a Reddit breach was blamed on the faulty 2FA method.
Reddit admitted its systems were breached after an attacker was able to compromise the short message service two-factor authentication used by employees.
According to Christopher Slowe, CTO and founding engineer at Reddit, the main attack leading to the Reddit breach involved a threat actor intercepting SMS-based 2FA codes.
"On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees' accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Slowe wrote in a post on the social news site. "We point this out to encourage everyone here to move to token-based 2FA."
Slowe wrote that the attacker accessed user data, including some current email addresses, as well as "account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages)" from 2007. The attacker was apparently limited to read-only access on Reddit systems, and Reddit has since rotated all production secrets and API keys and took steps to harden access management security with "enhanced logging, more encryption and requiring token-based 2FA to gain entry since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident."
SMS 2FA security
Because the Reddit breach was blamed on the security limitations inherent to SMS-based 2FA, experts have begun to debate whether or not it's worth using it as an authentication method.
What can be taken from this attack is that, while SMS authentication can be used to boost security, two-factor authentication that involves standalone hardware token generators is needed to mitigate the risk of such attacks.
Leigh-Anne Gallowaycybersecurity resilience lead, Positive Technologies
Even back in 2016, when NIST advised organizations to stop using SMS-based 2FA, experts said the recommendation was overdue because of known techniques to intercept one-time codes sent via SMS either via malware on smartphones, exploiting the SS7 protocol, or by cloning a victim's SIM card.
Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team, noted that "while SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack of a public service."
"Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS-based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers," Young wrote via email. "An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars' worth of equipment. The moral of this story is that SMS-based two-factor authentication should not be considered 'strong' in the face of a determined attacker."
However, there was no clear consensus among experts about SMS-based 2FA. Many acknowledged the flaws in the system, but noted it was still better than not using 2FA at all.
Pravin Kothari, CEO of CipherCloud, said it is still far too common for users to not use any 2FA.
"Today, use of two-factor authentication is a best practice still not used by most authenticating systems. Even when two-factor is offered, for example, in Google's Gmail, over 90% of the Gmail users don't opt to use it," Kothari wrote via email. "Given that two-factor authentication is still a best practice the likely move by financial institutions will be to utilize token-based SMS systems, instead of mobile phone-based systems. In any case two-factor authentication, even with a mobile phone, is still much better than not using two-factor."
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said the Reddit breach is an example of businesses placing "unwarranted faith in two-factor authentication."
"While lots of organizations think 2FA is a silver bullet for authentication, it actually isn't, thanks to weaknesses in mobile networks which allow SMS [messages] to be intercepted," Galloway wrote via email. "What can be taken from this attack is that, while SMS authentication can be used to boost security, two-factor authentication that involves standalone hardware token generators is needed to mitigate the risk of such attacks. SMS alone is not enough to constitute adequate defense of customer and employee data."
Ilia Kolochenko, CEO of High-Tech Bridge, said he would "refrain from blaming 2FA SMS -- in many cases it's still better than nothing."
"Moreover, when most of business critical applications have serious vulnerabilities varying from injections to [remote code execution], 2FA hardening is definitely not the most important task to take care of," Kolochenko wrote via email, adding that there may be more to the Reddit breach story. "I would equally be cautiously optimistic about the size of the disclosed data breach and thoroughly ascertain that no other systems or user accounts were compromised. Often large-scale attacks are conducted in parallel by several interconnected cybercrime groups aimed to distract, confuse and scare security teams. While attack vectors of the first group are being mitigated, others are actively exploited, often not without success."
