There Are Significant Differences Between Each 2FA Method, and the Risks it Poses
On August 1st, US-based social news aggregation, web content, and discussion website, Reddit.com disclosed a data breach whose full impact has yet to be determined. Reddit said the breach was discovered on June 19th ― four days after the hacker(s) compromised several employee accounts at its cloud and source code hosting providers.
It’s common practice for cyber adversaries to camouflage their attacks by leveraging compromised credentials and in that regard, the Reddit hack was no exception. However, the fact that the cyber-attackers were able to bypass the SMS-based two-factor authentication Reddit leveraged to protect their employees’ accounts, was a wake-up call for many in the industry.
Reddit is the fifth-most visited website in the US and among the top 20 worldwide. One of the reasons it has become the world’s leading message board is it allows users to remain anonymous to freely discuss controversial topics and post questionable images. As a result, Reddit is often used to spread conspiracy theories and disinformation campaigns, including those tied to the Russian-based social media influencer operations in the 2016 Presidential elections.
Causing Impact Beyond the Core Data
According to Reddit, the attack exposed some internal data (e.g., source code, logs, configuration, and other employee workspace files), as well as email addresses, salted hashed passwords, and content belonging to Reddit users who registered accounts prior to May 2007. In addition, email addresses of some users who had signed up to receive daily email digests of specific discussion threats were exposed.
All email addresses connected to Reddit user names could be used to link anonymous accounts to people’s identities, causing potentially serious consequences and allowing for blackmail. A similar data breach at Ashley Madison in 2015 exposed the email addresses and usernames of more than 33 million users seeking extramarital affairs. The Ashley Madison hack and subsequent leak of user information resulted in divorces and reportedly two suicides.
Reddit and Ashley Madison are not the first online service providers to be compromised. The long list includes breaches at Equifax, AdultFriendFinder, and Yahoo! which exposed personal data of billions of accounts. The common thread linking these breaches was bad actors targeting the weakest link in the security chain, compromising end user or administrator credentials. In many cases hackers are now shifting their focus and compromising accounts belonging to individuals in the target company’s supply chain to subsequently make lateral movements and extract data.
However, what stood out in the Reddit case was the fact that the compromised employee accounts were protected by SMS-based two-factor authentication (2FA), immediately raising questions about the validity of this security method.
No 2FA vs. 2FA
Two-factor authentication or two-step verification, is an additional layer of security that requires not only a password and username, but also something that only the user has (e.g., a device) or something the user represents (e.g., fingerprint). Obviously, in today’s world of increasing online crime and fraud, 2FA is meant to prevent hackers from leveraging compromised user credentials, as they cannot log into the user account unless they also possess the second factor. This explains why more and more online services are making 2FA a default feature.
However, there are significant differences between each 2FA method, and the risks it poses. By Reddit’s own admission, “we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”
It’s well documented that SMS-transmitted one-time password tokens (OTPs) are vulnerable to interception (e.g., SIM-swap or mobile number port-out scams). That’s why the National Institute of Standards and Technologies (NIST) in its Special Publication 800-63 Guidelines recommends restricting the use of SMS for an OTP and advises to completely remove OTP via email. Instead, NIST is propagating the use of either application-enabled or hardware-based security keys that are leveraging the FIDO standard.
For example, Google has apparently eliminated phishing by giving security keys to all of its 85,000 employees. The hardware-based security key is used by the user to complete the login process simply by inserting a USB device.
The Reddit data breach is the latest reminder that security professionals need to keep pace with technology advancements to counter bad actors’ innovations in attack methodologies. While SMS-based two-factor authentication was sufficient a decade ago, it is no longer foolproof.
In addition to using advanced two-factor authentication methods, organizations should consider risk-based authentication powered by machine learning to detect abnormal user behavior. This approach can enforce appropriate responses when risky behavior is detected such as automatically blocking access or challenging the user with a step-up authentication request.
Ultimately, the Reddit data breach illustrates the importance of rolling out a Zero Trust Security approach designed to verify the user, validate their device, limit access and privilege, and learn and adapt to new risks.