Password breach teaches Reddit that, yes, phone-based 2FA is that bad

August 2, 2018 at 12:03AM Ars Technica Password breach teaches Reddit that, yes, phone-based 2FA is that bad

< !DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.

In a post published Wednesday, Reddit said an attacker breached several employee accounts in mid-June. The attacker then accessed a complete copy of backup data spanning from the site’s launch in 2005 to May 2007. The data included cryptographically salted and hashed password data from that period, along with corresponding user names, email addresses, and all user content, including private messages. The attacker also obtained email digests that were sent between June 3 and June 17 of this year. Those digests included usernames and their associated email address, along with Reddit-suggested posts from safe-for-work subreddits users were subscribed to.

Wednesday’s post said that the breached employee accounts were protected by 2FA, which typically requires people to take an extra step beyond entering a password when accessing an account from a new computer. In most cases, the extra step is the entering of a one-time password (OTP) that’s sent to or generated by a mobile phone. More secure yet, the 2FA is in the form of a cryptographic token sent by a security key attached to a device logging in. The 2FA protecting the Reddit accounts, however, relied on OTPs sent through SMS messages, despite reports over the years (such as this one) that make it amply clear they are susceptible to interception.

School of hard knocks

“Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2fa), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit officials wrote. “We point this out to encourage everyone here to move to token-based 2fa.”

SMS-transmitted OTPs are susceptible to a variety of attacks. One is by obtaining control of a target’s cell phone number, often by calling the cellular provider or going into a retail store of the provider and impersonating the subscriber. In 2016, the chief technology officer of the US Federal Trade Commission had her number hijacked this way. In other cases, the interception is the result of compromising the mobile account because it’s protected by a password the subscriber used on a different site that was breached. Still other interceptions are the result of exploiting decade-old weaknesses in the SS7 routing protocol that carriers around the world use to ensure their networks interoperate. OTPs are also vulnerable to phishing and social engineering attacks, as long as the attackers enter the codes quickly after obtaining them.

Over the past several years, SMS-based 2FA has fallen out of favor as more people have adopted mobile apps, such as Google Authenticator or Duo, which generate OTPs. This form of 2FA is better than SMS, but it’s still potentially flawed because OTPs can be phished or obtained through social engineering. In more targeted and sophisticated attacks, the mobile phone might also be infected with malware.

A far more robust mechanism for providing 2FA is the use of physical security keys that connect directly to the computer being used to log in. After a user enters the correct password, sites that are configured to support security tokens will require the person to tap a button on the device. A cryptographic key embedded in the device then sends a code that provides the second form of authentication. This form of authentication is far superior to SMS- and even app-enabled 2FA because the secret can’t be phished, divulged, or intercepted. (An attack disclosed in March that used a Chrome feature to trick users into divulging the secret material on their physical keys no longer works.)

The upshot of all of this is that SMS-based 2FA is better than no 2FA at all, but only minimally so. Sites that allow stronger forms of 2FA but offer SMS- or call-based 2FA as a fallback should take notice. An intermediate improvement is to use phone-based apps with no fallback to SMS. The most superior forms of 2FA that are viable now include physical tokens with no use of OTPs or, if that’s considered too difficult for users, OTPs generated solely by apps. Security practitioners have been preaching this gospel for years. Reddit’s post demonstrates that people who should know better aren’t always heeding this advice.