Reddit.com yesterday disclosed that it suffered a data breach, which appears to have exposed proprietary data such as the site’s source code, as well as user email addresses and, in the case of some of its longtime users, old, salted-and-hashed passwords (i.e., representations of users’ passwords from which the passwords cannot be easily extrapolated).
While a data breach limited to such materials seems relatively minor, Reddit’s clarification that the criminals behind the breach undermined multi-factor authentication should raise alarms. To breach the system, hackers had to provide not only an administrator’s password, but also a one-time-code that was sent to the administrator via text message (i.e., via SMS).
Reddit has not disclosed details as to how the one-time-code was captured by the criminals involved, other than stating that “the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
SMS one-time codes can be intercepted in a number of ways: As I have discussed previously, criminals sometimes social engineer mobile-service providers into transferring other people’s cellphone numbers to them, an act which obviously lets the crooks receive one-time passwords intended for others. There are also technologically sophisticated ways of cloning the theoretically unique identifiers that allow mobile providers to correlate phones with their respective accounts, as well as other ways of physically intercepting the wirelessly transmitted codes. Of course, malware on a victim’s phone can often also capture such codes, as can phishing sites that request one-time codes from users along with their passwords and relay them in real time to the legitimate sites being impersonated.
As such, and contrary to the advice offered by some “experts” over the past 24 hours, replacing SMS-sent one-time-codes with codes generated by apps such as Authy and Google Authenticator that run on one’s mobile device (for full disclosure: I use both) will not mitigate many of the risks that SMS-based codes present. These apps may offer better security than SMS, but such security is still inadequate in highly sensitive situations. Furthermore, the inconvenience presented by authenticator apps when migrating to a new cellphone – users often must individually reset authentication configurations on each and every site protected by codes generated by the app – is, for many folks, an incentive not to migrate from SMS to apps.
Using multiple, invisible forms of authentication – looking for unique attributes of the people using devices, their patterns of usage, and the devices themselves – may prove to be a better approach, as might the use of security tokens that must be attached to devices in order to authenticate when accessing systems from those devices. The former approach offers far greater convenience during regular usage, while the latter offers easier upgrading to new devices; combined, however, they might offer the best of both worlds. Additionally, these approaches are better implementations of true multi-factor authentication – as one-time codes are, technically speaking, second passwords (i.e., something that only the legitimate party ostensibly knows), not a second form of authentication (such as something the legitimate party possesses or physically is).
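To make the “second password” point concrete, here is an added example (not code from the article or from Reddit) that contrasts the two designs. It assumes constructed demo secrets and placeholder origins, implements a standard RFC 6238 TOTP check, and uses a shared-key HMAC as a stand-in for a hardware token’s signature over the server challenge and the browser-reported origin (a simplification of how origin-bound tokens work, not a WebAuthn implementation).

```python
import hashlib
import hmac
import struct

# Constructed demo secrets; real systems provision these per user and per token.
TOTP_SECRET = b"constructed-shared-secret"
TOKEN_KEY = b"constructed-token-private-key"
REAL_ORIGIN = "https://www.example.com"        # placeholder legitimate site
LOOKALIKE_ORIGIN = "https://login.example.net"  # placeholder phishing site


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(submitted: str, t: int) -> bool:
    """The server can only compare strings; it cannot tell who typed the code
    or on which site it was entered, so a code forwarded within the validity
    window is indistinguishable from one typed by the legitimate user."""
    return any(hmac.compare_digest(submitted, totp(TOTP_SECRET, t + d))
               for d in (-30, 0, 30))


def token_sign(challenge: bytes, origin: str) -> bytes:
    """Possession factor: the token signs the challenge together with the
    origin the browser actually connected to (HMAC stands in for a signature)."""
    return hmac.new(TOKEN_KEY, origin.encode() + b"|" + challenge,
                    hashlib.sha256).digest()


def server_accepts_assertion(challenge: bytes, assertion: bytes) -> bool:
    """The server verifies against its own origin, not whatever the client claims."""
    expected = token_sign(challenge, REAL_ORIGIN)
    return hmac.compare_digest(assertion, expected)


def relay_scenario(now: int) -> tuple[bool, bool]:
    """Return (relayed OTP accepted?, relayed token assertion accepted?)."""
    # The user enters a valid code on the look-alike page, which forwards the
    # same string to the real site a few seconds later.
    code_typed_on_lookalike = totp(TOTP_SECRET, now)
    otp_result = server_accepts_totp(code_typed_on_lookalike, now + 5)
    # With a token, the assertion is bound to the origin the user was really
    # on, so it does not verify for the legitimate site.
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    assertion_from_lookalike = token_sign(challenge, LOOKALIKE_ORIGIN)
    token_result = server_accepts_assertion(challenge, assertion_from_lookalike)
    return otp_result, token_result
```

The TOTP routine is checked against the RFC 6238 reference vector; `relay_scenario` returns `(True, False)`, which is the whole argument in one line: the code is accepted regardless of where it was typed, the origin-bound assertion is not.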
Ironically, the present discussion is not new – similar conversations about the vulnerabilities of using one-time passwords to authenticate over the Internet, and the benefits of authenticating via invisible fingerprints and hardware-based authentication were quite common nearly a decade and a half ago. Tokens and identification methods have advanced by many generations since then, but, at the same time, it seems that the more things change, the more they also remain the same.