    Reddit Discloses Data Breach Due to Intercept of SMS 2FA

By Sean Michael Kerner, August 2, 2018

      Social networking site Reddit announced on Aug. 1 that it was the victim of a data breach.

While the breach Reddit disclosed was new, much of the data the attackers took was not. After bypassing the SMS-based two-factor authentication (2FA) protecting several Reddit employee accounts, attackers were able to steal an 11-year-old database backup from 2007 that included every user password from the site’s launch in 2005 through May 2007.

      “A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords,” Reddit wrote in an advisory. “Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”

Reddit discovered the breach on June 19, and its initial investigation found that attackers had compromised several employee accounts between June 14 and June 15. The compromised accounts were not on Reddit’s own systems but with the source code and cloud hosting providers Reddit uses; those accounts gave the attackers access to the backup.

The user passwords in the stolen backup were salted and hashed rather than stored in clear text, which makes them harder to use: an attacker must run an offline guessing attack against each hash, which still succeeds against weak passwords, and 2007-era hashing was weaker than today’s. The backup also contained usernames and email addresses in the clear. Reddit is now warning users who have not changed their password since 2007 to reset it.

      2FA Bypass

      Of particular note in Reddit’s disclosure is how the attackers were able to get access to the employee accounts.

      “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit disclosed.

With 2FA, a second factor beyond the password is needed to get access. With SMS-based 2FA, that factor is a one-time code texted to the user’s phone, which the user then types into the login form. The weakness is the delivery channel: the code is a bearer secret, and anyone who can read the text message, whether by convincing the carrier to move the number to a new SIM (SIM swapping), by rerouting it through the carrier’s SS7 signaling network, or with malware on the handset, can use it. Reddit did not say which interception technique was used. Back in July 2016, the U.S. National Institute of Standards and Technology (NIST) had already deprecated SMS as an out-of-band authenticator in the draft of its Digital Authentication Guideline (SP 800-63-3), warning that it should not be relied on.

There are a number of options besides SMS-based 2FA, including software authenticators that generate time-based one-time passwords (TOTP) on the device itself, so that no code ever crosses the carrier network. For the consumer-facing side of 2FA, Twitter notably moved beyond SMS-based 2FA in July 2017, adding support for token-based systems including Duo and Authy.

There are also hardware-based 2FA mechanisms, such as a security key that performs a challenge-response signature rather than displaying a code. Google began deploying security key technology in October 2014 to protect its employee accounts, and in 2016 Google researchers published an extensive study of that deployment (“Security Keys: Practical Cryptographic Second Factors for the Modern Web”) providing evidence of the strong protection the approach provides.

      Why 2FA Matters

Although Reddit attributes its breach to an SMS bypass of 2FA, it is important to understand why any form of 2FA is still better than none.

In a data breach where usernames and passwords are stolen, an account without 2FA can be taken over with those credentials alone. With 2FA of any sort in place, the attacker has to do more work and must defeat the second-factor challenge to get in.

While SMS is not as secure as other 2FA approaches, it still raises the cost of an attack, since not every attacker has the access or resources to intercept text messages (though real-time phishing can relay a code without touching the carrier at all). That said, token-based 2FA is becoming easier to deploy, with third-party authenticator apps and the emerging WebAuthn standard. WebAuthn, announced on April 12, 2018, defines a browser API for strong, non-SMS authentication with security keys and other authenticators: the authenticator signs a fresh server challenge together with the site’s origin, so an intercepted message or a code-stealing phishing page yields nothing an attacker can replay, and the standard will be supported by the major web browsers.
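Why a WebAuthn assertion cannot be intercepted and replayed the way an SMS code can, as an added example that is not from Reddit, the W3C specification text or any library: the relying-party checks from the WebAuthn assertion-verification procedure that run before the signature is even examined, in Python with the standard library. The relying-party id `example.com`, the origin, the challenge and the sample `clientDataJSON`/`authenticatorData` values are constructed for this example. The final step, verifying the authenticator’s signature over `authenticatorData || SHA-256(clientDataJSON)` with the credential’s stored public key, needs a crypto library and is marked in the code rather than implemented.

```python
# Added example (not Reddit's, the W3C's or any library's code): the checks a
# WebAuthn relying party applies to an assertion before examining its
# signature. Standard library only; every sample value below is constructed.
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                    # assumed relying-party id
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the site is served from

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ..."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(auth_data[32] & FLAG_USER_PRESENT),
        "user_verified": bool(auth_data[32] & FLAG_USER_VERIFIED),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int):
    """Return (ok, reason) for the type/challenge/origin/rpId/counter steps of
    the WebAuthn 'verifying an authentication assertion' procedure."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is a fresh server nonce: a captured assertion is useless for
    # any later login because the server will have issued a different one.
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser, not the page, records the origin, so a look-alike phishing
    # site yields an assertion that names the wrong origin.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %s" % client.get("origin")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad["user_present"]:
        return False, "user presence not asserted"
    # A signature counter that fails to advance suggests a cloned authenticator.
    if (ad["sign_count"] or stored_sign_count) and ad["sign_count"] <= stored_sign_count:
        return False, "signature counter did not advance"
    # Still required before accepting: verify the signature over
    # auth_data || SHA-256(client_data_json) with the credential's stored
    # public key (e.g. ECDSA P-256 via a crypto library such as `cryptography`).
    return True, "ok"


# Constructed stand-ins for what a browser and authenticator would produce.
def make_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> bytes:
    return json.dumps({"type": ceremony, "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, sign_count: int,
                   flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server uses os.urandom(32)
    print(check_assertion(make_client_data(challenge, "https://example.com"),
                          make_auth_data("example.com", 5), challenge, 4))
    # Phishing page on a look-alike domain: the browser scopes the credential to
    # that domain and records its origin, so the assertion is rejected.
    print(check_assertion(make_client_data(challenge, "https://examp1e.com"),
                          make_auth_data("examp1e.com", 5), challenge, 4))
```

Contrast this with the SMS code above: the code carries no information about where or when it was meant to be used, so anyone holding it can present it anywhere within its validity window. The WebAuthn assertion is bound to one challenge and one origin by the browser and the authenticator, which is what makes intercepting it pointless.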

SMS-based 2FA is better than nothing, but hopefully, in the aftermath of the Reddit disclosure, more organizations will move to more secure forms of 2FA.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
