In mid-June, an attacker broke into a few of Reddit’s systems and managed to access some user data using compromised employee accounts. It could be another data breach, but it’s not. Why? The compromised accounts were protected by SMS-based two-factor authentication. So, is basic 2FA no longer enough?
The incident
Last week, Reddit warned their users via a blog post that the company suffered a data breach compromising data’s user including passwords and email addresses (of groups of users that had accounts between 2004 and 2007), as well as company data, such as source code. Interestingly enough, the breach was carried out due to attackers were able to intercept SMS-based one-time-passcodes (OTP).
On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.
The attack happened despite that Reddit used two-factor authentication, which relied on a traditional password plus a unique code delivered via an SMS text message. In this case, the SMS messages were intercepted, according to the company statement. No further information about this interception was disclosed in the blog post but it really sounds like Reddit employees got SIM hijacked.
Nowadays, SIM hijacking, real-time phishing, and other attacks are quickly becoming a common threat. In these circumstances, it’s time to rethink 2FA and move on… For now, the incident forced Reddit to move to “stronger” token-based authentication.
Using 2FA alone is no longer enough
There are dozens of different varieties of two-factor authentication methods. OTP is probably the most common group in use today. This is due to its “easy” implementation and “acceptable” user experience. Some of these methods send one-time codes during the login process over SMS text or phone call, while others use email or more hardened verification apps like Duo recently acquired by Cisco for $2.5 Billion.
But, it’s not all a bed of roses. Some of these mechanisms aren’t technically two-factor at all. The idea of 2FA is to verify someone’s identity based on something they know and something they have (or something they are). However, sometimes the OTP is transformed into something that is sent to you. This transmission could be intercepted and the second barrier could disappear.
At this point, SMS and phone call interception are a tangible threat. In recent times, the security community has been paying attention to security weaknesses in the Signaling System No. 7 (SS7), the protocol that allows carrier networks to communicate with each other. SS7 has been designed with little security in mind1 and hackers can exploit it in order to intercept targeted users calls or text messages and therefore obtain their OTPs2.
By adding social engineering to the equation, we find another attack vector against basic 2FA: <strong>SIM hijacking</strong> or phone number porting (the attack involved in the Reddit incident). In this instance, an attacker uses social engineering to obtain users personal details and convince a cellular company’s representative into issuing the attacker with a new SIM card, or moving the victims’ phone number to a SIM card that the attacker already has3.
If we talk about social engineering, we cannot forget to mention: real-time phishing. A type of attack that involves interaction between the victim and the attacker in real-time. We’ve talked about this technique when we tested the FireEye tool ReelPhish.
Attacks against basic 2fA are a long-standing issue. In 2016, NIST started the process of deprecating the use of SMS/voice call out-of-band authentication. Finally, in 2017, the organization wrote in its Special Publication 800-63B that the likelihood of interception makes this method unreliable.
Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators.
Adding a layer of two-factor verification for login process is better than relying on a password alone, but it’s no longer enough.
Next Chess Move
As mentioned above, the variety and sophistication of attackers’ techniques are increasing. In this context, relying on basic 2FA to secure a business is definitely a bad choice. Instead, organizations need to move away from static authentication and focus on a better identity security by using adaptive and context-aware control capabilities.
Adaptive authentication is a method for selecting the right authentication factors depending on the user’s risk profile and tendencies in order to adapt the type of authentication to the situation and preserve the user experience.
This mechanism brings context (such as geolocation, user behavior or device profile) and identity data into a mix identifying the associated risk scores and selecting the appropriate levels of authentication in real-world scenarios.
Unlike standard “one size fits all” adaptive authentication allows understanding the risk with different workflows and circumstances. This approach avoids making low-risk activities inappropriately exhausting or high-risk activities too simple.
In a world in which end users are attacked so aggressively by scammers, adaptive authentication is essential. It’s time to move beyond
Footnotes
1. The problem is that SS7 is based on trust. Any request a telecom receives is considered legitimate. SANS Paper.
2. Researchers show how attackers can exploit SS7 exploits to drain Coinbase accounts. SCMAGAZINE.
3. Sim hijacking stories. Motherboard Article.