The risk of relying on SMS text messages as a second factor in user authentication is becoming more apparent as Reddit, the sixth most popular website in the world, revealed that hackers had intercepted SMS messages to steal data about users. Reddit’s announcement stated:
On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.
Reddit played down the significance of the breach itself. Most of the personal data compromised was from an old backup, including all the usernames, salted hashed passwords and email addresses of Reddit users between 2005 and 2007. Some current email addresses and usernames were also compromised.
Emphasis was placed on transitioning to a more secure token-based authentication system.
[We] took measures to guarantee that additional points of privileged access to Reddit’s systems are more secure (e.g., enhanced logging, more encryption and requiring token-based 2FA to gain entry since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident.)
Coincidentally, Reddit had already begun to beef up their security team.
In other news, we hired our very first Head of Security, and he started 2.5 months ago. I’m not going to out him in this thread for obvious reason, and he has been put through his paces in his first few months. So far he hasn’t quit.
On a related note, if you’d like to help out here and have a security background, we actually have a couple of open security roles right now.
Reddit averages around 1.5 billion monthly users. The self-styled ‘front page of the internet’ has a relaxed policy towards free speech that occasionally attracts the attention of mainstream news or prudish governments, but there are relatively few reasons to hack a website where commercial activity is minimal. The likely goals of these hackers were either to harvest usernames and passwords and test whether the same combinations are reused for other online accounts, or else to dox the real-life identities of Reddit’s many pseudonymous users.
Two-factor authentication using SMS has an increasingly bad reputation: it motivates SIM swapping, and SMS interception has been used for bank heists. Some businesses mistakenly describe their login as two-factor authentication when they are actually relying on SMS to deliver one-time passwords that serve as a single, standalone authentication factor. Ultimately, SMS-based authentication, vulnerabilities and all, is a stopgap for a more fundamental problem: the overreliance on passwords in an ecosystem that refused to make the investments needed to secure that data.
Too many are satisfied with a patch-up-and-make-do philosophy for security, where we are supposed to accept methods of authentication that we know will be compromised because it is cheaper in the short term to suffer those losses than to implement robust security. However, the long-term cost is high and keeps rising. First we made it reckless to rely solely on passwords; now we are inviting criminals to attack vulnerable second factors. There are already instances of biometric data being fraudulently compromised as well. Every time we spoil an additional method of authentication we increase the burden created by the next method we will have to put in its place. And if we continue down this path, we may run out of new and affordable ways to remotely verify the identity of the people we are doing business with.