Reddit was hacked.
The attackers managed to extract logins, e-mail addresses, passwords (salted and hashed, fortunately), and even a complete list of private messages from users who joined the site before 2007.
The hackers were also able to access the e-mail addresses and logins of all users who received the site’s newsletter in June 2018.
The SMS authentication failed. The attackers were able to intercept SMS messages containing one-time passwords, gaining access to the accounts of several Reddit employees.
Let’s take a closer look:
- What exactly happened, and what is Reddit doing to minimize the consequences of the attack?
- Who were the victims of the Reddit attack, and how can you tell if you’re one of them?
- Why did the SMS-based two-factor authentication fail, and what can you replace SMS messages with if you’re still using them?
Reddit just disclosed a breach, says it’s still investigating severity. Of particular note was that the intruders managed to bypass SMS-based two-factor authentication in the compromise. https://t.co/LCu6XAVn34 This is why physical 2-factor or at least app-based 2FA is superior.
— briankrebs (@briankrebs) August 1, 2018
How Reddit was hacked
On June 19, 2018, the Reddit team realized that there had been a data leak. The attack itself happened sometime between June 14 and 18. The attackers managed to compromise the accounts of several Reddit employees who had access to cloud storage and source code.
Access to the employees’ accounts was protected by two-factor authentication, but through the traditional, old-fashioned method of delivering one-time passwords in SMS messages. The attackers intercepted the SMS messages containing one-time passwords and were able to bypass two-factor authentication. If all of Reddit’s staff had been using hardware tokens, the hackers wouldn’t have had even a chance at succeeding.
Despite the seriousness of the attack, the attackers weren’t able to make any changes to the system. They had only read access. Nonetheless, they were able to view source code, configuration files, and internal logs. They were also able to download backups.
Thus, all data regarding users and the operation of the forum, from its founding until 2007, fell into the hackers’ hands. The attackers also downloaded a database of e-mail addresses belonging to users who received e-mail newsletters in June 2018.
What Reddit has done
First of all, Reddit’s administrators strengthened the security of the logging, encryption, and monitoring systems. They also discontinued SMS authentication, in favor of software and hardware OTP tokens.
They reported the incident to law enforcement agencies, and an investigation was launched.
Reddit users who may have been affected were sent messages with information about the incident, encouraging them to look after the security of their accounts — change passwords, enable two-factor authentication. Detailed instructions on how to activate two-factor authentication for Reddit are available here.
So is Reddit actually emailing people who had their addresses and usernames exposed? The way this reads, it doesn’t sound like it and they’re relying on people to check if they’ve been receiving email digests and draw a conclusion from that, right? https://t.co/s2pFDAD9NN
— Troy Hunt (@troyhunt) August 1, 2018
Who was affected by the Reddit attack
Reddit’s team is not disclosing the number of affected users. All the same, we’re talking about millions of people.
The affected users can be divided into 2 groups:
- Everyone who registered for the site through May 2007. The hackers obtained a backup dated May 2007, containing all data stored in Reddit’s databases from its founding (in 2005) through May 2007. This includes usernames and passwords, e-mail addresses, and all content posted by users on the site, as well as private messages. The passwords were salted and hashed, which is good. How do I know if I’m affected? Reddit users in this group will receive messages with a request to change their passwords and instructions on how to do so.
- Everyone signed up for Reddit e-mail newsletters who received one from June 3–17, 2018. The hackers obtained data regarding e-mail newsletters generated from June 3 to June 17, 2018. This includes the actual newsletter templates, as well as the database of e-mail addresses and associated Reddit usernames. How do I know if I’m affected? Check to see if you received a message from the address [email protected] between June 3 and June 17, 2018.
| Read also: Man In The Middle Attack Prevention And Detection
Why the SMS-based two-factor authentication failed
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.” – Reddit
SMS authentication is still very popular. It’s convenient for companies to send out SMS messages instead of purchasing separate hardware tokens and handing them out to users, or asking users to install an extra application on their smartphones.
And of course, SMS authentication is better than a simple login and password. However, there are a number of reasons why the use of SMS messages for two-factor authentication is considered insecure.
- Risk of SIM card replacement. An attacker requests a replacement SIM card with the telephone number of the victim. That’s it. The one-time passwords land straight in the hacker’s hands! In most cases, not much information is required to obtain a replacement SIM card — a few phone numbers the subscriber has recently called, an address, and the last four digits of their Social Security number for mobile phone companies in the United States, or sometimes a credit card number.This kind of data is often sold on the dark web, and some of it can easily be overheard, viewed illicitly, scouted out by social engineering, found on social networks, or faked.Sometimes, gaining the pity of the call center staff is all it takes or making friends with them.
- Cellular network vulnerabilities. The security of SMS authentication relies completely on the security of the cellular networks over which the messages containing one-time passwords are sent. Hacking attacks against cellular networks over the SS7 protocol aren’t uncommon, so it would be foolish to depend on SMS messages being unable to be intercepted. By default, SMS messages are not encrypted, which similarly plays right into the hackers’ hands. After intercepting an SMS message containing a one-time password, it can be used immediately for fraudulent purposes.What’s more, SMS messages are stored on SMS center servers in plain text, in an unencrypted form, until they are successfully delivered to subscribers. Any employee of an SMS center with the requisite access can view or even alter a message. There are also equivalent pieces of spyware, capable of automatically reading, writing, and forwarding SMS messages to an attacker.
- Smartphone viruses. Viruses are written for mobile devices just as they are for computers. And accidentally infecting your smartphone with a virus is as easy as 1-2-3. Many Trojans, such as Zeus, Zitmo, Citadel, and Perkele make use of open access to SMS messages on smartphones specifically in order to intercept one-time passwords. Some viruses allow their creators to track all SMS messages, including those containing one-time passwords. Other viruses can redirect voice calls to a number controlled by the hacker, assist the hacker in creating a duplicate SIM card, or acquire the information required to request a replacement SIM card for the victim.All this makes it easy to talk about the vulnerabilities of SMS authentication, and to recommend abandoning this method of one-time password delivery. Reddit’s employees have made it clear that this is far from just empty talk or horror stories, but a reality that anybody could be faced with.
| Read also: Dutch Scientists: SMS Verification Is Vulnerable
There’s a way out: OTP tokens
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” – Reddit
SMS authentication needs to be discontinued immediately; that’s for sure. But what can we replace it with? What alternatives are there?
So far, there are only three:
- Software OTP tokens, in the form of an Android or iOS application. Generating one-time passwords directly on a smartphone solves two of the three problems described above. The one-time passwords cannot be intercepted. A replacement SIM card is worth nothing to a hacker. However, a smartphone is still vulnerable to viruses.Inconvenient situations can also come up if a smartphone is lost or stolen, or if a user accidentally deletes the app or restores the phone to its factory default state. In such a situation, restoring access to every site with two-factor authentication enabled requires a lot of time and effort. To avoid landing in one of these situations, read this article.The most well-known one-time password generator app is Google Authenticator. But there are also other, more advanced options available. Recently, we prepared an overview of the most popular authenticator apps on Google Play. Be sure to take a look if you intend to start using an OTP app.
- Hardware OTP tokens. These are separate devices, in the form of key fobs, USB flash drives, or plastic cards. These devices have just a single purpose: generating one-time passwords. Hardware tokens are isolated from any and all networks, and work entirely on their own. That excludes the possibility of a one-time password being intercepted, or of the device being infected by viruses.The most modern hardware token is the reprogrammable Protectimus Slim NFC. It’s designed to replace software tokens where doing so wasn’t possible previously. Out of all the available hardware tokens, only the Protectimus Slim NFC can be connected to Reddit. You can read how to do so here.
- Messaging service chatbots. A new innovation that allows companies to save considerable amounts of money involves simply replacing SMS with chatbots on Telegram, Viber, Messenger, and other messaging services.Messages on these messaging services are transmitted in an encrypted form. Even intercepting one of these messages is useless to a hacker.Generally, access to messaging services can be additionally protected using a password and two-factor authentication. That way, even if someone forges a replacement SIM card for the user, they won’t have any access to the messaging service. And in any case, the user will receive a notification about any access attempts from unrecognized devices.Granted, chatbots aren’t safe from viruses. They also aren’t protected from users’ own shortsightedness, as users may leave messaging services open on some devices. This is, however, each user’s own responsibility.
For your convenience, we’ve prepared a table comparing all the current one-time password delivery and generation options. As you can see, each method has its pros and cons, but OTP tokens can be considered the most reliable option.
|Cellular network connection not necessary||no||yes||yes||yes|
|OTP cannot be intercepted during delivery||no||yes||yes||yes|
|Token cannot be compromised by SIM card forgery||no||yes||yes||yes1|
|Internet not required||yes||yes||yes||no|
|Not vulnerable to virus infections||no||no||yes||no|
|Token availability independent of phone battery life||no||no||yes||yes2|
|Token available free of charge for individual users and businesses alike||no||yes||no||yes3|
|No end-user action required for issuing||yes||no4||no5||no6|
- ↑It is important to set up a password, and preferably two-factor authentication, for accessing the messaging services you will be using. Most messaging services can send notifications about access attempts from unrecognized devices; check to see if your messaging service offers this function.
- ↑Most messaging services also have web and desktop versions. You can use these if your phone’s battery runs out.
- ↑Besides one-time passwords, other kinds of notifications can be delivered through messaging services for free. The cost of sending and receiving SMS messages can quickly add up. The Protectimus Bot chatbots help our clients achieve significant savings in this regard.
- ↑The user must install an app and issue a token linked to a concrete resource.
- ↑Hardware tokens must be distributed to users in some manner (sent by mail, or delivered in person by hand). Users must also link their tokens to their accounts.
- ↑Users must find the corresponding chatbot for the messaging platform of their choice, receive a unique chat ID, and link their tokens to their accounts using this ID.
Reddit is one of the top 10 sites in the world; every month, it receives more than 524 million visitors. The number of registered users is estimated to be in the hundreds of millions.
The security of these people’s personal data was put at risk because Reddit’s management and IT security team did not follow recommendations from NIST (the US National Institute of Standards and Technology) and leading cybersecurity experts. They were too late in discontinuing the use of SMS authentication in favor of software and hardware OTP tokens.
Don’t be like Reddit. Switch to tokens now!
Some companies have already listened. For example, a few weeks ago, it was announced that Instagram users will have the opportunity to connect two-factor authentication apps in the near future. Once this option becomes available, you’ll also be able to use Protectimus Slim NFC hardware tokens for two-factor authentication on Instagram.
- How to Protect Your Privacy on Facebook
- Mobile Authentication Pros and Cons
- Hardware or Software Token – Which One to Choose?
- The Evolution of Two-Step Authentication
- 10 Basic BYOD Security Rules
- Ransomware – to Pay or Not to Pay
- The Most Common Ways of Credit Card Fraud
- Top 7 Tips How to Protect Yourself from Phishing Scams
- Doxing. What Is It? How to Dox? How to Protect Yourself from Doxing?
Main image source: suwalls.com