In June 2018, Reddit announced it experienced a breach after two-factor authentication was bypassed by attackers using deprecated SMS protocols. How were attackers able to bypass 2FA, and are there any other ways that attackers can do this? How can other sites avoid a repeat of the Reddit breach?
Attackers used deprecated SMS protocols to bypass two-factor authentication (2FA) on the social news discussion website in order to access read-only system files. The attacker located logs showing emails sent between June 3-17, 2018; this was one day before the online community was breached on June 18, 2018.
During this time, the attacker was able to read old text-based database backups that contained account credentials and email addresses used between 2005 and 2007. The attacker also had access to internal data that was not encrypted, such as source code, configuration files and other employee workspace files.
Reddit noted that mobile device malware can capture text-based SMS messages, such as those used to send one-time use PINs for password recovery. SMS messages are vulnerable to unauthorized access via the Signaling System 7 (SS7) telecommunication protocol that defines how telecommunication network devices connect to one another.
An attacker could use SS7 to steal a user's phone number and transfer it to a different SIM card; once the attacker controls the victim's phone number, social engineering attempts against the victim are more likely to succeed.
In addition, the attacker could contact the victim's mobile provider posing as the victim seeking technical support and have the phone disabled, or even reset the device's password. Victims could also be socially engineered via a phishing email that requests login data.
In order to prevent future attacks similar to the Reddit breach, sites should take several precautions, starting with moving away from SMS messages for 2FA. Admins should also:
- advise users to switch to token-based 2FA;
- encrypt logs, source code, configuration files, employee workspace files and database files so that they can only be decrypted by authorized users;
- educate users to create strong passwords and recognize phishing emails;
- require users to periodically change their passwords;
- educate tech support and users on the risks of being socially engineered by attackers; and
- harden token-based 2FA by adding biometrics, such as voice recognition or fingerprint authentication.
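The first recommendation above, token-based 2FA, is usually implemented with a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app, so no code ever crosses the SMS network. The following server-side verifier is an added example written for this page and is not code from Reddit or from the article's author. It assumes a Python application that stores a per-user secret and the counter of the last accepted code; the secret `RFC_TEST_SECRET` is the published RFC 6238 test key, used here only as a constructed sample input, and the issuer and account names in the provisioning URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed sample input: the ASCII test key from RFC 6238 Appendix B.
# A real deployment generates a fresh random secret per user (see new_secret).
RFC_TEST_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> bytes:
    """Generate a random per-user TOTP secret (20 bytes for HMAC-SHA1)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that authenticator apps read from a QR code.

    Base32 without padding is the form authenticator apps expect.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time-step counter."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int, last_used_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Check a submitted code against the current step and +/- `window` steps.

    Returns (accepted, counter_to_store). Any counter at or below the last
    accepted one is refused, so a captured code cannot be replayed within the
    tolerance window. The caller must persist the returned counter per user.
    """
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if last_used_counter is not None and c <= last_used_counter:
            continue
        expected = totp(secret, c * step, step, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return True, c
    return False, last_used_counter


if __name__ == "__main__":
    # Enrollment: hand this URI to the user's authenticator app as a QR code.
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "ExampleSite"))
    # Login: the app shows the code for the current time; the server verifies it.
    print(totp(RFC_TEST_SECRET, 59), verify_totp(RFC_TEST_SECRET, "287082", 59))
```

Two details matter for the threat described in the article: the secret is shared once at enrollment (through the QR code) and afterwards only the user's device computes codes, so there is nothing for SS7 interception or a SIM swap to capture; and the stored `last_used_counter` ensures that even a code read off a compromised phone cannot be reused after the legitimate login.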
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)