Reddit 2FA Hack Raises More Questions About SMS Security
Hackers have bypassed two-factor authentication on Reddit, accessing the site’s user account database.
Between June 14th and June 18th this year, hackers were able to comb through data in some Reddit employees’ accounts, even though the login form was secured using via one-time SMS codes.
The hackers obtained email addresses, salted, hashed passwords, old site backups, message threads, and private messages, all contained in an old database.
Fortunately, most of the data acquired is more than 10 years old, so many of the account passwords will have been changed many years ago. Reddit staff will be contacting people who are most at risk, and they’ve reminded users to change all of their ancient passwords for other accounts.
If you signed up to Reddit before 2007, your personal data may have been caught up in the incident.
How Hackers Bypassed 2FA
Reddit believes that hackers used a man-in-the-middle attack to capture the 2FA codes and gain access to the accounts. This means that the SMS codes were intercepted before they even reached the employees’ phones.
It sounds technical, but it’s actually pretty simple. There are examples of fraudsters calling mobile networks and getting SMS messages diverted to another number.
There’s no phone malware involved, and no hack on the device itself. Often, the person who sets up the fake divert will call the real user first to trick them into giving up their security information.
More technical attacks involve changing the Signaling System 7 (or SS7) protocol, which is the software on a mobile phone that controls its communication with the network. Right now, SS7 has no security at all, so a hacker can spoof a command to redirect messages. This is a much more complex type of hack, but a potentially serious one.
Nobody knows how the hackers got in to Reddit’s employee accounts on this occasion. But Reddit issued a warning about SMS-based authentication, and urged companies to opt for token-based authentication instead.
That doesn’t necessarily mean you need to carry a token; Reddit is using authentication apps, and it suggests that other companies do the same thing.
Is 2FA Really All It’s Cracked Up to Be?
Having some form of two-factor authentication is better than having none. If you have the option, turn it on, even if it uses SMS codes.
However, moves to use SMS authentication with Visa transactions do cause a few alarm bells to ring, and the Reddit hack proves why. The higher the transaction value, the more likely it is that hackers will invest time and effort into hacking the transmission.
So if you’re able to use an authentication app like Authy, it’s always a safer option. That’s because the code is generated on your device and doesn’t need to be transmitted over a network.