r/announcements – We had a security incident. Here’s what you need to know.
Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team):
“This breach is particularly interesting because it is an example of SMS-based 2-factor authentication being used to compromise a major service provider. While SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack of a public service.
“Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS-based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers. The most common technique is most likely use of smartphone malware, which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user, but this seems less likely in such a targeted campaign. Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol, which is at the heart of modern telephony routing, or that they simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM. An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars’ worth of equipment.
“The moral of this story is that SMS-based 2-factor authentication should not be considered “strong” in the face of a determined attacker.”
Koby Kilimnik, security researcher at Imperva:
“If all the passwords leaked were indeed hashed and also salted, it would take an attacker a lot more time to crack those passwords and render them usable, since they need to find and compute each individual hash and can’t use a more efficient memory/CPU trade-off solution like rainbow tables. Notwithstanding that, I would still recommend changing your Reddit password, and if you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database.
“Another good idea is not to use the leaked password anywhere else. Although it’s hard to crack those passwords, once cracked, the chances are much greater that they will also be added to a dictionary in a future “credential stuffing attack.”
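The per-hash cost Kilimnik describes, shown as an added illustration that is not part of any quoted commentary: a table precomputed once over a wordlist recovers an unsalted dump with no hashing at attack time, while per-record salts force the whole wordlist to be re-hashed for every record. The wordlist, users, passwords and salts below are constructed sample data, and SHA-256 stands in for a slow password KDF to keep the example short.

```python
import hashlib

# Constructed sample data (not from the Reddit incident): a tiny candidate
# wordlist and three users' passwords, the last of which is not in the list.
WORDLIST = ["password", "letmein", "reddit2007", "hunter2", "qwerty"]
USERS = {"alice": "hunter2", "bob": "qwerty", "carol": "correct horse"}
# Fixed per-user salts so the example is deterministic; real systems draw
# them from os.urandom and store them beside the hash.
SALTS = {"alice": b"s1", "bob": b"s2", "carol": b"s3"}
# SHA-256 stands in for a slow password KDF (bcrypt/scrypt/Argon2) to keep
# the example short; the salting argument is the same.

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def unsalted_dump(users):
    return {u: h(p.encode()) for u, p in users.items()}

def salted_dump(users, salts):
    return {u: (salts[u], h(salts[u] + p.encode())) for u, p in users.items()}

def precomputed_table(words):
    """Built once, reusable against every unsalted dump: the idea behind rainbow tables."""
    return {h(w.encode()): w for w in words}

def crack_unsalted(dump, table):
    """Pure lookups: recovered passwords plus the number of hashes computed at attack time (always 0)."""
    return {u: table[d] for u, d in dump.items() if d in table}, 0

def crack_salted(dump, words):
    """Each record carries its own salt, so the wordlist is re-hashed per record; returns hits and hash count."""
    hits, computed = {}, 0
    for u, (salt, digest) in dump.items():
        for w in words:
            computed += 1
            if h(salt + w.encode()) == digest:
                hits[u] = w
                break
    return hits, computed

def compare():
    """Attack both dump styles with the same wordlist and report the hash cost of each."""
    plain_hits, plain_cost = crack_unsalted(unsalted_dump(USERS), precomputed_table(WORDLIST))
    salt_hits, salt_cost = crack_salted(salted_dump(USERS, SALTS), WORDLIST)
    return {"unsalted": (plain_hits, plain_cost), "salted": (salt_hits, salt_cost)}

if __name__ == "__main__":
    print(compare())
```

With a real wordlist of millions of entries and a slow KDF, the salted cost grows as records times wordlist times KDF time, which is the point of the "a lot more time" remark above.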
CipherCloud CEO Pravin Kothari:
“Cyberattackers have substantially stepped up their game in a hack targeting some of Reddit’s systems. Per a Reddit posting, it appears the hackers accessed some user email addresses and an old 2007 database backup including older passwords. The big surprise is that they took a huge step up in their cyber threat tactics. The hackers apparently intercepted text messages containing two-factor authentication sent to an administrator’s mobile device. This attack was likely targeted to specific individuals so that they could enter both the password, which they had acquired, and the SMS text code which was sent to his or her mobile phone.
In these scenarios it is also possible that the mobile device was “cloned” whereby a second device used the same SIM card such that it could receive authentication data sent to the legitimate device. It is important for the community at large to understand as much about the use of this relatively new attack vector as Reddit can share.
Today, use of two-factor authentication is a best practice still not used by most authenticating systems. Even when two-factor is offered, for example, in Google’s Gmail, over 90 percent of the Gmail users don’t opt to use it. The Reddit attack shows us that the techniques, tactics and procedures of this highly sophisticated attacker now include interception of this SMS traffic to the targeted individual mobile phone. Consider how many financial systems use a cellphone SMS authentication to validate account sign-on.
How do you solve this problem? Given that 2-factor authentication is still a best practice, the likely move by financial institutions will be to utilize token-based SMS systems, instead of mobile phone based systems. In any case, 2-factor authentication, even with a mobile phone, is still much better than not using 2-factor.
Consider the serious nature of this expanded threat. The perpetrators behind this are likely committing multiple felonies in one fell swoop. The first felony is to access your account through fraudulent means. The second felony is that they are running a device similar to a Harris StingRay. The use of a StingRay device by private citizens is absolutely unlawful. The StingRay and other similar devices are used by law enforcement to emulate a cellphone tower and intercept communications during a court authorized investigation. Organized crime obviously has access to this technology, and clearly used it, or something like it, to access the Reddit administrator authentication streams.
The good news? Not so well known to organized crime is that these false cell towers used for SMS interception can also be detected by law enforcement. So if one is in suspected operation, law enforcement can find it, observe and document criminal activity, and then follow the trail back to likely far worse crimes committed by the same parties.”
Robert Capps, Vice President of Business Development, NuData Security, a Mastercard company:
“Fortunately, this Reddit breach doesn’t include credit card information. However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked. From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities; as little as an email address can go a long way in the hands of a bad actor.
“Reddit is doing the right thing by immediately informing its global community of the extent of the damage, advising of the steps Reddit is taking and letting its community know what they should watch for and do.
“However, continued reliance on static information to authenticate a user will continue to expose companies to those breaches carried out through admin accounts. This is why many customer-facing organizations that transact online are adopting multi-layered technology solutions that incorporate passive biometrics and behavioral analytics technology. This technology helps make stolen data valueless by verifying users based on their inherent behavior instead of relying on their data.”
Hed Kovetz, Co-Founder & CEO of Silverfort:
“Implementing multi-factor authentication (MFA) on servers and applications is currently a difficult and resource-consuming task. As a result, many servers and applications continue to rely on basic authentication methods (such as passwords) or legacy MFA methods that were implemented in the past, even if they are now known to be vulnerable. This is the case with SMS-based MFA, which was proven unsafe because the SMS message can be easily intercepted by attackers, along with the one-time code. Mobile MFA apps are much more secure, because they communicate over TLS. They also provide a better user experience.
“In addition, organizations should look for MFA solutions that can be easily upgraded whenever a superior MFA method is introduced into the market, without having to re-integrate with each individual application.”