Reddit has been in the news following an incident in which users’ login details were compromised. IT security experts commented below.
Frederik Mennes, Senior Manager Market & Security Strategy, Security Competence Center at OneSpan:
“In order to effectively deal with today’s cyber security threats, organizations should protect their accounts with strong, multi-factor authentication. Reddit did so, but unfortunately opted for a two-factor authentication technique with known security weaknesses, namely delivery of one-time codes via SMS. While it is not clear how the SMS codes were intercepted in the case of Reddit, earlier cases have shown that interception is usually performed using malware on the mobile phone, or by exploiting weaknesses in the SS7 networking protocol. Organizations should select sound multi-factor authentication techniques whereby one-time codes are generated by the client-side device, such as a mobile phone or hardware token. We applaud Reddit’s effort to encourage customers to use token-based two-factor authentication.”
Will LaSala, Director Security Solutions, Security Evangelist at OneSpan:
“SMS continues to plague enterprises that are solely reliant on the technology to solve their authentication needs. Even when combined with static passwords and PINs, SMS still offers a very low level of security.
“Being able to perform a wide-scale SMS attack is hard, but if you are able to identify key individuals with privileged access, then these accounts become prime targets for attack.
“In the wake of these privacy breaches, users should see the writing on the wall. They should move off of their SMS-based authentication systems and move on to more secure push-based or app-based mobile authentication technology. Enabling systems to understand the context of a login, and offering the correct form of authentication when it is needed, is an important objective to ensure users leverage more secure authentication technologies. If a context-aware orchestrated authentication system had been in place, perhaps the system would have noticed anomalies in the hackers’ login and could have correctly pushed for a stronger form of authentication in response to the strange logins. Correct authentication for the correct risk and fraud situation.”
Allen Scott, Consumer EMEA Director at McAfee:
“With over 330 million users, hackers had the potential to access a treasure trove of data, and Reddit members have a right to want answers about whether they are one of many whose data has been compromised. But with what seems like a constant stream of attacks on big brands this year, it is crucial for consumers themselves to take steps to secure their personal security NOW. We can’t rely on businesses to do it all for us, especially considering some of the high profile, reputable companies that have become yet another victim of these sophisticated cyber criminals this year.
“We cannot rely on single-factor authentication for our passwords to protect our digital lives. In this instance, even Reddit’s two-factor authentication couldn’t keep the criminals at bay. I’m sure many people have the same password linked across their social media accounts. In fact, recent McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up to and this needs to change immediately.
“A cybercriminal only needs to get their hands on one password to potentially gain access to private and even financial information across a number of accounts and apps. We understand it’s hard to remember all your passwords but there are tools such as password generators and managers that can help solve this problem and ensure you don’t become vulnerable to today’s digitally advanced criminals.”
- Change up your password. If you joined Reddit in 2007 or before, you should change up your password immediately. When changing your password, make sure the next one you create is a strong password that is hard for cybercriminals to crack. Include numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the more difficult it will be to crack. Avoid common and easy-to-crack passwords like “12345” or “password.”
- Keep an eye out for sketchy emails and messages. If you received an email from a Reddit digest in June, then there’s a chance the hacker has your email address. Cybercriminals can leverage this stolen information for phishing emails and social engineering scams. So, if you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email or message entirely.
- Don’t solely rely on SMS two-factor authentication (2FA). If anything, we can all learn a lesson from this Reddit breach – we can’t solely rely on SMS two-factor authentication anymore to secure our data. In fact, SMS is one of the weakest forms of 2FA. If you wish to lock down your data on your devices, it’s best to use app-based two-factor authentication, such as Google Authenticator.
David Emm, Principal Security Researcher at Kaspersky Lab:
“Passwords are here to stay in the short term, so it’s important that we get them right. It’s easier within a corporate context, where an organisation can set rules around setting these, like length and character type, but harder as a consumer, as we are faced with numerous online providers that might (and do) have their own rules and where there is therefore no consistency. Unique, complex passwords can be created by using a rule and some simple steps to create variability. Another option is to use a password manager for accounts that are less critical and have no financial information (i.e. credit card) linked to the account. In addition, it’s important to see this problem in context. Passwords shouldn’t be the only thing we use to authenticate.
“It’s good to see that Reddit have now put in place token-based two-factor authentication (2FA) for access to sensitive systems. This makes things much harder for an attacker. However, there are situations where the second factor isn’t really a second factor: for example, a one-time passcode sent to a mobile phone, for an account that is being accessed from the same device, offers no protection if the device has been stolen.
“It’s important to remember that we use a password to confirm our identity. So often today our e-mail address is the identity itself (i.e. our username). Many people have just one e-mail address and it’s often easy to guess, which compounds the problem. This is especially true if we use the same password across multiple sites: if our username and password are stolen in a security breach at an online provider’s site, they can also be recycled by an attacker – who can try them on many different sites in the hope that the same identity and authentication (username and password) have been used across the board. There’s a growing move towards the use of biometrics – fingerprints, iris scans, etc. – as a replacement for passwords, but in my view, they should rather be used to confirm our identity, with a password (or other mechanism – or ideally more than one) used to confirm that identity. If I choose a poor password and it is compromised, I can change it: if my fingerprint is compromised, there’s nothing I can do about it.”
Kaspersky Lab recommends the following advice to customers when choosing a new password:
- Make every password at least 15 characters long – but the longer the better.
- Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name, etc. can be found online – maybe even on your Facebook wall.
- Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
- Combine letters (including uppercase letters), numbers and symbols.
- Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.
- Use a different password for each account to prevent all of your accounts becoming vulnerable. If you find it hard to remember unique complex passwords, use a password manager to help you create, store and remember your passwords securely.
- Make use of two-factor authentication where available, as it adds an extra layer of security.
- If you suspect your password has been compromised, change it immediately.
Jake Moore, Security Specialist at ESET:
“Reddit is one of the world’s biggest websites, so a hack of any data at this level is quite a feat. The top websites around the world should always require further protection due to the scale and size of their databases; however, this will always attract attention from hackers, and kudos should their attack pay off.
It seems that the hackers here have obtained access to a database containing personally identifiable information of their users who joined the service between 2005 and 2007. Luckily these hacked passwords have been hashed and salted, meaning the passwords taken are not the ones actually used by the users. Salting a password is simply the addition of a unique, random string of characters known only to the site to each password before it is hashed. However, to be sure, it’s always best to change your password and activate two-factor authentication when a breach of any scale occurs.”
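To make the salting described in the quote above concrete, here is an added example (written for this article, not Reddit's code) that contrasts a bare hash with a salted, deliberately slow derivation using PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count and the sample password are illustrative.

```python
"""Salted, slow password hashing versus a bare hash (added example)."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # slows offline guessing; tune so one check takes ~100 ms
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def unsalted_sha1(password: str) -> str:
    """What an old database might hold: equal passwords give equal hashes,
    so one precomputed lookup table cracks every user with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.
    The salt is random and unique, so identical passwords produce different
    records and precomputed tables are useless; the iteration count makes
    each guess expensive."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time, so a mismatch does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    pw = "correct horse"   # constructed sample password
    print("bare hashes equal:", unsalted_sha1(pw) == unsalted_sha1(pw))
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("salted records differ:", rec_a != rec_b)
    print("verify ok:", verify_password(pw, rec_a),
          "wrong rejected:", not verify_password("wrong", rec_a))
```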
Richard Walters, CTO at CensorNet:
“The issue of two-factor authentication and how to implement it securely is not a new one, but this breach is likely to open up the conversation again. The initial idea of sending One Time Passcodes (OTPs) via SMS was a good one as, at the time, end-to-end encryption was mandated within the mobile network standards. However, that is no longer the case with 4G / LTE and sending simple OTPs via SMS is now pretty outdated. Authentication has moved on, as this breach at Reddit has shown.
“Reddit has said that two-factor authentication wasn’t as secure as it might have hoped, and others should take note of its admission. That isn’t, however, to say that adding layers of authentication isn’t worthwhile, but in a modern environment just using SMS codes won’t cut it. Instead, there needs to be additional context – such as day and time, IP address, geo-location and device fingerprint – to make sure someone really is who they say they are. Adding this context means that passcodes can be delivered by SMS, email, voicemail or via push notifications in encrypted apps without concern that they might be intercepted.”
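The "context-aware orchestrated authentication" in the OneSpan comment above and the contextual signals listed here (day and time, IP address, geo-location, device fingerprint) can be sketched as a risk score that decides whether to allow a login, step up to an app- or token-based code, or deny. This is an added illustration written for this article, not any vendor's product; the weights, thresholds and the sample profile are constructed.

```python
"""Context-aware step-up authentication decision (added example)."""
from dataclasses import dataclass


@dataclass
class UserProfile:
    known_devices: set        # device fingerprints seen before for this user
    usual_countries: set      # countries the user normally logs in from
    usual_hours: range        # local hours during which logins are normal
    privileged: bool = False  # admin accounts get a stricter threshold


@dataclass
class LoginContext:
    device_fingerprint: str
    country: str
    hour: int                 # local hour of the attempt, 0-23
    ip_flagged: bool          # IP appears on a reputation/threat list


def risk_score(profile: UserProfile, ctx: LoginContext) -> int:
    """Sum constructed weights for each anomalous signal."""
    score = 0
    if ctx.device_fingerprint not in profile.known_devices:
        score += 3
    if ctx.country not in profile.usual_countries:
        score += 3
    if ctx.hour not in profile.usual_hours:
        score += 1
    if ctx.ip_flagged:
        score += 4
    return score


def decide(profile: UserProfile, ctx: LoginContext) -> str:
    """'allow' on low risk, 'step_up' (require an app/token code, not SMS)
    on medium risk, 'deny' on high risk. Privileged accounts step up on
    any anomaly at all, since they are the prime targets."""
    score = risk_score(profile, ctx)
    step_up_at = 1 if profile.privileged else 3
    if score >= 7:
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    admin = UserProfile({"fp-laptop"}, {"US"}, range(8, 19), privileged=True)
    print(decide(admin, LoginContext("fp-laptop", "US", 10, False)))   # allow
    print(decide(admin, LoginContext("fp-unknown", "US", 10, False)))  # step_up
    print(decide(admin, LoginContext("fp-unknown", "RO", 3, True)))    # deny
```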
Rashmi Knowles, Field CTO EMEA at RSA Security:
“Security has evolved since SMS authentication and organisations need to do the same. SMS is not true multi-factor authentication, as it is sent from a network to the phone, giving hackers an opportunity to intercept this message and hijack the user account. Instead, it is vital that true multi-factor authentication is mandatory in a company’s security strategy. For example, proximity-based solutions or biometrics can provide a simple way for users to prove who they are, while also reducing the risk of a breach. By putting another wall of defence up that can’t be mimicked, organisations can effectively manage their digital risk and keep user data secure.”
Emmanuel Schalit, CEO at Dashlane:
“Reddit, the front page of the internet, has fallen victim to one of the internet’s oldest issues: hacking. Late yesterday evening, Reddit disclosed that a hacker had broken into a “few of Reddit’s systems and managed to access some user data”. This included some current email addresses, and a 2007 database containing old salted and hashed passwords.
“We applaud Reddit for being so transparent. It’s not often that you see a company come out and give thorough details of a hack or breach event that has recently been discovered, however if you’ve ever signed up for a Reddit account, we recommend changing your password now.
“We are using more and more online accounts in our everyday lives, and that number doubles every 5 years. Managing passwords for all these accounts has become incredibly hard. Most of us react to this problem with indifference and tend to use the same password everywhere, which is incredibly poor cyber hygiene. We bury our heads in the sand and think that everything is fine; until we receive an email from Reddit saying our account details have been compromised.
“The majority of notable breaches stem from password hacks, and all users should take this opportunity to also make sure all of their passwords are strong across all of their accounts, not just Reddit. It’s always important to remember that the best way to protect your accounts is to use unique, complex passwords for every account.
“Still, with continued hacks, breaches, and data abuses, the fight to protect your personal data rages on—we will hopefully soon be in a world where private data remains private. Until then, make sure that all of your passwords are unique and complex, and that you change compromised passwords (and associated passwords) as soon as possible. This is made easy by using a password manager with Password Changer capability that can instantly generate and change your passwords in a single click, which is critical to ensure proper, regular cyber hygiene. That means no more password re-use.”
Robert Capps, Vice President at NuData Security:
“Fortunately, this Reddit breach doesn’t include credit card information. However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked. From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities; as little as an email address can go a long way in the hands of a bad actor.
Reddit is doing the right thing by immediately informing its global community of the extent of the damage, advising of the steps Reddit is taking and letting its community know what they should watch for and do.
However, continued reliance on static information to authenticate a user will continue to expose companies to those breaches carried out through admin accounts. This is why many customer-facing organisations that transact online are adopting multi-layered technology solutions that incorporate passive biometrics and behavioural analytics technology. This technology helps make stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data.”
Tyler Moffit, Senior Threat Research Analyst at Webroot:
“While Reddit’s use of SMS-based authentication is popular and much more secure than a password alone, it’s widely known to be vulnerable to cybercriminals who have hacked many celebrities using this method.
In this type of attack, the phone number is the weakest link. Cybercriminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication. For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number. This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax.
While it seems that the cybercriminals only have read-access to this data, I’m glad that Reddit is now moving to a token-based two-factor authentication model, which provides a greater layer of security.”
Keith Graham, CTO at SecureAuth + Core Security:
“It’s clear that with identity and credentials accounting for the majority of data breaches, more awareness and focus needs to be put on comprehensive authentication techniques to shore up organisations’ defences and prevent cyberattacks in the future.
Organisations need to go further than just two-factor authentication, utilising Identity platforms that join silos of data together to create comprehensive Identity controls. Part of those controls should be to implement adaptive authentication that combines techniques such as geographic location analysis, device recognition, IP reputation based threat services, and phone fraud prevention to address the threats at the identity level efficiently.”
Pravin Kothari, CEO at CipherCloud:
“Cyberattackers have substantially stepped up their game in a hack targeting some of Reddit’s systems. Per a Reddit posting, it appears the hackers accessed some user email addresses and an old 2007 database backup including older passwords. The big surprise is that they took a huge step up in their cyber threat tactics. The hackers apparently intercepted text messages containing two-factor authentication sent to an administrator’s mobile device. This attack was likely targeted to specific individuals so that they could enter both the password, which they had acquired, and the SMS text code which was sent to his or her mobile phone.
In these scenarios it is also possible that the mobile device was “cloned” whereby a second device used the same SIM card such that it could receive authentication data sent to the legitimate device. It is important for the community at large to understand as much about the use of this relatively new attack vector as Reddit can share.
Today, use of two-factor authentication is a best practice still not used by most authenticating systems. Even when two-factor is offered, for example, in Google’s Gmail, over 90 percent of the Gmail users don’t opt to use it. The Reddit attack shows us that the techniques, tactics and procedures of this highly sophisticated attacker now include interception of this SMS traffic to the targeted individual mobile phone. Consider how many financial systems use a cellphone SMS authentication to validate account sign-on?
How do you solve this problem? Given that 2-factor authentication is still a best practice the likely move by financial institutions will be to utilize token-based SMS systems, instead of mobile phone based systems. In any case 2-factor authentication, even with a mobile phone, is still much better than not using 2-factor.
Consider the serious nature of this expanded threat. The perpetrators behind this are likely committing multiple felonies in one fell swoop. The first felony is to access your account through fraudulent means. The second felony is that they are running a device similar to a Harris Sting-Ray. The use of a Sting-Ray device by private citizens is absolutely unlawful. The Sting-Ray and other similar devices are used by law enforcement to emulate a cellphone tower and intercept communications during a court authorized investigation. Organized crime obviously has access to this technology, and clearly used it, or something like it, to access the Reddit administrator authentication streams.
The good news? Not so well known to organized crime, is that these false cell towers used for SMS interception can also be detected by law enforcement. So if one is in suspected operation, law enforcement can find it, observe and document criminal activity, and then follow the trail back to far likely worse crimes committed by the same parties.”
Travis Biehn, Technical Strategist at Synopsys:
“The Reddit breach underscores how the application of best practices, like use of MFA, also need to be revisited over time as new attack techniques come to light.
You can look at the timeline for SMS hijacking techniques—the first practical attacks were presented a few years ago—and now these are being increasingly commoditised for a wide array of attackers.
Right now, the best users can do is rely on two factor authentication, which raises the cost for attackers, and use a password manager to reduce the risk of password re-use.
Attackers use this information in a few ways. First up, they’ll try account name and password pairs on other websites, exchanges, banks, and so on. Even though these passwords are salted and hashed, modern password hash cracking techniques can quickly recover over 90% of original password values. In fact, around 60% of a corpus can be recovered in as little as 3 hours on less than $10,000 worth of hardware.”
Sean Sullivan, Security Advisor at F-Secure:
“I recall discussing this when Twitter originally introduced its SMS-based 2FA/MFA back in 2013.
At the time, a few notable tech pundits and experts replied to me that I shouldn’t let “perfect be the enemy of good”. However, the problem with this is that SMS-based 2FA/MFA was never a good solution.
It took Twitter until late last year to finally implement a proper app-based MFA, which is four years wasted as rolling-out SMS-based MFA delayed a proper system and its value was very short-lived.
Reddit won’t be the last organisation to be breached via SMS authentication in the future. At this point, the use of SMS-based MFA for administrators should be considered negligent.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.