Reddit has been in the news, following an incident where users’ login details were compromised. IT security experts commented below.
Frederik Mennes, Senior Manager Market & Security Strategy, Security Competence Center at OneSpan:
Will LaSala, Director Security Solutions, Security Evangelist at OneSpan:
“Being able to perform a wide-scale SMS attack is hard, but if you are able to identify key individuals with privileged access, then these accounts become prime targets for attack.
“In the wake of these privacy breaches, users should see the writing on the wall. They should move off of their SMS-based authentication systems and move on to more secure push-based or app-based mobile authentication technology. Enabling systems to understand the context of a login, and offering the correct form of authentication when it is needed, is an important objective to ensure users leverage more secure authentication technologies. If a context-aware orchestrated authentication system had been in place, perhaps the system would have noticed anomalies in the hackers’ login and could have correctly pushed for a stronger form of authentication in response to the strange logins. Correct authentication for the correct risk and fraud situation.”
Allen Scott, Consumer EMEA Director at McAfee:
“We cannot rely on single-factor authentication for our passwords to protect our digital lives. In this instance, even Reddit’s two-factor authentication couldn’t keep the criminals at bay. I’m sure many people have the same password linked across their social media accounts. In fact, recent McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up to and this needs to change immediately.
“A cybercriminal only needs to get their hands on one password to potentially gain access to private and even financial information across a number of accounts and apps. We understand it’s hard to remember all your passwords but there are tools such as password generators and managers that can help solve this problem and ensure you don’t become vulnerable to today’s digitally advanced criminals.”
- Change up your password. If you joined Reddit in 2007 or before, you should change up your password immediately. When changing your password, make sure the next one you create is a strong password that is hard for cybercriminals to crack. Include numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the more difficult it will be to crack. Avoid common and easy to crack passwords like “12345” or “password.”
- Keep an eye out for sketchy emails and messages. If you received an email from a Reddit digest in June, then there’s a chance the hacker has your email address. Cybercriminals can leverage this stolen information for phishing emails and social engineering scams. So, if you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email or message entirely.
- Don’t solely rely on SMS two-factor authentication (2FA). If anything, we can all learn a lesson from this Reddit breach – we can’t solely rely on SMS two-factor authentication anymore to secure our data. In fact, SMS is one of the weakest forms of 2FA. If you wish to lock down your data on your devices, it’s best to use app-based two-factor authentication, such as Google Authenticator.
David Emm, Principal Security Researcher at Kaspersky Lab:
“It’s good to see that Reddit have now put in place token-based two-factor authentication (2FA) for access to sensitive systems. This makes things much harder for an attacker. However, there are situations where the second factor isn’t really a second factor: for example, a one-time passcode sent to a mobile phone, for an account that is being accessed from the same device, offers no protection if the device has been stolen.
“It’s important to remember that we use a password to confirm our identity. So often today our e-mail address is the identity itself (i.e. our username). Many people have just one e-mail address and it’s often easy to guess, which compounds the problem. This is especially true if we use the same password across multiple sites: if our username and password are stolen in a security breach at an online provider’s site, they can also be recycled by an attacker – who can try them on many different sites in the hope that the same identity and authentication (username and password) have been used across the board. There’s a growing move towards the use of biometrics – fingerprints, iris scans, etc. – as a replacement for passwords, but in my view, they should rather be used to confirm our identity, with a password (or other mechanism – or ideally more than one) used to confirm that identity. If I choose a poor password and it is compromised, I can change it: if my fingerprint is compromised, there’s nothing I can do about it.”
“Kaspersky Lab recommends the following advice to customers when choosing a new password:
- Make every password at least 15 characters long – but the longer the better.
- Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name, etc. can be found online – maybe even on your Facebook wall.
- Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
- Combine letters (including uppercase letters), numbers and symbols.
- Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.
- Use a different password for each account to prevent all of your accounts becoming vulnerable. If you find it hard to remember unique complex passwords, use a password manager to help you create, store and remember your passwords securely.
- Make use of two-factor authentication where available, as it adds an extra layer of security.
- If you suspect your password has been compromised, change it immediately.”
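The checklist above can be turned into an automated policy check of the kind a password manager or signup form runs. The following is an added example, not code from Kaspersky Lab or from this article: it encodes the rules as listed (15-character minimum, mixed character classes, no dictionary words, no recycled variants such as ‘david1’ then ‘david2’, and generation from a cryptographic random source). The word list is a small constructed stand-in for a real dictionary, and the recycle check treats two passwords as the same when they differ only in a trailing run of digits or symbols.

```python
import re
import secrets
import string

# Thresholds follow the advice above; the word list is a constructed stand-in
# for the dictionary a production checker would load.
MIN_LENGTH = 15
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "monkey", "david", "reddit"}
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def _stem(password: str) -> str:
    """Strip a trailing run of non-letters so 'david1' and 'david2' compare equal."""
    return re.sub(r"[^A-Za-z]+$", "", password).lower()


def is_recycled(candidate: str, previous) -> bool:
    """True when the candidate is an earlier password with only its tail changed."""
    stem = _stem(candidate)
    return bool(stem) and any(stem == _stem(old) for old in previous)


def contains_dictionary_word(password: str) -> bool:
    """True when a listed word of four or more letters appears anywhere in the password."""
    lower = password.lower()
    return any(word in lower for word in COMMON_WORDS if len(word) >= 4)


def check_password(password: str, previous=()) -> list:
    """Return the policy rules the password violates; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in SYMBOLS for c in password):
        violations.append("no symbol")
    if contains_dictionary_word(password):
        violations.append("contains a dictionary word")
    if is_recycled(password, previous):
        violations.append("recycles a previous password")
    return violations


def generate_password(length: int = 20) -> str:
    """Draw from the CSPRNG until a candidate satisfies every rule above.

    This is what a password manager does on the user's behalf; with a
    20-character draw from the full alphabet a retry is rare, so the loop
    finishes almost immediately.
    """
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print(check_password("david2", previous=["david1"]))
    print(generate_password())
```

Running the module shows ‘david2’ failing on length, missing character classes, the dictionary word and the recycle rule at once, followed by a freshly generated password that passes every check.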
Jake Moore, Security Specialist at ESET:
“It seems that the hackers here have obtained access to a database containing personally identifiable information of their users who joined the service between 2005 and 2007. Luckily these hacked passwords have been hashed and salted, meaning the passwords taken are not the ones actually used by the users. Salting a password is simply the addition of a unique, random string of characters known only to the site to each password before it is hashed. However, to be sure, it’s always best to change your password and activate two-factor authentication when a breach of any scale occurs.”
Richard Walters, CTO at CensorNet:
“Reddit has said that two-factor authentication wasn’t as secure as it might have hoped, and others should take note of its admission. That isn’t, however, to say that adding layers of authentication isn’t worthwhile, but in a modern environment just using SMS codes won’t cut it. Instead, there needs to be additional context – such as day and time, IP address, geo-location and device fingerprint – to make sure someone really is who they say they are. Adding this context means that passcodes can be delivered by SMS, email, voicemail or via push notifications in encrypted apps without concern that they might be intercepted.”
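The context signals named above (time of day, IP address, geo-location, device fingerprint) and the context-aware, step-up authentication described in the OneSpan comment earlier on the page can be sketched as a small risk-scoring policy. The following is an added example and is not code from CensorNet, OneSpan or this article; the weights, thresholds, user profiles, IP reputation list and the rule that privileged accounts never fall back to an SMS code are policy choices assumed for the illustration, and all data in it is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# All profiles, addresses and fingerprints below are constructed for the example.


@dataclass
class UserProfile:
    username: str
    known_devices: Set[str]       # fingerprints seen on earlier successful logins
    usual_countries: Set[str]
    usual_hours_utc: range        # hours during which this user normally logs in
    privileged: bool = False      # admin or sensitive-system access


@dataclass
class LoginContext:
    ip: str
    country: str
    device_fp: str
    hour_utc: int


@dataclass
class Decision:
    action: str                   # "allow", "step_up" or "deny"
    factor: str                   # second factor the user must present, if any
    score: int
    reasons: List[str] = field(default_factory=list)


# Constructed stand-in for an IP reputation feed (documentation range).
BAD_IP_REPUTATION = {"203.0.113.7"}

# Weights and thresholds are assumed policy values, not figures from the article.
WEIGHTS = {"new_device": 40, "unusual_country": 30, "unusual_hour": 15, "bad_ip": 50}
STEP_UP_AT = 30
DENY_AT = 70


def score_login(ctx: LoginContext, profile: UserProfile) -> Tuple[int, List[str]]:
    """Add up the anomalies in this login relative to the user's normal pattern."""
    score, reasons = 0, []
    if ctx.device_fp not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if ctx.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if ctx.hour_utc not in profile.usual_hours_utc:
        score += WEIGHTS["unusual_hour"]
        reasons.append("unusual_hour")
    if ctx.ip in BAD_IP_REPUTATION:
        score += WEIGHTS["bad_ip"]
        reasons.append("bad_ip_reputation")
    return score, reasons


def decide(ctx: LoginContext, profile: UserProfile) -> Decision:
    """Choose the authentication response that matches the measured risk."""
    score, reasons = score_login(ctx, profile)
    if score >= DENY_AT:
        # Too anomalous for any code to rescue: refuse and raise an alert.
        return Decision("deny", "none", score, reasons)
    if profile.privileged or score >= STEP_UP_AT:
        # Privileged accounts and risky logins get an app-based push, never SMS.
        return Decision("step_up", "app_push", score, reasons)
    # Low risk: a one-time code over whichever channel the user has configured.
    return Decision("allow", "otp_any_channel", score, reasons)


if __name__ == "__main__":
    alice = UserProfile("alice", {"fp-laptop"}, {"GB"}, range(7, 23))
    print(decide(LoginContext("198.51.100.4", "GB", "fp-laptop", 10), alice))
    print(decide(LoginContext("203.0.113.7", "ZZ", "fp-unknown", 3), alice))
```

In a real deployment the profile is learned from the user's own login history and the reasons list is what lands in the SIEM alert, so that an analyst can see why a given login was stepped up or refused.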
Rashmi Knowles, Field CTO EMEA at RSA Security:
Emmanuel Schalit, CEO at Dashlane:
“We applaud Reddit for being so transparent. It’s not often that you see a company come out and give thorough details of a hack or breach event that has recently been discovered, however if you’ve ever signed up for a Reddit account, we recommend changing your password now.
“We are using more and more online accounts in our everyday lives, and that number doubles every 5 years. Managing passwords for all these accounts has become incredibly hard. Most of us react to this problem with indifference and tend to use the same password everywhere, which is incredibly poor cyber hygiene. We bury our heads in the sand and think that everything is fine; until we receive an email from Reddit saying our account details have been compromised.
“The majority of notable breaches stem from password hacks, and all users should take this opportunity to also make sure all of their passwords are strong across all of their accounts, not just Reddit. It’s always important to remember that the best way to protect your accounts is to use unique, complex passwords for every account.
“Still, with continued hacks, breaches, and data abuses, the fight to protect your personal data rages on—we will hopefully soon be in a world where private data remains private. Until then, make sure that all of your passwords are unique and complex, and that you change compromised passwords (and associated passwords) as soon as possible. Using a password manager with Password Changer capability, which can instantly generate and change your passwords in a single click, makes this easy and is critical to ensuring proper, regular cyber hygiene. That means no more password re-use.”
Robert Capps, Vice President at NuData Security:
“Reddit is doing the right thing by immediately informing its global community of the extent of the damage, advising of the steps Reddit is taking and letting its community know what they should watch for and do.
“However, continued reliance on static information to authenticate a user will continue to expose companies to those breaches carried out through admin accounts. This is why many customer-facing organisations that transact online are adopting multi-layered technology solutions that incorporate passive biometrics and behavioural analytics technology. This technology helps make stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data.”
Tyler Moffit, Senior Threat Research Analyst at Webroot:
“In this type of attack, the phone number is the weakest link. Cybercriminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication. For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number. This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax.
“While it seems that the cybercriminals only have read-access to this data, I’m glad that Reddit is now moving to a token-based two-factor authentication model, which provides a greater layer of security.”
Keith Graham, CTO at SecureAuth + Core Security:
“Organisations need to go further than just two-factor authentication, utilising identity platforms that join silos of data together to create comprehensive identity controls. Part of those controls should be to implement adaptive authentication that combines techniques such as geographic location analysis, device recognition, IP reputation-based threat services, and phone fraud prevention to address threats at the identity level efficiently.”
Pravin Kothari, CEO at CipherCloud:
“In these scenarios it is also possible that the mobile device was “cloned”, whereby a second device used the same SIM card such that it could receive authentication data sent to the legitimate device. It is important for the community at large to understand as much about the use of this relatively new attack vector as Reddit can share.
“Today, use of two-factor authentication is a best practice still not used by most authenticating systems. Even when two-factor is offered, for example, in Google’s Gmail, over 90 percent of the Gmail users don’t opt to use it. The Reddit attack shows us that the techniques, tactics and procedures of this highly sophisticated attacker now include interception of this SMS traffic to the targeted individual mobile phone. Consider how many financial systems use cellphone SMS authentication to validate account sign-on.
“How do you solve this problem? Given that 2-factor authentication is still a best practice, the likely move by financial institutions will be to utilize token-based SMS systems, instead of mobile phone based systems. In any case 2-factor authentication, even with a mobile phone, is still much better than not using 2-factor.
“Consider the serious nature of this expanded threat. The perpetrators behind this are likely committing multiple felonies in one fell swoop. The first felony is to access your account through fraudulent means. The second felony is that they are running a device similar to a Harris Sting-Ray. The use of a Sting-Ray device by private citizens is absolutely unlawful. The Sting-Ray and other similar devices are used by law enforcement to emulate a cellphone tower and intercept communications during a court authorized investigation. Organized crime obviously has access to this technology, and clearly used it, or something like it, to access the Reddit administrator authentication streams.
“The good news? Not so well known to organized crime is that these false cell towers used for SMS interception can also be detected by law enforcement. So if one is in suspected operation, law enforcement can find it, observe and document criminal activity, and then follow the trail back to the likely far worse crimes committed by the same parties.”
Travis Biehn, Technical Strategist at Synopsys:
“You can look at the timeline for SMS hijacking techniques—the first practical attacks were presented a few years ago—and now these are being increasingly commoditised for a wide array of attackers.
“Right now, the best users can do is rely on two factor authentication, which raises the cost for attackers, and use a password manager to reduce the risk of password re-use.
“Attackers use this information in a few ways. First up, they’ll try account name and password pairs on other websites, exchanges, banks, and so on. Even though these passwords are salted and hashed, modern password hash cracking techniques can quickly recover over 90% of original password values. In fact, around 60% of a corpus can be recovered in as little as 3 hours on less than $10,000 worth of hardware.”
Sean Sullivan, Security Advisor at F-Secure:
“At the time, a few notable tech pundits and experts replied to me that I shouldn’t let “perfect be the enemy of good”. However, the problem with this is that SMS-based 2FA/MFA was never a good solution.
“It took Twitter until late last year to finally implement a proper app-based MFA, which is four years wasted, as rolling out SMS-based MFA delayed a proper system and its value was very short-lived.
“Reddit won’t be the last organisation to be breached via SMS authentication in the future. At this point, the use of SMS-based MFA for administrators should be considered negligent.”