back to article SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages

In a Wednesday mea culpa, Reddit – the online chat board that got a little out of hand and became the sixth most-visited website on the internet – has admitted it was raided by hackers unknown. For four days, specifically June 14 to June 18, miscreants managed to break into the website's cloud hosting and source-code …

  1. JohnFen

    "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,"

    They're just learning this??

    1. Halcin

      Visa

      "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,"

      They're just learning this??

      Some companies are still blind to this issue. My bank has confirmed that Visa is implementing an "industry-wide switch" to SMS 2FA. They believe it "has proven more effective in preventing fraud attempts than the current system." Namely Verified by Visa.

      So are they painting a big target onto all Visa customers?

      1. GnuTzu

        Re: Visa -- Mandate SS7 Proxies

        There's got to be a way to prevent spoofing, and it will have to be built into the infrastructure.

        1. Charles 9

          Re: Visa -- Mandate SS7 Proxies

          "There's got to be a way to prevent spoofing, and it will have to be built into the infrastructure."

          How against a sufficiently-alike impersonator? Plus there's no real defense against insiders.

      2. Anonymous Coward
        Anonymous Coward

        'More effective in preventing fraud attempts than the current system." Namely Verified by Visa.'

        Anything is more effective than 'Verified-By-Visa'...

        But SMS? That's disappointing to downright scary!

      3. J. Cook Silver badge
        Joke

        Re: Visa

        I'm not saying that Verified by Visa sucked, but it could take the chrome off a trailer hitch. SMS as second factor is... a touch more secure than that. (to make a clothing comparison, VbV was a string bikini, and SMS2 is at least a jacket or a thick t-shirt.)

        and TBH, 2FA is a pain in the butt no matter how you slice it, but it's one of those 'how much risk can we accept' things.

      4. Anonymous Coward
        Anonymous Coward

        Re: Visa

        They are not blind. They see the costs of tokens, and believe SMS are cheaper. My company just replaced my expired hardware token with SMS. The irony is token are still issued to underlings not high enough in the chain to be issued a company phone....

        1. leexgx

          Re: Visa

          my bank is a little to trusting with that they only need Chip and pin to take out large amounts of money at the desk (even though its policy to show 2 forms of ID, they they do know who i am witch mite be why they skip it but still said chip and pin is enough at the desk)

          but 2FA for SMS is just because they believe using the authenticator app for 30 second codes is to hard for Joe public

      5. JohnFen

        Re: Visa

        Sadly, even with the problems using SMS for 2FA, your bank may be right that it's better than their current system. I know from on-the-job experience that bank IT security tends to be far worse than you would expect.

      6. JeevesMkII

        Re: Visa

        VbV was always a complete load of cobblers.

        Why can't they use the chip on the card's own signing as verification? We all have the little pin machines now that do challenge-response authentication.

        I was kind of astonished when I found out my bank was more or less unique in using the "identify" time based password mode on those things for access to online banking, and they're still not using the challenge response mode for access to telephone banking, just a PIN.

        1. Anonymous Coward
          Anonymous Coward

          Re: Visa

          "We all have the little pin machines now that do challenge-response authentication."

          I certainly don't have any such thing, and will not.

          VbV shows up doing online transactions sometimes, which usually causes me to abandon the transaction.

          And I do not use SMS, nor do I intend to convert my phone to a smartphone.

          The bad ideas just keep on coming.

        2. Michael Wojcik Silver badge

          Re: Visa

          We all have the little pin machines now that do challenge-response authentication.

          We who?

      7. Anonymous Coward
        Anonymous Coward

        Re: Visa

        My bank has confirmed that Visa is implementing an "industry-wide switch" to SMS 2FA"

        ----------------------------------------------------------------------------------------------------

        That will be interesting. I have several Visa cards... and don't do SMS.

    2. leexgx

      its for most part quite easy to do "SS7" (all SMS show on a web page)

      or they hijack the phone accounts (sim swap so they have a sim card with there number so can get the SMS codes) typically they convenience they are you and get them to do a sim swap (seen some mobile companies Reactivate a sim card after it was reported by the owner as hijacked account stolen a lot of money from someone's account)

      SMS is very insecure for someone who is targeting you

      they should be using a 2FA APP or RSA keys

      i wish Google would Let me not use a email or number for 1FA account recovery (they do have a locked down account mode where you have to use 2 U2F keys (one is U2F bluetooth/NFC push button, second one is backup and account recovery), even if i have 2FA enabled on my account,

      if i remove the recovery options i run the risk of never been able to get into my account if its locked out for some reason, as it asks for things that i don't know (my phone it self should be the ultimate trusted source but that can be Delinked from the google account)

  2. Stuart Halliday

    So they'll have offside backups right? Err right?

  3. True Thug

    from mid-2000s era

    How did they steal my thoughts from 2500?

    1. Anonymous Coward
      Anonymous Coward

      Re: from mid-2000s era

      Do not underestimate them ;-)

  4. Flakk
    FAIL

    Thirteen Years of Operation...

    ...and they just hired their first InfoSec guy.

    I'm impressed. </sarc>

    1. Mark 85

      Re: Thirteen Years of Operation...

      It does make one wonder about how many other times they've penetrated. If they hadn't hired an InfoSec guy would they even have announced this breech?

      1. Charlie Clark Silver badge

        Re: Thirteen Years of Operation...

        It does make one wonder about how many other times they've penetrated.

        That's very Zen of you! Assuming the stuff is hosted externally how would anyone know that someone else got read access?

        The aphorism is that there are two types of victims of hacking: those that know they've been hacked…

      2. Zippy's Sausage Factory

        Re: Thirteen Years of Operation...

        If they hadn't hired an InfoSec guy would they even have announced this breech?

        If they hadn't hired an InfoSec guy, would they even have known - that's a scarier question.

        And why on earth are they keeping ten year old backups anyway? That makes me suspicious.

      3. JohnFen

        Re: Thirteen Years of Operation...

        "It does make one wonder about how many other times they've penetrated"

        I would say that it approaches a certainty that there was at least one. The criminals who get caught are the ones who are stupid and/or sloppy. You almost never hear about the ones who are actually competent.

    2. DropBear
      Trollface

      Re: Thirteen Years of Operation...

      "I'm impressed."

      No need to rush that, he might still turn out to be the same guy as the sole sysadmin, in a second shift...

  5. Anonymous Coward
    Terminator

    Should have used a hardware dongle

    U2F Explained: How Google and Other Companies Are Creating a Universal Security Token”

    1. -tim

      Re: Should have used a hardware dongle

      If it can be mathematically reduced to "something you know" and every hardware token can be, it is not 2FA in the formal sense. In my case I have a list of token IDs in a database. If they get stolen, then whoever stole them can pretend to be any hardware token I've issued.

      The real problem is that any proper 2FA system needs to integrate into older hardware. Sysadmins need to log into things like switches and routers and firewalls and many of them just don't have proper hooks and many that do can be tricked with things like fake radius servers. Most 2FA solutions are windows only or support a very limited amount of hardware. The old OATH and HOTP systems could be done on just about anything but like the old RSA tokens, once you have the secret keys, it isn't anything other than an annoying one time password.

      1. MatthewSt

        Re: Should have used a hardware dongle

        If it's a private key that exists on a dongle and never leaves the dongle (some form of challenge based auth) then there's little difference. Same goes for some app-based authenticator implementations.

        1. Charles 9

          Re: Should have used a hardware dongle

          Then they'll just hack the source and reverse-engineer the implementation. Then you can clone. What man can create, man can RE-create. Isn't that what the attack on RSA was about?

          And as for the whole "something you know, etc." business, there's still no practical solution for people with such bad memories that at least "something you know" can't be relied upon. And yes, they exist. I deal with them every day, yet they're too proud to ask for help when they MUST go online to check their bank accounts, benefits, etc.

          1. Anonymous Coward
            Linux

            Re: Should have used a hardware dongle

            > Then they'll just hack the source and reverse-engineer the implementation.

            There is no source or implementation to attack, the dongle runs on a Field Programmable Gate Array (with added noise circuit to prevent side channel attacks) with any number of permutations to provide functionality. Each U2F token contains a unique key. Reverse-engineering one key provides no usable information on any other. If the token gets lost or stolen then the key is revoked.

          2. JohnFen

            Re: Should have used a hardware dongle

            "there's still no practical solution for people with such bad memories that at least "something you know" can't be relied upon"

            To this day, I can't get that annual free credit report that credit companies are legally required to provide me, because I can't remember enough details about my more distant past to be able to answer their authentication questions.

      2. DropBear

        Re: Should have used a hardware dongle

        I would really like to know what your definition of "something you have" is, or alternatively what is in your opinion "not something you know", seeing as how even a physical lock's key (or your fingerprints) are nothing but "something you know" as soon as anyone has e.g. a suitably detailed photo of either (or the manufacturer's bitting code for that key). In that respect, modern hardware tokens are far more "uncopiable" considering their secret key is supposed to be stored inside and not retrievable. I have my own issues with them, but I'm hard pressed to think of something more "something you have" than they are, for all practical purposes...

  6. Charlie Clark Silver badge

    Just add a VPN…

    Sometimes focusing on passwords and 2FA ignores other solutions (or helpers). Restrict access to known IPs or networks and make everyone who needs to access stuff use a VPN on top of their own credentials. A well-configured and maintained VPN should detect intruders before they can access any systems.

    1. Boothy

      Re: Just add a VPN…

      This is basically what we do.

      All our repo's, file/build archive, Jenkins, Kibana etc are all behind VPN, no direct access from anywhere, not even on our own LAN.

      The VPN uses client auth TLS, (so should only work from devices with the correct cert), plus to log in, you need to use a user username + password + a generated token code (from mobile app) to login (and no option to remember me, or SMS option).

      1. JohnFen

        Re: Just add a VPN…

        This is what I do in my own home network, too. Even if you're entirely behind my firewall, if you aren't connecting through my VPN then you can't access any other machines or services on my LAN. Although my reason for this is ensure that all traffic is encrypted rather than for authentication.

        I even run two different VPNs -- one for access from behind my firewall and one for access from outside my firewall.

    2. ItsFullOfScars

      Re: Just add a VPN…

      And how do you authenticate users to your VPN?

      If anything, a VPN in to your corporate network is a juicier target to an attacker than whatever else they might do with a user's credentials alone.

      1. Charles 9

        Re: Just add a VPN…

        Yeah, they'll just pwn the entry point in an "outside the envelope" attack.

  7. c1ue

    Interesting that no one has commented on the admission of sock puppet accounts to drive traffic.

    I guess this must be standard accepted practice.

    1. JohnFen

      "I guess this must be standard accepted practice."

      It's completely standard and expected practice -- I'd be willing to be there isn't a single major online social media outfit that isn't full of sockpuppets. That's one of the reasons why you can't believe any metrics about the number of users on any of these services.

      But I don't think it's "accepted" by anybody aside from the services themselves.

  8. Paul Hovnanian Silver badge

    SMS-based authentication ...

    ... has been as much about getting another one of your identifying numbers* in marketers databases as actual security.

    *Ask for a Social Security Number as a link between multiple databases and most people will balk. Ask for a phone number (when everyone lives through their phone) and 'No problem'.

  9. EnviableOne
    Facepalm

    We Know that SMS 2FA is broken as SS7 is broken

    We saw it with bank account hijack in germany

    SO Why did NIST drop the lines depreciating as a valid authenticator when SP 800-63B went from draft to published?

    1. hayzoos

      one word

      lobbyists

  10. A Dark Germ

    FIDO/FIDO2 people wake up to U2F security tokens.

    Pointless story about a failed companies with idiots in charge.

    Write one about phishing being stopped 100% with U2F security tokens with Google

    Oh it's been done, lol..

    Wake up SHEEP, been out for years.

    https://www.youtube.com/watch?v=Vja-SC791E8

    1. Anonymous Coward
      Anonymous Coward

      Re: FIDO/FIDO2 people wake up to U2F security tokens.

      Yeah, but what about direct pwning of client machines where the devices are plugged in? As I recall, even FIDO admits there's no real solution for a pwned user interface (a Man-In-The-Browser attack) unless the device has its own interface...and once it has an interface, it itself becomes a target.

      Plus, according to this WIRED article, if there is an alternate way to reach the USB stack, there can still be a way for a phishing site to trick a U2F device.

      So basically, something like U2F is another factor, but there's nothing preventing ALL the factors being targeted at the same time. And if it exists, it can probably be targeted.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon