When 2FA Goes Bad
Reddit, the maverick social network, suffered a security breach in June 2018, its management has revealed. It was a mild disaster, as such things go. But it highlights a flawed method of online authentication that you are probably using on a regular basis. Here's what you need to know…
The Dangerous Flaw in Two-Factor Authentication
Hackers got into Reddit’s internal network and gained access to a few Reddit employees’ account credentials with the company's cloud service provider, plus “read-only access to some systems that contained backup data, source code and other logs.” No users’ credentials were stolen. But that's the only good news in this story.
This hack spotlights a dangerously flawed two-factor authentication (2FA) technique that is all too commonly deployed by firms that store consumers’ financial, medical, and other sensitive data. Reddit’s investigation revealed the hackers intercepted SMS messages containing codes used to authenticate employees’ login attempts.
Even if you're not acquainted with the jargon, you probably are familiar with SMS-based two-factor authentication. Here's how it works:
Suppose you try to log in to your bank’s web site. If you must receive a text message and type the code it contains into a form field on the web site, that’s SMS-based 2FA. In two-factor scenarios, the first authentication factor is “something you know," which is usually your password. The second authentication factor is “something you have,” (your phone) by which you receive the text message.
But the SMS (text messaging) protocol is inherently insecure. It is, after all, the Simple Messaging Service protocol, designed from scratch with trivial messages of 140 characters or less in mind. There is no encryption; everything a text message contains can be read by anyone who intercepts the message between sender and receiver. (Just like unencrypted email.)
How Did Reddit Get Hacked?
Don't get me wrong. Two-factor authentication (when done right) is a very good thing. Google and other online services offer 2FA without the insecure SMS requirement. If you turn on this option you’ll need to enter your username/password as usual. You’ll then be prompted for an authentication code before the login can be completed. The code comes from Google Authenticator, an app for your Android or iOS device. This time-sensitive code can be generated even if you’re not online, and you can also print a list of codes for use when you don’t have your phone handy.
Nonetheless, SMS is widespread either as a primary 2FA method or as a backup method should a user be unable to complete authentication via the primary method. Reddit, to its credit, uses a more secure “tokenized” 2FA technique as its primary 2FA method. But Reddit’s cloud service provider(s) did not. (I’ll hazard a guess one of those providers’ names rhymes with “Bamazon.”)
Hackers, partially armed with a Reddit employee’s credentials, were able to fool the cloud service provider into sending them the SMS message containing the 2FA code. With that and an authorized user’s credentials, it was as easy as logging on without any 2FA hurdles.
If you receive 2FA codes via standard email, you may be vulnerable to a similar attack. Email is as unencrypted as text messages unless your email service provider requires a secure connection to its email server. Google Gmail and every other webmail service I know requires a secure connection. If you use desktop email software, your email client’s “server settings” should indicate that either TLS or SSL encryption is required.
What You Can Do
Medical practices and other small professional businesses are often not very security-savvy. Even if your doctor requires 2FA for access to his patient portal, it may be SMS-based and therefore very vulnerable. My advice is to show this article to the office manager of your medical practice and urge him/her to ensure that the security protocol used is “HIPAA compliant.”
Geeky jargon may cause the eyes to glaze over, but few things focus medical people’s attention on security like those two words.
Smaller banks and credit unions may also be using SMS 2FA and unaware of its hazards. Run this article by the president or chief information officer, and see what they say. Hopefully a few heads will swivel in your direction.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 3 Aug 2018
Copyright © 2005 - Bob Rankin - All Rights Reserved