Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.
In a post to Reddit, the social news aggregation platform said it learned on June 19 that between June 14 and 18 an attacker compromised several employee accounts at its cloud and source code hosting providers.
Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.
Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit disclosed. “We point this out to encourage everyone here to move to token-based 2FA.”
Reddit didn’t specify how the SMS code was stolen, although it did say the intruders did not hack Reddit employees’ phones directly. Nevertheless, there are a variety of well established ways that attackers can intercept one-time codes sent via text message.
In one common scenario, known as a SIM-swap, the attacker masquerading as the target tricks the target’s mobile provider into tying the customer’s service to a new SIM card that the bad guys control. A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.
Another typical scheme involves mobile number port-out scams, wherein the attacker impersonates a customer and requests that the customer’s mobile number be transferred to another mobile network provider. In both port-out and SIM swap schemes, the victim’s phone service gets shut off and any one-time codes delivered by SMS (or automated phone call) get sent to a device that the attackers control.
A more secure alternative to SMS involves the use of a mobile app — such as Google Authenticator or Authy — to generate the one-time code that needs to be entered in addition to a password. This method is also sometimes referred to as a “time-based one-time password,” or TOTP. It’s more secure than SMS simply because the attacker in that case would need to steal your mobile device or somehow infect it with malware in order to gain access to that one-time code. More importantly, app-based two-factor removes your mobile provider from the login process entirely.
Fundamentally, two-factor authentication involves combining something you know (the password) with either something you have (a device) or something you are (a biometric component, for example). The core idea behind 2FA is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.
Technically, 2FA via mobile apps and other TOTP-based methods is more accurately described as “two-step authentication” because the second factor is supplied via the same channel as the first factor. For example, even though the second factor may be generated by a mobile-based app, that one-time code needs to be entered into the same login page on a Web site along with the user’s password — meaning both the password and the one-time code can still be subverted by phishing, man-in-the-middle and credential replay attacks.
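To make the TOTP discussion concrete, here is an added example (not code from Reddit, Google Authenticator or Authy) of how an app-generated code is derived and checked. The code is a function only of a shared secret and the current clock (RFC 4226 HOTP truncated to a time counter per RFC 6238), which is why no mobile carrier sits in the path. The verifier also shows the one defense a server has against the replay problem mentioned above: a code is accepted at most once, so a phished code that the victim has already used is worthless. The secret, the clock values and the window size are constructed for illustration; the RFC test secret `12345678901234567890` is the one published in both RFCs.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step). Nothing here depends
    on a phone number or a carrier; only the secret and the clock matter."""
    return hotp(secret, int(unix_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check with a small clock-skew window and single-use enforcement.

    `window` is the number of 30-second steps of skew tolerated on each side (constructed
    value; production systems typically allow 1). Once a counter value has been accepted,
    that counter and every earlier one are refused, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_accepted_counter = None

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = int(unix_time) // self.step
        for c in range(now_counter - self.window, now_counter + self.window + 1):
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                if self._last_accepted_counter is not None and c <= self._last_accepted_counter:
                    return False            # replay of an already-used (or older) code
                self._last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC test secret; a real secret is random per user
    v = TotpVerifier(secret)
    code = totp(secret, 59)                # the code a user's app would show at t=59
    print("first use  :", v.verify(code, 59))   # accepted
    print("replay     :", v.verify(code, 61))   # refused even though still in the window
```

The replay refusal is the server's contribution; it does not stop a real-time phishing relay, which is exactly the gap the hardware-key section below addresses.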
Probably the most secure form of 2FA available involves the use of hardware-based security keys. These inexpensive USB-based devices allow users to complete the login process simply by inserting the device and pressing a button. After a key is enrolled for 2FA at a particular site that supports keys, the user no longer needs to enter their password (unless they try to log in from a new device). The key works without the need for any special software drivers, and the user never has access to the code — so they can’t give it or otherwise leak it to an attacker.
The one limiting factor with security keys is that relatively few Web sites currently allow users to use them. Some of the most popular sites that do accept security keys include Dropbox, Facebook and GitHub, as well as Google’s various services.
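The reason a security key resists the phishing and relay attacks that defeat TOTP is that the browser, not the web page, writes the origin it actually loaded into the data the key signs, and the site checks that origin before accepting the signature. The following is an added, deliberately simplified model of that exchange (not code from Yubico, Google or any FIDO library): an HMAC over a constructed per-site key stands in for the asymmetric signature a real key produces, and the origins `https://login.example` (legitimate) and `https://login-example.test` (constructed look-alike) are illustrative. The structure of what gets signed, the relying-party ID hash plus a hash of the client data containing the origin, follows the WebAuthn assertion format.

```python
import hashlib
import hmac
import json
import secrets


def make_credential(rp_id: str) -> dict:
    """Enrolment: a per-site credential. A real key generates an asymmetric key pair and
    gives the site only the public half; the shared secret here is a teaching stand-in."""
    return {"rp_id": rp_id, "key": secrets.token_bytes(32)}


def _signed_payload(rp_id: str, client_data_json: bytes) -> bytes:
    # WebAuthn signs authenticatorData || SHA-256(clientDataJSON); the rpIdHash is the
    # part of authenticatorData that matters for this example.
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data_json).digest()


def authenticator_sign(cred: dict, client_data_json: bytes) -> dict:
    """What the key does when the user presses the button. It never sees a one-time code,
    so there is nothing for the user to type into the wrong site."""
    sig = hmac.new(cred["key"], _signed_payload(cred["rp_id"], client_data_json), hashlib.sha256).digest()
    return {"client_data": client_data_json, "signature": sig}


def browser_assert(cred: dict, challenge: bytes, origin_in_address_bar: str) -> dict:
    """The browser builds clientDataJSON from the origin it loaded; a phishing page cannot
    change this field because the page never gets to write it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin_in_address_bar},
        sort_keys=True,
    ).encode()
    return authenticator_sign(cred, client_data)


def server_verify(cred: dict, expected_origin: str, issued_challenge: bytes, assertion: dict) -> bool:
    """Relying party check: origin and challenge must match, then the signature must cover them."""
    try:
        cd = json.loads(assertion["client_data"])
    except (ValueError, KeyError, TypeError):
        return False
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False                                    # signed for some other site
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge.hex()):
        return False                                    # stale or foreign challenge
    expected = hmac.new(cred["key"], _signed_payload(cred["rp_id"], assertion["client_data"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def phishing_relay_succeeds(cred: dict) -> bool:
    """Attacker proxies the real site's challenge to the victim on a look-alike origin and
    forwards whatever the key returns. Returns True only if the real site would accept it."""
    challenge = secrets.token_bytes(32)                 # issued by the real site to the attacker
    assertion = browser_assert(cred, challenge, "https://login-example.test")
    return server_verify(cred, "https://login.example", challenge, assertion)


if __name__ == "__main__":
    cred = make_credential("login.example")
    ch = secrets.token_bytes(32)
    print("legitimate login:", server_verify(cred, "https://login.example", ch,
                                             browser_assert(cred, ch, "https://login.example")))
    print("relayed via phish:", phishing_relay_succeeds(cred))
```

The relayed assertion fails on the origin check before the signature is even examined; if the attacker edits the origin field to the real one, the hash the key signed no longer matches and the signature check fails instead. Contrast this with the TOTP case, where a relayed code is indistinguishable from a legitimate one.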
Last week, KrebsOnSecurity reported that Google now requires all of its 85,000+ employees to use security keys for 2FA, and that it has had no confirmed reports of employee account takeovers since the company began requiring them at the beginning of 2017.
The most popular maker of security keys — Yubico — sells the basic model for $20, with more expensive versions that are made to work with mobile devices. The keys are available directly from Yubico, or via Amazon.com. Yubico also includes a running list of sites that currently support keys for authentication.
If you’re interested in migrating to security keys for authentication, it’s a good idea to purchase at least two of these devices. Virtually all sites that I have seen which allow authentication via security keys allow users to enroll multiple keys for authentication, in case one of the keys is lost or misplaced.
I would encourage all readers to pay a visit to twofactorauth.org, and to take full advantage of the most secure 2FA option available for any site you frequent. Unfortunately many sites do not support any kind of 2-factor authentication — let alone methods that go beyond SMS or a one-time code that gets read to you via an automated phone call. In addition, some sites that do support more robust, app- or key-based two-factor authentication still allow customers to receive SMS-based codes as a fallback method.
If the only 2FA options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password. But it’s high time that popular Web sites of all stripes start giving their users more robust authentication options like TOTP and security keys. Many companies can be nudged in that direction if enough users start demanding it, so consider using any presence and influence you may have on social media platforms to make your voice heard on this important issue.
Attackers Circumvent Two Factor Authentication Protections to Hack Reddit
Popular Community Site Reddit Breached Through Continued Use of NIST-Deprecated SMS Two Factor Authentication (2FA)
Online community site Reddit announced Wednesday that it was breached in June 2018. In a refreshingly candid advisory, it provides a basic explanation of how the incident occurred, details on the extent of the breach, details on its own response, and advice to potential victims.
The extent of the breach was limited. It was discovered on June 19, and occurred between June 14 and June 18, this year. “A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords,” announced Chris Slowe, CTO and founding engineer at Reddit.
With more than 330 million active monthly users, Reddit is home to thousands of online communities where users can share stories and host public discussions.
Apart from the limited extent, it was also limited in scope. “The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs.” This comprises a complete copy of an old database backup including account credentials and email addresses (2005 to 2007); logs containing email digests sent between June 3 and June 17, 2018; and internal data such as source code, internal logs, configuration files and other employee workspace files.
“The disclosure of email addresses and their connected Reddit usernames,” warns Jessica Ortega, a security researcher at SiteLock, “could potentially mean attackers can identify and dox users — that is, release personally identifying information — who rely on Reddit for discussing controversial topics or posting controversial images. It is recommended that all Reddit users update their passwords.”
Reddit’s response to the breach has been to report the incident to, and cooperate with, law enforcement; to contact users who may be impacted; and to strengthen its own privileged access controls with enhanced logging, more encryption and required token-based 2FA. It also advises all users to move to token-based 2FA.
This advice is because it believes the breach occurred through SMS intercept on one of its own employees. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”
This last comment has raised eyebrows. As long ago as 2016, NIST denounced SMS 2FA. “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators,” it stated in the DRAFT NIST Special Publication 800-63B.
The most common attack against SMS 2FA, explains Joseph Kucic, CSO at Cavirin, is mobile device malware designed to capture/intercept SMS messages — a major feature for use against mobile banking apps. But, he adds, “SMS messages have had other risks: SIM swap and unauthorized access from SS7 (core telco signaling environments) — these issues have been known and discussed in the security circles for years.”
While Reddit doesn’t make it clear whether the ‘intercept’ was via malware on an employee’s mobile device or via flaws in the SS7 telecommunications protocol, the latter seems the most likely. SS7 is a telephony signaling protocol initially developed in 1975, and it has become deeply embedded in mobile telephone routing. As such it is unlikely to be corrected or replaced in the immediate future — but the effect is that almost any mobile telephone conversation anywhere in the world can be intercepted by an advanced adversary.
The fact that SS7 attacks are not run-of-the-mill events makes Tom Kellermann, CSO at Carbon Black, wonder who might be behind the attack. “The Reddit breach seems to be more tradecraft-oriented,” he told SecurityWeek. “They were victimized, but by whom: more than likely a nation-state given their capacity to influence Americans. I hope that they were not used to island hop into other victims’ systems via a watering hole.” According to Carbon Black research, 36% of cyberattacks attempt to leapfrog through the victims’ systems into their customers’ systems.
He is not alone in wondering if there may be more to this breach. “I am concerned that Reddit seems to be playing down the data breach as it was only read access to sensitive data and not write. This is positive news; however, it does not reduce the severity of the data breach when it relates to sensitive data,” comments Joseph Carson, chief security scientist at Thycotic.
Of course, the attack may not have been effected via the SS7 flaws. “In this type of attack, the phone number is the weakest link,” warns Tyler Moffit, senior threat research analyst at Webroot. “Cybercriminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication. For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number. This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax.”
“When Reddit started using SMS for Two Factor Authentication in 2003 it was a best practice,” Joseph Kucic, CSO at Cavirin told SecurityWeek; adding, “The one fact about any security technology is that its effectiveness decreases over time for various reasons — and one needs to take inventory of the deployed security effectiveness at least annually.” He believes that security technologies, just like applications, have a product lifecycle, “and there is a point when an end-of-life should be declared before unauthorized individuals — hackers or nation/state actors — do it for you.”
Reddit has earned plaudits for its breach notification as well as criticism for its continued use of SMS 2FA. “The level of detail Reddit provides,” said Chris Morales, head of security analytics at Vectra, “is more than many larger organizations have provided on much more significant breaches. These details are based on an investigation and explain what happened during the breach — how the attackers infiltrated the network and what exactly they gained access to — and most importantly disclosed Reddit’s internal processes to address the breach, including the hiring of new and expanded security staff.”
Ilia Kolochenko, CEO at High-Tech Bridge, makes the point that despite Reddit’s apparent openness, we still don’t know everything about the breach. “Often, large-scale attacks are conducted in parallel by several interconnected cybercrime groups aimed to distract, confuse and scare security teams,” he comments. “While attack vectors of the first group are being mitigated, others are actively exploited, often not without success. Otherwise, the disclosure and its timeline are done quite well by Reddit.”
He also cautions against placing too much blame on Reddit’s use of SMS 2FA. “I would refrain from blaming the 2FA SMS — in many cases it’s still better than nothing. Moreover, when most of business-critical applications have serious vulnerabilities varying from injections to RCE, 2FA hardening is definitely not the most important task to take care of.”
Nevertheless, the consensus is that Reddit should be applauded for its disclosure, but censured for its use of SMS 2FA. “Reddit won’t be the last organization to be breached via SMS authentication in the future,” comments Sean Sullivan, security advisor at F-Secure. “At this point, the use of SMS-based MFA for administrators should be considered negligent.”
Florida Man Arrested in SIM Swap Conspiracy
Police in Florida have arrested a 25-year-old man accused of being part of a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims.
On July 18, 2018, Pasco County authorities arrested Ricky Joseph Handschumacher, an employee of the city of Port Richey, Fla., charging him with grand theft and money laundering. Investigators allege Handschumacher was part of a group of at least nine individuals scattered across multiple states who for the past two years have drained bank accounts via an increasingly common scheme involving mobile phone “SIM swaps.”
A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.
But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.
In some cases, fraudulent SIM swaps succeed thanks to lax authentication procedures at mobile phone stores. In other instances, mobile store employees work directly with cyber criminals to help conduct unauthorized SIM swaps, as appears to be the case with the crime gang that allegedly included Handschumacher.
A WORRIED MOM
According to court documents, investigators first learned of the group’s activities in February 2018, when a Michigan woman called police after she overheard her son talking on the phone and pretending to be an AT&T employee. Officers responding to the report searched the residence and found multiple cell phones and SIM cards, as well as files on the kid’s computer that included “an extensive list of names and phone numbers of people from around the world.”
The following month, Michigan authorities found the same individual accessing personal consumer data via public Wi-Fi at a local library, and seized 45 SIM cards, a laptop and a Trezor wallet — a hardware device designed to store cryptocurrency account data. In April 2018, the mom again called the cops on her son — identified only as confidential source #1 (“CS1”) in the criminal complaint — saying he’d obtained yet another mobile phone.
Once again, law enforcement officers were invited to search the kid’s residence, and this time found two bags of SIM cards and numerous driver’s licenses and passports. Investigators said they used those phony documents to locate and contact several victims; two of the victims each reported losing approximately $150,000 in cryptocurrencies after their phones were cloned; the third told investigators her account was drained of $50,000.
CS1 later told investigators he routinely conducted the phone cloning and cashouts in conjunction with eight other individuals, including Handschumacher, who allegedly used the handle “coinmission” in the group’s daily chats via Discord and Telegram. Search warrants revealed that in mid-May 2018 the group worked in tandem to steal 57 bitcoins from one victim — then valued at almost $470,000 — and agreed to divide the spoils among members.
Investigators soon obtained search warrants to monitor the group’s Discord server chat conversations, and observed Handschumacher allegedly bragging in these chats about using the proceeds of his alleged crimes to purchase land, a house, a vehicle and a “quad vehicle.” Interestingly, Handschumacher’s public Facebook page remains public, and is replete with pictures that he posted of recent new vehicle acquisitions, including a pickup truck and multiple all-terrain vehicles and jet skis.
The Pasco County Sheriff’s office says their surveillance of the Discord server revealed that the group routinely paid employees at cellular phone companies to assist in their attacks, and that they even discussed a plan to hack accounts belonging to the CEO of cryptocurrency exchange Gemini Trust Company. The complaint doesn’t mention the CEO by name, but the current CEO is bitcoin billionaire Tyler Winklevoss, who co-founded the exchange along with his twin brother Cameron.
“Handschumacher and another co-conspirator talk about compromising the CEO of Gemini and posted his name, date of birth, Skype username and email address into the conversation,” the complaint reads. “Handschumacher and the co-conspirators discuss compromising the CEO’s Skype account and T-Mobile account. The co-conspirator states he will call his ‘guy’ at T-Mobile to ask about the CEO’s account.”
Court documents state that the group used Coinbase.com and multiple other cryptocurrency exchanges to launder the proceeds of their thefts in a bid to obfuscate the source of the stolen funds. Subpoenas to Coinbase revealed Handschumacher had a total of 82 bitcoins sold from or sent to his account, and that virtually all of the funds were received via outside sources (as opposed to being purchased through Coinbase).
Neither Handschumacher nor his attorney responded to requests for comment. The complaint against Handschumacher says that following his arrest he confessed to his involvement in the group, and that he admitted to using his cell phone to launder cryptocurrency in amounts greater than $100,000.
But on July 23, Handschumacher’s attorney entered a plea of “not guilty” on behalf of his client, who is now facing charges of grand larceny, money laundering, and accessing a computer or electronic device without authorization.
Handschumacher’s arrest comes on the heels of an apparent law enforcement crackdown on individuals involved in SIM swap schemes. As first reported by Motherboard.com earlier this month, on July 12, police in California arrested Joel Ortiz — a 20-year-old college student accused of being part of a group of criminals who hacked dozens of cellphone numbers to steal more than $5 million in cryptocurrency.
The Motherboard story notes that Ortiz allegedly was an active member of OGusers[dot]com, a marketplace for Twitter and Instagram usernames that SIM swapping hackers use to sell stolen accounts — usually one- to six-letter usernames. Short usernames are something of a prestige or status symbol for many youngsters, and some are willing to pay surprising sums of money for them.
Sources familiar with the investigation tell KrebsOnSecurity that Handschumacher also was a member of OGUsers, although it remains unclear how active he may have been there.
WHAT YOU CAN DO
All four major U.S. mobile phone companies allow customers to set personal identification numbers (PINs) on their accounts to help combat SIM swaps, as well as another type of phone hijacking known as a number port-out scam. But these precautions may serve as little protection against crooked insiders working at mobile phone retail locations. On May 18, KrebsOnSecurity published a story about a Boston man who had his three-letter Instagram username hijacked after attackers executed a SIM swap against his T-Mobile account. According to T-Mobile, that attack was carried out with the help of a rogue company employee.
SIM swap scams illustrate a crucial weak point of multi-factor authentication methods that rely on a one-time code sent either via text message or an automated phone call. If an online account that you value offers more robust forms of multi-factor authentication — such as one-time codes generated by an app, or better yet hardware-based security keys — please consider taking full advantage of those options.
If, however, SMS-based authentication is the only option available, this is still far better than simply relying on a username and password to protect the account. If you haven’t done so lately, head on over to twofactorauth.org, which maintains probably the most comprehensive list of which sites support multi-factor authentication, indexing each by type of site (email, gaming, finance, etc) and the type of added authentication offered (SMS, phone call, software/hardware token, etc.).