Reddit: Is SMS-Based Authentication Really Secure?

by Philip Robinson
08.07.2018   IT Security

Recently, Christopher Slowe, announced that between June 14th and June 18th, Reddit experienced a breach that affected personal data, messages, passwords, email addresses and more. Reddit typically uses two-factor authentication to secure their user accounts. One step of that authentication involves sending an SMS text message with a unique code to login with. Hackers were able to intercept these text messages, proving that SMS-based authentication isn’t as secure as perhaps many organizations thought.

We are always suggesting that two-factor authentication (2FA) is the way forward when it comes to securing accounts (whether they are customer or employee accounts). As Christopher Slowe put it, “we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

How Did This Happen?

Although it’s not known how the attackers managed to hack the SMS messages, but Reddit did highlight that their user’s phones themselves. Despite this, there are numerous ways that they could have got through to this information.

Commonly referred to as a SIM-swap, attackers have been known to contact the mobile network providers and, posing as the user, convince them to change the service to a new SIM card that the attacker has control of. They simply have to suggest that the current SIM card has been damaged, lost or is in need of replacement, and many providers will fall for it occasionally.

Another similar technique involves attackers requesting that a user’s mobile number be transferred to a new network. It works in the same way as a SIM-swap in that the victim’s phone services are shut off and any text messages, including one-off 2FA texts, are sent to a device under the attacker’s control.

What Alternatives to SMS-Based Authentication are There?

Despite this slight lapse in the security of text-based 2FA, other forms of 2FA still make it one of the best ways of securing user accounts from hackers. One popular and fairly new method of 2FA is app-based, such as Google Authenticator, which separates the password from the phone network. This means that if a hacker wanted to get their hands on this code, they would need to physically steal it or infect it with some sort of malware.

Technically this process can be called two step authentication, as 2FA involves usually a password with some other form of authentication, such as a biometric or device. As app-based authentication still revolves around two types of passwords, it is still theoretically at risk of phishing attacks and other similar cyber-security threats.

Another commonly used method of 2FA, and perhaps the most secure version, involves the use of physical keys, such as USB-based devices. These allow users to login to the systems by simply inserting the device and enrolling it for 2FA on that particular website. Once enrolled, the user will no longer have to enter the password, they can simply use the device to login. There are a few limitations to this method though, including the fact that not many sites currently accept using security keys as a method of authentication.

How Does 2FA Fit into Your Security Plan?

Whatever method of 2FA you’re using, including text based 2FA, it’s likely to far more secure than relying solely on passwords for security. However, 2FA is just the start of building a security plan that truly protects your sensitive data and systems. A comprehensive security plan involves regular IT risk assessments, security training throughout the organization, strict password policies, regular software updates and a change auditing solution to keep an eye on how your users are interacting with your data and the systems around it.

If you want help ensuring that you have a working security strategy for your data, give us a call today.

Do you like this blog post?

Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.