1. 27
    1. 17

      An interesting aspect of this: their employees’ credentials were compromised by intercepting two-factor authentication that used SMS. Security folks have been complaining about SMS-based 2FA for a while, but it’s still a common configuration on big cloud providers.

      1. 11

        What’s especially bugging me is platforms like Twitter that do provide alternatives to SMS for 2FA, but still require SMS to be enabled even if you want to use safer means. The moment you remove your phone number from Twitter, all of 2FA is disabled.

        The problem is that if SMS is an option, that’s going to be what an attacker uses. It doesn’t matter that I myself always use a Yubikey.

        But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

        This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle “customer” requests as quickly and efficiently as possible.

        update: I just noticed that Twitter has fixed this and you can now disable SMS while keeping TOTP and U2F enabled.

        1. 2

          But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

          I get why they do this from a convenience perspective, but it bugs me to call the result 2FA. If you can change the password through the SMS recovery method, password and SMS aren’t two separate authentication factors, it’s just 1FA!
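One way to make the “it’s just 1FA” argument concrete, as an added example that is not from any commenter in this thread: model login as the password plus any one enrolled second factor (the attacker picks the weakest, as noted above), treat each recovery path as a password reset, and compute the fewest channels an attacker must control. The channel labels and the two sample configurations are constructed.

```python
def takeover_paths(second_factors, recovery_paths):
    """Minimal sets of channels an attacker must control for full account access.

    Login needs the password plus ANY one enrolled second factor, so every
    second factor yields its own path. A recovery path resets the password,
    so it replaces "password" in a login path (the second factor is still
    required after the reset).
    """
    paths = set()
    for sf in second_factors:
        paths.add(frozenset({"password", sf}))
        for rec in recovery_paths:
            paths.add(frozenset(rec) | {sf})
    # keep only minimal sets: a path that is a strict superset of another is redundant
    return {p for p in paths if not any(q < p for q in paths)}


def effective_factor_count(second_factors, recovery_paths):
    """How many independent channels the weakest takeover path really needs."""
    return min(len(p) for p in takeover_paths(second_factors, recovery_paths))


def single_points_of_failure(second_factors, recovery_paths):
    """Channels whose compromise alone (e.g. a ported-out number) takes the account."""
    return sorted(next(iter(p)) for p in takeover_paths(second_factors, recovery_paths)
                  if len(p) == 1)


# Constructed configuration 1: SMS is both a 2FA option and the password-reset channel.
SMS_EVERYWHERE = ({"sms", "totp", "u2f"}, [{"sms"}])
# Constructed configuration 2: SMS reset still exists, but SMS is no longer a 2FA option.
SMS_RESET_ONLY = ({"totp", "u2f"}, [{"sms"}])

if __name__ == "__main__":
    for name, (sf, rec) in (("sms everywhere", SMS_EVERYWHERE), ("sms reset only", SMS_RESET_ONLY)):
        print(name, "->", effective_factor_count(sf, rec), "factor(s), SPOF:",
              single_points_of_failure(sf, rec))
```

With SMS enrolled as a second factor and used for reset, the only channel an attacker needs is the phone number; dropping SMS as a 2FA option (while keeping SMS reset) raises the weakest path back to two channels.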

        2. 1

          Have sites been keeping SMS given the cost of supporting locked out users? Lost phones are a frequent occurrence. I wonder if sites have thought about implementing really slow, but automated recovery processes to avoid this issue. Going through support with Google after losing your phone is painful, but smaller sites don’t have a support staff at all, so they are likely to keep allowing SMS since your mobile phone number is pretty recoverable.

          1. 1

            In case of many accounts that are now de facto protected by nothing but a single easily hackable SMS I’d much rather lose access to it than risk somebody else getting access.

            If there was a way to tell these services and my phone company that I absolutely never want to recover my account, I would do that in a heartbeat.

        3. 1

          This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle “customer” requests as quickly and efficiently as possible.

          True. Also, if you have the target’s phone number, you can skip the social engineering, and go directly for SS7 hacks.

      2. 1

        I don’t remember the details but there is a specific carrier (T-Mobile I think?) that is extremely susceptible to SMS interception and it’s people on their network that have been getting targeted for attacks like this.

        1. 4

          Your mobile phone number can relatively easily be stolen (more specifically: ported out to another network by an attacker). This happened to me on T-Mobile, but I believe it is possible on other networks too. In my case my phone number was used to set up Zelle and transfer money out of my bank account.

          This article actually provides more detail on the method attackers have used to port your number: https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

          1. 1

            T-Mobile sent a text message blast to all customers many months ago urging users to set up a security code on their account to prevent this. Did you do it?

            Feb 1, 2018: “T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: t-mo.co/secure”

            1. 1

              Yeah I did after recovering my number. Sadly this action was taken in response to myself and others having been attacked already :)

    2. 5

      Kinda surprised that reddit - a site which hosts rougher parts of the internet - has not had a Head of Security until 2.5 months ago?

      1. 8

        Their headcount has always been kinda small I think? You need to hit a certain size before carving out a specific position.

        1. 7

          “Kinda small” is ~250 people. They have data of 330 Million users.

          I wouldn’t attach the headcount to the position directly, the question is how much a security need you have.

          1. 2

            They seemed to have done pretty well for a long time without having one though.

            1. 1

              Did they? How do you know there weren’t previous leaks/breaches that simply went undetected?

              1. 2

                That’s probably not a good way to measure it, but maybe the number of posts like this? But that’s true.

                1. 3

                  My point is, they could have been regularly infiltrated for years and they only noticed now thanks to new talent in house. There’s only so much a jack of all trades team can do while fire fighting all the needs.

                2. 1

                  I’ll add to mulander’s hypothetical that this happened in all kinds of big companies with significant investments in security. They were breached for years without knowing they were compromised. They started calling them “APTs” as a PR move to reduce humiliation. It was often vanilla attacks or combos of those with some methods to bypass monitoring that companies either didn’t have or really under-invested in. Reddit could be one if they had little invested in security or especially intrusion detection/response.

      2. 3

        Because reddit is not hosting financial data or (for the most part) deeply personal data that is not already out in the open, I would assume that they are not that interesting a target for hackers looking for financial gain, but more interesting for script kiddies who are looking to dox or harass other users.

        1. 5

          Many subreddits host content and discussions that people don’t want to be attached to. The post even appreciates that and recommends deletion of those posts.

          I find it telling that you go out of your way pushing people interested in gaining personal data in the script kiddie corner. Yes, SMS based attacks are in the range of “a script kiddie could do that”, which makes it even worse.

        2. 2

          Criminals are using this type of information for targeted extortions and other activities. The general view that this is mostly the realm of “script kiddies” detracts from the seriousness and provides good cover for their activities.

          1. 1

            I made an assumption, but reading your reply and that of @skade you are right that there are lots of uses for the data from a criminal perspective, especially for a site the size of reddit.

    3. 2

      Why do they even still have backups from 2007 in this post-GDPR world? They have no authority to retain that data, surely.

      1. 3

        I was thinking exactly this when I read about the breach. Backups from 2017 maybe, but almost ten year old backups are useless right?

        1. 4

          Maybe it was a seed for a staging/testing system? It’s not uncommon for many places to flop around a data seed for developers - usually they would be anonymized but that’s not always the case in all places.

        2. 3

          It’s not too surprising to me. When changing over to a new system, it’s fairly common to dump the old pile of spaghetti into an archive labeled Someone Sort This Mess Out Later, if you aren’t 100% sure that it doesn’t still have something important in it that needs to be ported over to the new system. Naturally, nobody ever gets around to sorting through it.