Two-factor Becomes Hack-factor In Reddit Attack
The last few years have seen a number of high-profile hacks, each growing in complexity and affecting masses of people. Some ransomware strains now spread on their own like worms to increase their reach, and some can decide which kind of infection, ransomware or crypto-mining, will be most profitable to the criminals on a given machine. As hacks, ransomware attacks and other cyber-crimes become more prevalent, what are organizations doing to protect themselves?
The latest high-profile victim is the internet giant, website and social platform Reddit. Reddit disclosed the intrusion publicly on 1 August 2018, having discovered it on 19 June (the attacker had access to some systems between 14 and 18 June) and having first investigated what had occurred and what data was likely to have been accessed.
Organizations have long been encouraged to report breaches as soon as they are discovered, but often this has not happened. In Europe the GDPR, which came into force in May 2018, requires organizations to notify the supervisory authority within 72 hours of becoming aware of a breach.
Reddit uses two-factor authentication as a security measure to help protect its systems and its users' information and accounts.
Two-factor authentication (2FA) is a security process in which a system requires two separate factors before an account can be accessed. This is usually a password plus a second factor: a PIN or one-time passcode delivered by text message or generated by an authenticator app.
Reddit delivered the second factor for its employee accounts by SMS. The attackers compromised several employee accounts using what Reddit described as an SMS intercept. The information needed to carry out this kind of attack would likely include the victim's mobile number, a current address and payment-card details, all of which can be bought on the dark web following major data breaches such as those at Yahoo and Equifax.
Once employee accounts were compromised, the attackers were able to read two sets of data. The first was a 2007 database backup containing very early account data from Reddit's launch in 2005 through May 2007: usernames, salted and hashed passwords, email addresses, and public and private messages from that period. The second was the logs of Reddit 'digest' emails sent to users in June 2018; each of these links an email address to a username.
Speaking on the situation Reddit CTO Christopher Slowe said:
“If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password… Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today… If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want to be associated back to that address.”
How 2FA got beaten
Two-factor authentication is designed to improve the security of a platform, so the idea that it was beaten by the relatively simple technique of taking over a victim's mobile number is unsettling. SMS has been in mass use for over two decades and was never designed as an authentication channel, so there is a clear need for stronger second factors. Once attackers hold enough personal information about a target, they can persuade the mobile carrier to move the number to a SIM they control (a SIM swap) or otherwise intercept the text messages, and every SMS one-time code for that number then reaches the attacker rather than the employee. That personal information can be collected via a phishing campaign or, in some cases, purchased on the dark web.
What Reddit are doing to improve security
Following the hack, Reddit responded promptly: it launched an investigation, set out steps to improve its security processes, and contacted users who may have been affected to help them secure their accounts and update passwords. What steps are being taken?
- The breach has been investigated internally to understand how systems were accessed and what data was accessed.
- The breach has been reported to law enforcement, who are carrying out their own investigation.
- Messages have been sent to users telling them to update their account security if they are potentially at risk of unauthorized access.
- Additional security measures are being added, including moving employee 2FA from SMS to token-based codes.
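The point of moving from SMS codes to a token-based second factor, as the list above and the "How 2FA got beaten" section describe, is that the code is computed locally from a shared secret and the clock, so there is nothing for a SIM swap to intercept. The following is an added example written for this article, not Reddit's code and not part of the original post: a minimal RFC 6238 TOTP generator and verifier in Python. It assumes the usual parameters (30-second time step, 6-digit codes, HMAC-SHA1, a tolerance of one step of clock drift) and uses the RFC 6238 test key for its demonstration values; the provisioning URI format follows the de-facto otpauth scheme used by authenticator apps.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP, the kind of second factor that
does not travel over the carrier network. Parameters (30 s step, 6 digits, SHA-1,
+/-1 step drift window) are assumptions matching common authenticator apps."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

# Test key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"); a real
# deployment generates a fresh random key per account with new_secret().
RFC_KEY = b"12345678901234567890"


def new_secret(length: int = 20) -> bytes:
    """Generate a random shared secret; 20 bytes is the RFC 4226 recommendation for SHA-1."""
    return secrets.token_bytes(length)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(key, for_time // step, digits)


def verify_totp(key: bytes, submitted: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used_counter: int = -1) -> Tuple[bool, int]:
    """Check a submitted code against the current step and +/-window neighbours.

    Returns (accepted, counter). The caller must persist the returned counter for
    the account and pass it back as last_used_counter next time: a code is only
    valid for a time step later than the last one accepted, so a code that was
    phished or intercepted cannot be replayed after it has been used once.
    """
    if for_time is None:
        for_time = int(time.time())
    current = for_time // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_used_counter:
            continue  # already consumed (or older than a consumed code): replay
        expected = hotp(key, counter, digits)
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, last_used_counter


def provisioning_uri(issuer: str, account: str, key: bytes,
                     step: int = 30, digits: int = 6) -> str:
    """otpauth:// URI that authenticator apps read from a QR code at enrolment.
    The secret is shown to the user exactly once, at enrolment, never sent by SMS."""
    secret = base64.b32encode(key).decode("ascii").rstrip("=")
    return ("otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"
            "&algorithm=SHA1&digits={digits}&period={step}").format(
                issuer=quote(issuer), account=quote(account),
                secret=secret, digits=digits, step=step)


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 6-digit SHA-1 code is 287082.
    code = totp(RFC_KEY, for_time=59)
    print("code at t=59:", code)
    ok, counter = verify_totp(RFC_KEY, code, for_time=59)
    print("first use accepted:", ok, "counter:", counter)
    # Same code presented again within the window is refused as a replay.
    print("replay accepted:", verify_totp(RFC_KEY, code, for_time=65,
                                          last_used_counter=counter)[0])
    print(provisioning_uri("ExampleCorp", "employee@example.com", new_secret()))
```

The replay check is what turns a one-time code into a genuinely one-time code; an SMS verifier that only compares the six digits would accept the same intercepted code as long as it was still inside the validity window.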