Reddit's chief technology officer Christopher Slowe disclosed yesterday (Reddit announcement post by KeyserSosa) that the company had experienced a security incident in mid-June. An attacker bypassed Reddit's SMS-based two-factor authentication on a small number of employee accounts and used those compromised accounts to access historical Reddit data, including a 2007 database backup containing usernames, salted-and-hashed passwords (hashed with an algorithm of 2007 vintage, weaker than current standards), email addresses, and all content from that period, public posts and private messages included. Email digests sent to current users between June 3 and June 17 were also accessed.
The technical mechanism — and this is the part that needs writing about — was SMS interception. Reddit's two-factor authentication for the affected employee accounts relied on SMS one-time codes, and the attacker, by means Reddit has not specified in detail, intercepted those codes. SMS interception in 2018 is achievable through several routes: SIM-swap social engineering against the carrier (porting the victim's number to an attacker-controlled SIM), SS7 signalling exploitation against the cellular core network (rerouting the message), manipulation of the SMS aggregation infrastructure that sits between the service and the carrier, or insider access at a carrier. The specific route in Reddit's case has not been publicly identified. What every route has in common is that the one-time code transits a network the relying party neither controls nor can verify, which is why SMS as a second factor is structurally weak however the code itself is generated. This has been understood for years. NIST Special Publication 800-63B, finalised in June 2017 (NIST SP 800-63B Digital Identity Guidelines), designates out-of-band verification over the public switched telephone network, SMS included, as a RESTRICTED authenticator for federal systems and points agencies towards app-based authenticators and hardware tokens instead; the 2016 public draft had already marked SMS deprecated. The recommendation has been industry-known. The Reddit incident is the operational demonstration of why.
The customer briefings this week are focused on the second-factor question. Most of the customer-organisation MFA rollouts I have been writing about for two years have used SMS as the default second factor, on the operational grounds that SMS works on every phone and requires no app installation or hardware-token distribution. The post-Reddit, post-NIST conversation needs to revisit that default. Time-based one-time-password apps (Google Authenticator, Authy, the various enterprise-managed equivalents) are operationally only marginally more difficult than SMS for users and are substantially more secure against the SMS-interception attack class: the shared secret is provisioned once, the code is computed on the device from that secret and the clock, and nothing passes through the carrier. The caveat is that a TOTP code is still a six-digit string a user can type into a phishing page and an attacker can relay within its thirty-second window, so TOTP closes the interception route but not the real-time phishing route. Hardware tokens — YubiKey, Titan, the various FIDO2 implementations — are more secure still, because the authenticator signs a challenge bound to the origin it is talking to and a relayed challenge from the wrong origin produces an assertion the real site will reject; they are now operationally tractable for the privileged-access populations within customer organisations. The conversation I am having with each customer this week is about migrating the second-factor implementation off SMS for the highest-risk populations (administrative users, finance, HR) on a fast cycle, and off SMS for the wider population on a slower cycle.
The Browne Jacobson estate is mostly on TOTP for the administrative population already; the partner population is still on SMS and is being migrated. Towry is on TOTP for the trading-platform-operator population; the wider firm is split. Northcott uses Duo Mobile push-based authentication, which is structurally more secure than SMS and is being kept. The manufacturer is on SMS at scale and is the largest piece of work — the migration to TOTP across approximately seven thousand users will run through Q4 and into 2019. The new financial-services client (added in September 2016) is on hardware tokens for the privileged population and TOTP for the wider population; clean. The retailer (added October 2017) is in TOTP migration that is on schedule.
For the wider strategic point, the Reddit incident is one of a small but growing set of cases that demonstrate the SMS-second-factor weakness in operational use. Coinbase, Twitter, several of the cryptocurrency exchanges, and various individual high-profile targets have all had SMS-second-factor bypass attacks reported in 2017 and 2018. The category is well-understood; the operational deployment of stronger alternatives is the bottleneck. Customer-organisation conversations about this have, in the past year, been more receptive than I would have predicted three years ago. The industry-direction signal is clear and the cost-benefit calculation is increasingly in favour of the stronger options.
For the EmilyAI work — I want to note for the project's records — the Reddit incident has produced an interesting analyst-decision pattern across the customer fleet. The post-Reddit alert volume on credential-stuffing-against-customer-authentication-endpoints has been elevated since the disclosure, and the analyst classifications have correspondingly shifted; the model is adapting on its weekly retraining cycle. The kind of operational drift that happens around major industry disclosures is one of the things the model continuously absorbs, and the rate at which the model adapts has been one of the unexpected operational benefits. I will write more on this in the autumn research piece.
The customer briefings continue. The patching, in this case the second-factor migrations, continues.