SMS Authentication and the Reddit Hack
Recently, Reddit, the 6th most popular website on the planet, was hacked. From 14 June to 18 June, 2018, bad guys were able to break into Reddit employee cloud hosting and code repository accounts, despite the fact that these accounts were secured by SMS Two Factor Authentication.
2FA – What is it?
You have probably seen corporate or web authentication schemes where text, or SMS, messages are used to authenticate the user. This is a form of Two Factor Authentication (2FA), also known as Multi Factor Authentication, or MFA. Basically, it is a combination of something you know, such as a password, with something you have, such as a security token that generates a code number for you to input, or your mobile phone, which can receive an SMS message carrying an authentication code. 2FA/MFA should, in theory, considerably increase the security of your system.
SMS 2FA – Better than Nothing
The challenge is that while hugely tempting and incredibly convenient, security weaknesses render SMS 2FA something other than the best choice for real security. Sure, it may be better than nothing, but if you are rolling out SMS 2FA, you should be thinking “good enough” rather than “bulletproof.”
What’s the problem with SMS Authentication?
The problem is with SS7, Signaling System 7, the standard that defines how most of the world’s PSTN (phone) systems work. If the SS7 system of your mobile provider (or of the network you are roaming on) has been compromised, it is relatively trivial to capture SMS messages in plain text without the user noticing. While you might imagine that compromising national SS7 systems would require the resources of a nation-state hacker organization, there are services on the darknet offering such access for as little as $500.
Another vulnerability is the “port out scam”, where, with a bit of social engineering, a bad guy gets control of a mobile number and a SIM he/she can use. This becomes a real problem when your mobile phone is also the backup method of authentication for recovering lost passwords. The New York Times provides the story of one victim of such a scam who lost $150k in virtual currency. Femtocells also offer another area for potential exploitation.
In conclusion, the billions of devices in use today make SMS MFA a tempting move. Security organizations can be seen to be doing something to enhance security, and this something will be visible to every user as he/she tries to authenticate. That said, this approach has a number of limitations and shortcomings, with well understood technical and social engineering methods for compromising SS7 networks in play in the wild. Organizations using SMS 2FA probably have other, larger and more pressing security challenges to deal with right now, but those running SMS 2FA should at least consider moving to other methods of authentication.