Updated: August 3, 2018
Two-factor authentication (2FA) by now is one of the most reliable ways to keep your data safe as it adds an extra security layer to your accounts. With 2FA you have to prove your identity twice: with something you know and something you have. However, not all 2FA setups are equally secure. A recent Reddit hack proves that you shouldn’t use SMS in two-factor authentication.
By intercepting 2FA SMS verification codes, attackers managed to gain access to Reddit’s source code, internal files and, worst of all, “all Reddit data from 2007 and before including account credentials and email addresses”. As Reddit said in a blog post, “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” So the breach likely could have been avoided if Reddit employees had been using a 2FA method other than text messages, for example an authenticator app.
2FA is becoming more popular because of ever-growing concerns over cyber-attacks. It is now available on many account-based services, including Apple’s iCloud, Google Drive, Facebook, PayPal, etc. However, despite the fact that using your password together with a piece of information that only you know makes it harder for hackers to gain access to your personal data, 2FA isn’t as safe as you would like it to be.
As mentioned above, 2FA is used to add one more security layer to your account, meaning that cyber-criminals won’t be able to get at your data even if they discover your carefully created password.
To access an account protected with two-factor authentication, you need two different elements: something you know (usually your password) and something you have (e.g., your fingerprint or smartphone). With this feature enabled, every time you want to log in to your account, you will be asked to enter that password (as usual) and a unique one-time code that is sent to your mobile phone via a text message. So if anyone ever tries to snoop into your account, they will need to pull off two types of theft: steal your password and read your messages. Unfortunately, experts say that the latter is pretty easy to achieve even without stealing the physical device.
The major problem with two-factor authentication is that it typically relies on text messages, which can be hijacked surprisingly easily. Although this weakness of text messages has been known and discussed for a long time, security experts at Positive Technologies have recently shown what it actually looks like.
The video below (first published by Forbes) demonstrates how researchers managed to intercept text messages and use 2FA to get access to a user’s Gmail account. From there it took them a few moments to reset the Coinbase password and take control of a bitcoin wallet. Apparently, your name, surname and phone number are all hackers need to break two-factor security if you prove your identity via SMS.
While you may blame Coinbase for not putting enough effort into securing their services, the actual weakness lies in the phone system itself. Using their own research tool, researchers were able to exploit known flaws in Signaling System No. 7 (SS7), which is used by nearly every telecom in the world to manage calls and text messages. “This is a vulnerability in mobile networks, which ultimately means it is an issue for everyone, especially services relying on the mobile network to send security codes,” said Dmitry Kurbatov, a researcher at Positive Technologies.
While telecom companies are restricted from accessing users’ communications traveling through this network, hijacking services are pretty popular on criminal marketplaces. However, there’s no need for hackers to spend money on hijacking services as they can breach the network directly: “It’s much easier and cheaper to get direct access to the SS7 interconnection network and then craft specific SS7 messages, instead of trying to find a ready-to-use SS7 hijack service.”
As you can see, it’s pretty easy for cyber-criminals to attack the phone network and intercept your communications. If a hacker manages to breach the network, they can use the 2FA codes sent to you via text message and log in to any account they need. According to Dmitry Kurbatov, “this hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery.”
Even hijackable, text-based 2FA is better than no digital protection. However, if you care about your data security, you may want to consider choosing an alternative authentication method, such as Google’s Authenticator app.
Experts also suggest getting a separate phone number for digital services through, for example, Google Voice. For secure 2FA, you can also use security keys or Google Prompt, neither of which relies on the vulnerable SMS protocol.
Another important step privacy-conscious users should take is to demand that all account services provide non-SMS-based 2FA options, so that customers can log in to their accounts securely without the fear of being hacked.