View profile

We Regret to Inform You That Two-Factor Authentication is Not Invincible [Collision Course #6]

We Regret to Inform You That Two-Factor Authentication is Not Invincible [Collision Course #6]
By Tommy Collison • Issue #6 • View online
Hello and welcome to the 6th issue of Collision Course, a newsletter about tech policy, consumer privacy, and the future. Click here to read previous issues of the newsletter.
Today, big news from Reddit, and why two-factor authentication isn’t as secure as you think.

Once more unto the breach, dear friends.
Reddit, the popular social networking site, announced today that they’d been hacked and that attackers had gotten access to users’ personal information:
All Reddit data from 2007 and before including account credentials and email addresses.
What was accessed: A complete copy of an old database backup containing very early Reddit user data – from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
It’s bad news for Reddit, but what’s most interesting is that, per their blogpost, the hacker seems to have obtained access to user data by circumventing Reddit’s two-factor authentication, intercepting SMS messages with one-time login codes.
Two-factor wha’?
It sounds techy, but if you’ve ever used an ATM, you’re familiar with two-factor authentication (also called 2FA). To access your account or withdraw money, ATMs require something you have (your bank card) and something you know (your four-digit PIN).
The same thinking is behind 2FA for email, Twitter, Facebook, and many other web services.
If you’re like over 90 percent of Gmail users, you don’t use 2FA. You type something you know (your password), and you’re on your way.
2FA adds another step — the something you have. After you type in your password, you receive a six-digit code in a text message that you have to type into your web browser.
Here’s 2FA in action:
"You're @tommycollison? Prove it."
"You're @tommycollison? Prove it."
Since your phone is something you have, and by entering the code you’re proving that you’re the account owner and should be granted access.
While 2FA useful for something like Gmail or Twitter (so attackers can’t impersonate you), it’s absolutely necessary for something like online banking, since attackers can wire money out in minutes if they gain access to your account.
If you have 2FA enabled, even if you’re tricked into entering your password on a fake website, or if your password is posted online as part of a data breach, your account is still safe. The attacker doesn’t have something you have.
So wait, what happened to Reddit?
Their blogpost makes it sound like Reddit engineers had 2FA enabled. So, how did they get hacked?
The truth is that 2FA isn’t bullet-proof, and the reason why is something called “SMS hijacking.” Here’s how the con works:

  1. The attacker calls your service provider, AT&T or Vodafone or whoever, and pretends to be the account owner. “Oh, my phone was stolen” or “Oh, I forgot my SIM code.”
  2. Whatever the excuse, customer care agents don’t always do their due diligence checking that the account actually belongs to the caller. Maybe the attacker already knows some of your personal information, like the address on file.
  3. The account gets moved over to a new SIM card that the attacker owns, and now the attacker owns your phone account and your 2FA is useless.
(This actually happens.)
2FA’s Still Good!
Traditional 2FA (through text message) isn’t useless just because it’s susceptible to the attack that probably snagged the Reddit engineers. That sort of attack is hyper-targeted, and most of us aren’t important or interesting enough for an attacker to go to the trouble of impersonating us to our service provider.
2FA still protects you from phishing, and from your password being used after an attacker finds it in a database breach. For instructions on how to enable two-factor authentication on various internet accounts, check out https://twofactorauth.org.
Bonus Round: Beyond 2FA
Making a more secure 2FA essentially means making a slightly different something-you-have. Cellphones are still pretty good things to choose, since they often come everywhere with us. Google has an authenticator app that provides the same sort of six-digit code, but since it’s an app rather than an SMS, it’s harder to hack. A Yubikey is also a good way to go: it’s a physical device that plugs into your computer’s USB port and authenticates you to various internet services.
As always, I welcome your feedback, and I’d love to hear your suggestions for what you’d like to see covered in this newsletter. I’m @tommycollison on Twitter, or you can email tommy@collison.ie. Please get in touch! 📩📬



Did you enjoy this issue?
Tommy Collison

A newsletter about tech policy, consumer privacy, and the future.

If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Seattle, WA