Reddit’s hack highlights flaws in SMS-based 2FA

Yi Hong Poo
Sep 2, 2018 · 5 min read

Two-factor authentication (2FA) is a two-step login process that adds a layer of security on top of the usual username and password: besides something the user knows, it demands something only the user has. 2FA is not a new concept, but it has become far more prevalent in the digital age. One common method is mobile-phone verification: a six- or eight-digit code is sent to the user’s phone via SMS and the user keys it in as the second step. SMS-based 2FA is still widely used because users do not need to carry an additional token. However, Reddit’s recent security breach suggests that the age of SMS-based 2FA might be over.

Reddit security hack

In early August 2018, Reddit disclosed that an attacker had broken into a few of its systems in mid-June and accessed some user data. The data includes some current email addresses and a 2007 database backup containing old salted and hashed passwords. The attacker got in by compromising a few Reddit employees’ accounts with the company’s cloud and source-code hosting providers. Since Reddit is one of the biggest sites on the internet, a hack of this magnitude is no mean feat.

How did it happen?

We do not yet know exactly how the attacker intercepted the SMS codes, but Reddit has said that the employees’ phones themselves were not compromised. That detail matters: the attack was on the delivery channel, not on the handset.

Nonetheless, there are well-known ways to intercept an SMS code without ever touching the victim’s phone, chiefly SIM swapping and mobile number porting.

First, in a SIM swap, the attacker tricks the mobile provider into tying the target’s service to a new SIM card that the attacker controls. Legitimate customers request SIM swaps all the time, when a SIM has been damaged or when a different SIM size is needed for a new phone, so the request itself raises no alarm.

Second, in a port-out, the attacker impersonates the customer and asks for the number used for 2FA to be ported to another carrier or transferred to a device the attacker controls. Once either attack succeeds, every SMS for that number, including 2FA codes, is delivered to the attacker, and the victim’s own phone simply loses service.

Both scenarios are achievable because the wireless provider typically asks for little more than an address, an identification number such as the last four digits of a Social Security Number, or credit-card details before it transfers a phone number. That information should have stayed private, but the dark web holds a treasure trove of it after recent breaches such as Equifax, where about 146 million people’s names, dates of birth, Social Security Numbers, home addresses and, in some cases, driver’s licence numbers were exposed.

What did they steal?

According to Reddit, the hackers made off with data containing current email addresses and old salted and hashed passwords.

A short digression on hashing and salting will help explain what that means.

Essentially, hashing is a one-way function that turns a plain-text input, for example password123, into a fixed-length scrambled representation of it. The function is deterministic, so the same input always produces the same output, yet even a one-character change to the input produces a completely different hash value.

+-------------+------------------------------------------+
| Password    | SHA-1 hash value                         |
+-------------+------------------------------------------+
| password123 | CBFDAC6008F9CAB4083784CBD1874F76618D2A97 |
| Password123 | B2E98AD6F6EB8508DD6A14CFA704BAD7F05F6FB1 |
+-------------+------------------------------------------+

Recovering the plain-text input from the hash is computationally infeasible (though not strictly impossible) for a strong, unguessable input. The danger comes when a user picks a common password such as password123. If the attacker knows which hash function was used, they can hash a list of common passwords in advance and look each leaked hash value up in that table to recover the password.

There is a lot more to cryptography and cybersecurity behind the scenes, but the example above gives you an idea of what the hackers stole and what they can do with it.

To strengthen the stored value, some systems add a little salt and pepper to the password before hashing it. A salt is a unique, random string generated for each user and stored alongside the hash. It does not need to be secret: its job is to make every stored hash different even when two users choose the same password, and to force the attacker to start guessing from scratch for each account instead of reusing a pre-computed table. A pepper is a further secret value kept outside the database, so that a leaked table of hashes cannot be attacked at all without also stealing the pepper. With a salt, two users who both choose password123 no longer produce the same CBFDAC6008F9CAB4083784CBD1874F76618D2A97 value shown above; each gets a different stored hash.


Salting therefore makes pre-computing the hashes pointless: a rainbow table built for unsalted SHA-1 cannot be looked up against salted values. Note what a salt does not do: it makes no single guess more expensive, so a common password remains guessable account by account. That is why modern systems pair the salt with a deliberately slow hash such as bcrypt, scrypt, Argon2 or PBKDF2 rather than a fast one like SHA-1.
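To make the table and the salting discussion concrete, here is an added Python example (not code from the original article, and nothing to do with Reddit’s actual systems) that walks both sides. The attacker precomputes unsalted SHA-1 for a small constructed wordlist and recovers password123 from its leaked hash with a single lookup; the defender stores each password with a random per-user salt and a slow hash (PBKDF2 here, standing in for bcrypt, scrypt or Argon2), so the same password hashes differently for every user, the lookup table fails, and every guess has to be recomputed per account. The wordlist, the example passwords and the record format are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed stand-in for a cracking wordlist (real ones hold millions of entries).
COMMON_PASSWORDS: List[str] = ["123456", "password", "qwerty", "password123", "Password123", "letmein"]

# Iteration count kept modest so the demo runs quickly; production deployments use far more.
PBKDF2_ITERATIONS = 100_000


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 exactly as in the table above (upper-case hex)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Attacker side: hash every candidate once. The work is paid once and reused
    against every leaked hash from every site that used the same unsalted function."""
    return {sha1_hex(pw): pw for pw in wordlist}


def crack_unsalted(leaked_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup per leaked hash; no hashing at all at attack time."""
    return table.get(leaked_hash.upper())


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Defender side: salted, slow hash. The salt is stored in the clear next to the
    digest; it is not a secret, it only has to be unique per record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def new_user_record(password: str) -> str:
    """Fresh random 16-byte salt for every account, even when passwords are identical."""
    return hash_password(password, os.urandom(16))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(record: str, wordlist: List[str]) -> Optional[str]:
    """Salting does not stop guessing; it stops amortising it. Every candidate must be
    rehashed with this record's own salt, and the slow hash makes each guess costly."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = sha1_hex("password123")
    print("unsalted SHA-1 lookup:", leaked, "->", crack_unsalted(leaked, table))

    alice = new_user_record("password123")
    bob = new_user_record("password123")
    print("same password, different records:", alice != bob)
    print("table lookup against a salted digest:", crack_unsalted(alice.split("$")[-1], table))
    print("per-record guessing still finds a weak password:", crack_salted(alice, COMMON_PASSWORDS))
    print("and fails for a strong one:", crack_salted(new_user_record("Yd8#nq2Lw!vT"), COMMON_PASSWORDS))
```

The last two lines are the practical lesson: the salt defeats the precomputed table, the slow hash makes each per-account guess cost real CPU time, but neither rescues password123, which is why the password advice below still applies.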

For a better explanation of hashing and salting, please refer here and here:

What are the implications?

First, if you use a common password like password123, or the same password on multiple websites, you should change it now. Reddit is one of the biggest websites around and it was still hacked; you should not expect smaller websites or companies to protect your passwords as well as the tech giants do.

Second, SMS-based 2FA is no longer the gold standard, and we should expect a shift towards app-based or token-based methods. Apps such as Google Authenticator or Authy generate the one-time code on the device itself from a secret shared at enrolment, so nothing travels over the carrier’s network and a SIM swap or port-out yields nothing. An attacker would instead need to steal your phone, infect it with malware, or trick you into typing the code into a fake login page while it is still valid. That last route remains open, so app-based codes are a big improvement rather than a complete fix. Instagram has already launched app-based 2FA as an alternative to SMS. If you are a politician, a businessperson, a journalist or anyone with access to sensitive information, you should move to a more secure means of authentication than SMS-based 2FA. This also means your phone is now more important than ever.

The most secure form of 2FA available is still a hardware security key. Because the key signs a challenge bound to the site’s origin, there is no code to read off a screen and replay, and a phishing page on a look-alike domain gets nothing usable. Google has required its employees to use hardware authentication keys and credits them with warding off attacks similar to Reddit’s.

Third, the long-term danger for Reddit remains. The attacker obtained Reddit source code, internal logs, configuration files and other sensitive material, which gives deep insight into Reddit’s fundamental design and architecture and may surface further weaknesses over time. This does not mean you should stop using Reddit, but you should use a unique password there, change it now if it is old or reused elsewhere, and turn on app-based 2FA for your account.

For Singaporeans using SingPass, expect GovTech to roll out app-based authentication soon, or switch to the OneKey token in the meantime.

Written by Yi Hong Poo. I write about technology. Views are my own.
