Q&A: Reddit breach shows use of ‘SMS 2FA’ won’t stop privileged access pillaging


The recent hack of social media giant Reddit underscores the reality that all too many organizations — even high-visibility ones that ought to know better —  are failing to adequately lock down their privileged accounts.

Related: 6 best practices for cloud computing

An excerpt from Reddit’s mea culpa says it all:  “On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

It’s safe to assume that Reddit has poured a small fortune into security, including requiring employees to use SMS-delivered one-time passcodes in order to access sensitive company assets.

But here’s the rub: Reddit overlooked the fact that SMS 2FA systems are useful only up to a point. It turns out they can be subverted with just a modicum of effort. SIM card hijacking, for instance, is a scam in which a threat actor persuades the phone company to divert data to a new address. And then there’s SS7 hacking, which leverages known flaws in the global SMS infrastructure to intercept data in transit — including passcodes.

In fact, SMS attacks are being refined and improved daily. This is because they are useful in targeting big companies. This summer alone, in the wake of the Reddit hack, British mobile phone retailer Carphone Warehouse, ticketing giant Ticketmaster, telecom company T-Mobile and British Airways disclosed huge data compromises of similar scale and methodology. And just last week, online retailer Newegg was hit by the same gang that nicked British Airways.

I interviewed Tal Guest, Principal Product Manager at Bomgar, an Atlanta-based supplier of identity and access management systems to supply some wider context. We spoke at Black Hat USA 2018. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and length:

LW: Can reliance on SMS two-factor authentication give companies a false sense of security?

Guest: There still are risks. Studies have come out showing that SMS is not the best method for two factor, from a security standpoint. There are different attacks, specific to SMS,  that make it easy to get the pass code.

That’s what happened here. The attackers were able to use one of those methods of getting access to their text messages. They were able to authenticate themselves and get into Reddit’s environment.

LW: Why have privileged accounts become so heavily targeted?

Guest: Privileged credentials are the way to get access to sensitive data. These attackers are using automated ways of going in and trying to infiltrate your network using a brute force attack,  or a rainbow table attack, or just buying credentials off of the Dark Web.

And then once they get that foothold, the next step is to be able to move laterally. And the way you do that is with privileged credentials, you need some additional authentication, in order to maneuver around the network.

LW: So threat actors are looking for that access path?

Guest:  Absolutely. Everything today has a privileged account. It’s critical for companies to have visibility into these accounts, know what they are and how to find them. And it is important to then come up with a strategy to remediate breaches when they happen, and minimize your losses.

LW: Are companies paying enough attention to this?

Guest: They’ve come to the realization that they don’t really have a good grasp of where all these privileged credentials are, who has access to them and what kind of policy may be governing them.

We see organizations that are struggling to figure out how to gain that visibility; and for the organizations that do have that visibility, they’re  struggling with how to manage all of this.

LW: So is it a matter of imposing the correct policies?

Guest: Well, first of all, it is actually knowing what it is that you’re trying to put a policy around. And then how do you execute on that policy. Is it just a business rule that you put in place? Or do you actually have technical controls and software that helps you accomplish the task of enforcing your policies?

LW: How do you avoid slowing down productivity?

Guest: There’s always a constant struggle to balance productivity with security. You’ve  got a business to run. You’ve got customers to support, and products to get out. Automation can be a key to balancing that. A manual process is not going to keep up with the speed of business needs.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: Last Watchdog has supplied consulting services to Bomgar.)


Q&A: Reddit breach shows use of ‘SMS 2FA’ won’t stop privileged access pillaging