Reddit – Where CISOs Go to Get Hacked

Shimrit Tzur-David | August 14, 2018

Yet another major enterprise has fallen victim to insecure identity protocols.

The social network giant Reddit reported earlier this month that hackers had succeeded in breaching the company’s databases, exposing both usernames and passwords.

Although cybercriminals were not able to alter any of Reddit’s information or source code, the companies Chief Technology Officer Christopher Slowe, admitted the hack was a serious one.  According to Reddit, in addition to login credentials, the unknown perpetrators also managed to gain access to some of its systems that contained backup data, source code, internal logs, and other sensitive files.

So how did the attackers pull it off?

According to reports, the breach was accomplished by intercepting SMS messages that were meant to reach Reddit employees with one-time passcodes. This allowed the hackers to simply circumvent the two-factor authentication (2FA) Reddit had in place to prevent such attacks.

Another One Bites the Dust

After years of industry analysis warning against SMS as a second authentication factor, the trend of high profile companies and individuals falling victim to hackers defeating this method is still going strong.

Some of the biggest voices in IT security from The Hacker News to Brian Kerbs, have been railing against SMS and reporting on instances of its failure for a long time. Already in 2015, cyber analyst Francis Bea penned an article warning about the various loopholes hackers could use to overcome SMS as a second factor. All of this evidence has led to standards and regulatory institutes such as the American NIST to also warn users on the dangers of SMS.

What is amazing about the most recent hack is that the victim is Reddit, a company that has gathered so many InfoSec specialists. One would expect someone in the company to have objected to this flimsy form of identity security.

It’s not a problem ‘til it’s a problem

The reasons why SMS authentication is insecure have been discussed at length. Here on the Octopus Blog as well, we’ve gone over the issues in detail.

Long after the vulnerabilities of SMS have been exposed, we are passed the awareness stage. Unfortunately, the pattern of behavior when it comes to cybersecurity (like so many other areas of corporate management), has produced a situation in which executives only start looking for a solution after a problem manifests.

What is behind this culture?

The truth is information security execs have it rough when it comes to making changes in protocols. They are almost always met with serious organizational challenges if they want to alter anything, especially when it comes to identity and access.

For IT departments and their managers, there are three things typically standing in the way of change for the better.

Cost – Maintaining passwords is an expensive solution for IT (dealing with constant resets, managing policies etc.). To add another factor to the password (U2F, biometric readers) will only add to that cost. If hardware tokens are being considered, convincing a company to spend $30-$60 per device on each user is a hard sell.

Work – Enrollment of hardware tokens is basically running a warehouse through the company IT department. All users are assigned a device that now becomes critical for their ability to work. Employees must sign on a device and take responsibility for keeping them secure and in reach at all times.  Someone will also have to pay for lost or damaged tokens, which means either an extra expense for the company, or users paying out of pocket–not likely to be a popular plan for employees. Additionally, regardless of replacement policies, the time it takes for tokens to be replaced will ultimately end up hurting workflow.

It’s a job no IT person wants to take, so most settle for the weak option of SMS or a “strong password policy” demanding complex character / number combinations that everyone in the company hates.

User Experience – Hardware tokens means another thing employees have to carry around. No one wants to be the person making everyone keep another device, one that if they lose or forget at home, they can’t work. Similarly, adding any second factor like SMS or OTP also hurts the user experience by slowing down the authentication process.

If only there was a cryptographic device that everyone is already carrying and could give users enterprise level security infrastructure while removing passwords and all the other cumbersome details from the equation.

Oh wait there is, I’m acutely using it right now.

This device utilizes the highest level of security, leveraging enterprise level encryption that most of the industry is already trusting and using. It upgrades automatically. It’s impossible to clone and everyone knows how to use it.

Ladies and gentleman, I’m proud to introduce “Your phone” and its incredible authentication system, harnessed through the simple platform of push notifications.

It is an authentication method proven more secure and cost-efficient than any other solution currently on the market.

Gartner, the leading technology analysis firm, claims that push “is more secure than one-time passwords (OTPs)” because there is no passcode to steal. The technology is “more user-friendly than OTPs because the user is freed from typing in long passcodes” In terms of monetary investment, “Mobile push’s total cost of ownership (TCO) can be up to 70% lower than that of other MFA solutions.”

Understanding the real costs and benefits of adopting new authentication standards is key for any IT department wanting to push through improvements to their protocols. The bring-your-own-device (BYOD) approach, implementing the simple and safe technology of push, addresses all the issues that stand in the way bring identity management to the next level.

It’s time to let go of SMS/OTP and move on to a better form of authentication. No more excuses.