Computer security journalist Brian Krebs has posted in his blog that Reddit, a well-known social news aggregation site, has announced that an attacker compromised several employee accounts at its cloud and source code hosting providers. The way in turned out to be Reddit's reliance on mobile text messages (SMS) as an imitation of two-factor authentication (2FA): a code delivered over the phone network can be intercepted or redirected, so it proves possession of a phone number rather than of a device. Mobile authenticator apps, which compute the code on the device itself, are an option. Hardware tokens would also have been reasonably secure, but few sites do more than partially support them.
Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.
Specific details of how the SMS messages were intercepted have not yet been made public.
Earlier on SN:
Google Defeats Employee Phishing With Physical Security Keys (2018)
SIM Hijacking as a Second Factor (2018)
Authentication Today: Moving Beyond Passwords (2018)
(Score: 2) by darkfeline on Friday August 03 2018, @08:01PM (1 child)
I don't remember if I trumpeted this particular annoyance yet, but it sounds like an opportunity for another security PSA.
SMS is not 2FA. "2FA" services like Authy are also not 2FA.
Get a physical 2FA key. Barring that, use a trusted authenticator app.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Sunday August 05 2018, @12:19AM
The summary says they were using SMS as "an imitation of two-factor authentication."