SoylentNews is people

posted by chromas on Friday August 03 2018, @02:41PM
from the who-knew-sms-was-still-a-thing? dept.

Computer security journalist Brian Krebs has posted in his blog that Reddit, a well-known social news aggravation site, has announced that an attacker compromised several employee accounts at its cloud and source code hosting providers. The way in turned out to be Reddit's reliance on mobile text messages (SMS) in an imitation of two-factor authentication (2FA). Mobile application-based keys are an option. Hardware tokens would also have been reasonably secure, but few sites do more than partially support them.

Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.

Specific details of how the SMS messages were intercepted have not yet been made public.

Earlier on SN:
Google Defeats Employee Phishing With Physical Security Keys (2018)
SIM Hijacking as a Second Factor (2018)
Authentication Today: Moving Beyond Passwords (2018)

  • (Score: 3, Interesting) by bob_super on Friday August 03 2018, @08:39PM (2 children)

    > from the who-knew-sms-was-still-a-thing? dept.

    SMS are usually free, and compatible across just about every cellphone on the planet. They are regulated for privacy, unless someone has enough interest in you to get a judge to agree.
    Did I miss a specific reason why I shouldn't be using SMS? (don't care about encrypting messages about milk or ETAs)
    What should I use instead, which would work seamlessly with all my friends/family/customers?

  • (Score: 1, Informative) by Anonymous Coward on Saturday August 04 2018, @02:43AM (1 child)

    In the context of this article, SMS is tied to a phone number, not an actual phone. Something you have is the phone, the number itself? Not so much. That's more something you know rather than something you have. The number can be separated from a physical phone by a small amount of social engineering. Thus it is not acceptable for 2FA by itself.

    See SIM Hijacking as a Second Factor [soylentnews.org] for starters and then if you wish you can find many similar articles.