
posted by mrpg on Thursday November 22 2018, @08:20PM
from the thanksgiving-for-hackers dept.

Submitted via IRC for SoyCow1984

Database leak exposes millions of two-factor codes and reset links sent by SMS

Millions of SMS text messages—many containing one-time passcodes, password reset links, and plaintext passwords—were exposed in an Internet-accessible database that could be read or monitored by anyone who knew where to look, TechCrunch has reported.

The discovery comes after years of rebukes from security practitioners that text messages are a woefully unsuitable medium for transmitting two-factor authentication (2FA) data. Despite those rebukes, SMS-based 2FA continues to be offered by banks such as Bank of America, cellular carriers such as T-Mobile, and a host of other businesses.

The leaky database belonged to Voxox, a service that claims to process billions of calls and text messages monthly. TechCrunch said that Berlin-based researcher Sébastien Kaul used the Shodan search engine for publicly available devices and databases to find the messages. The database stored texts that were sent through a gateway Voxox provided to businesses that wanted an automated way to send data for password resets and other types of account management by SMS. The database provided a portal that showed two-factor codes and reset links being sent in near real-time, making it potentially possible for attackers who accessed the server to obtain data that would help them hijack other people's accounts.
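The gateway kept the full text of every message it relayed, which is what turned a reachable database into a live feed of usable codes and reset tokens. As an added example (not Voxox's code and not from the article), the Python below masks one-time codes, bearer tokens in reset links and "password is ..." values in an SMS body before it is logged or stored, so the record keeps routing metadata but no credential; the query-parameter names and the sample message are assumptions.

```python
"""Redact one-time codes, reset-link tokens and plaintext passwords from SMS
bodies before a gateway logs or stores them (added example, not Voxox code)."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PLACEHOLDER = "[REDACTED]"
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# 6-8 digit runs or two 3-4 digit groups ("123 456"); errs toward over-redaction.
OTP_RE = re.compile(r"(?<!\d)(?:\d{6,8}|\d{3,4}[ -]\d{3,4})(?!\d)")
# "password is X" / "password: X"; the value is group 2.
PASSWORD_RE = re.compile(r"(password(?:\s+is|:)\s*)(\S+)", re.IGNORECASE)
# Query keys assumed to carry a bearer secret (assumption; tune per customer).
SECRET_PARAMS = {"token", "code", "key", "otp", "reset", "t"}
# A long, alphabet-restricted path segment is treated as an opaque token.
TOKEN_SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")

def redact_url(url: str) -> str:
    """Mask secret-looking query values and token-like path segments; keep the host."""
    parts = urlsplit(url)
    path = "/".join(PLACEHOLDER if TOKEN_SEGMENT_RE.match(seg) else seg
                    for seg in parts.path.split("/"))
    query = urlencode(
        [(k, PLACEHOLDER if k.lower() in SECRET_PARAMS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)],
        safe="[]")  # keep the placeholder readable instead of %5B...%5D
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))

def redact_text(text: str) -> str:
    """Mask password values and one-time codes in a non-URL fragment."""
    text = PASSWORD_RE.sub(lambda m: m.group(1) + PLACEHOLDER, text)
    return OTP_RE.sub(PLACEHOLDER, text)

def redact_sms(body: str) -> str:
    """Redact a whole SMS body. URLs and the text around them are handled
    separately so digits in hostnames or paths are not mistaken for codes."""
    out, pos = [], 0
    for m in URL_RE.finditer(body):
        out.append(redact_text(body[pos:m.start()]))
        out.append(redact_url(m.group(0)))
        pos = m.end()
    out.append(redact_text(body[pos:]))
    return "".join(out)

if __name__ == "__main__":  # constructed sample of a message kind the article names
    print(redact_sms("Reset here: https://example.invalid/reset?token=abc123def456"))
```

Run the redaction at the point the gateway writes its delivery record, not on a later export; a copy of the unredacted body in a queue or debug log defeats the purpose.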


  • (Score: 0) by Anonymous Coward on Friday November 23 2018, @04:20AM (3 children)

    by Anonymous Coward on Friday November 23 2018, @04:20AM (#765437)

    You don't say what country you are in. In USA, I'd certainly try something simple--go to the Bursar's office and request a paper check.

  • (Score: 0) by Anonymous Coward on Friday November 23 2018, @06:11AM (1 child)

    by Anonymous Coward on Friday November 23 2018, @06:11AM (#765464)

    Yes, and several of my colleagues have explicitly requested such. But the problem is that many of us "modern" faculty post grades, or even post things like announcements and assignments, online these days, and if I can only log in to the University's system when I have a secondary verification, like my office landline, that means I cannot enter grades without having to actually come in to my office. Yes, First World Problem. But as I said, after they sold out our email to the corporation that "formerly" would not be evil, well, I have to wonder. And I am on the "do not let my boss call" list.

    • (Score: 1, Interesting) by Anonymous Coward on Friday November 23 2018, @05:17PM

      by Anonymous Coward on Friday November 23 2018, @05:17PM (#765596)

      What's the chance you can set your office landline* to forward to your cell phone? A slight pain to punch in some numbers before you leave the office, but much easier than a separate trip to the office. At least this way, Google doesn't have your cell number.

      * It's probably not a traditional landline with dumb switching/exchange, more likely it goes to a computer switch somewhere near campus.

  • (Score: 0) by Anonymous Coward on Friday November 23 2018, @09:16AM

    by Anonymous Coward on Friday November 23 2018, @09:16AM (#765483)

    You don't say what country you are in.

    I believe "Title IX" identifies the OP as being in the US.