
posted by chromas on Friday August 03 2018, @02:41PM   Printer-friendly
from the who-knew-sms-was-still-a-thing? dept.

Computer security journalist Brian Krebs has posted in his blog that Reddit, a well-known social news aggravation site, has announced that an attacker compromised several employee accounts at its cloud and source code hosting providers. The way in turned out to be Reddit's reliance on mobile text messages (SMS) as an imitation of two-factor authentication (2FA). Mobile application-based keys are an option. Hardware tokens would also have been reasonably secure, but few sites do more than partially support them.

Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.

Specific details of how the SMS messages were intercepted have not yet been made public.

Earlier on SN:
Google Defeats Employee Phishing With Physical Security Keys (2018)
SIM Hijacking as a Second Factor (2018)
Authentication Today: Moving Beyond Passwords (2018)

Related Stories

Authentication Today: Moving Beyond Passwords

Submitted via IRC for TheMightyBuzzard

A global study from IBM Security examining consumer perspectives around digital identity and authentication today, found that people now prioritize security over convenience when logging into applications and devices.

Generational differences also emerged showing that younger adults are putting less care into traditional password hygiene, yet are more likely to use biometrics, multifactor authentication and password managers to improve their personal security.

With millennials quickly becoming the largest generation in today's workforce, these trends may impact how employers and technology companies provide access to devices and applications in the near future. Overall, respondents recognized the benefits of biometric technologies like fingerprint readers, facial scans and voice recognition, as threats to their digital identity continue to mount.

Source: https://www.helpnetsecurity.com/2018/01/29/authentication-today/


SIM Hijacking as a Second Factor

A lot of companies, some quite big and prominent, fool people into thinking that a phone is a second authentication factor. Due to the transferability of the phone number associated with a random SIM card and the ease with which social engineering and even conspirators inside the carrier itself can be used to gain control of that number, it is not and can never be "something you have". That does not stop companies from pretending nor marks from playing along. Motherboard has an article about how the weaknesses around the SIM cards are becoming all the more frequently exploited to perpetrate massive fraud.

First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.

From Motherboard: The SIM Hijackers


Google Defeats Employee Phishing With Physical Security Keys

Google: Security Keys Neutralized Employee Phishing

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

"We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."


  • (Score: 5, Funny) by RS3 on Friday August 03 2018, @02:53PM

    by RS3 (6367) on Friday August 03 2018, @02:53PM (#716728)

    ... Reddit, a well-known social news aggravation site

    It's "aggregation" in the article, but "aggravation" is much funnier. Was that a typo or satire?

  • (Score: 3, Interesting) by Appalbarry on Friday August 03 2018, @03:20PM

    by Appalbarry (66) on Friday August 03 2018, @03:20PM (#716748) Journal

    Was I the only person who chuckled when I heard this story?

    It could only be funnier if it was 4chan

  • (Score: 0) by Anonymous Coward on Friday August 03 2018, @03:59PM

    by Anonymous Coward on Friday August 03 2018, @03:59PM (#716769)

    There was an SMS message and ... someone reddit? They used it to access a server, and when they found a database they ... reddit?

  • (Score: 2) by darkfeline on Friday August 03 2018, @08:01PM (1 child)

    by darkfeline (1030) on Friday August 03 2018, @08:01PM (#716945) Homepage

    I don't remember if I trumpeted this particular annoyance yet, but it sounds like an opportunity for another security PSA.

    SMS is not 2FA. "2FA" services like Authy are also not 2FA.

    Get a physical 2FA key. Barring that, use a trusted authenticator app.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 0) by Anonymous Coward on Sunday August 05 2018, @12:19AM

      by Anonymous Coward on Sunday August 05 2018, @12:19AM (#717369)

      The summary says they were using SMS as "an imitation of two-factor authentication."

  • (Score: 3, Interesting) by bob_super on Friday August 03 2018, @08:39PM (2 children)

    by bob_super (1357) on Friday August 03 2018, @08:39PM (#716967)

    > from the who-knew-sms-was-still-a-thing? dept.

    SMS are usually free, and compatible across just about every cellphone on the planet. They are regulated for privacy, unless someone has enough interest in you to get a judge to agree.
    Did I miss a specific reason why I shouldn't be using SMS? (don't care about encrypting messages about milk or ETAs)
    What should I use instead, which would work seamlessly with all my friends/family/customers?

    • (Score: 1, Informative) by Anonymous Coward on Saturday August 04 2018, @02:43AM (1 child)

      by Anonymous Coward on Saturday August 04 2018, @02:43AM (#717086)

      In the context of this article, SMS is tied to a phone number, not an actual phone. Something you have is the phone; the number itself? Not so much. That's more something you know rather than something you have. The number can be separated from a physical phone by a small amount of social engineering. Thus it is not acceptable for 2FA by itself.

      See SIM Hijacking as a Second Factor [soylentnews.org] for starters, and then if you wish you can find many similar articles.

  • (Score: 0) by Anonymous Coward on Sunday August 05 2018, @12:44PM

    by Anonymous Coward on Sunday August 05 2018, @12:44PM (#717497)

    It's been around for a couple of years. With older phones it isn't that hard.
    Two factor with mobile SMS is obsolete. Move on.
