SMS-based 2FA the Culprit in Reddit’s Data Breach
Another day, another data breach, as social news aggregation platform Reddit just announced it was breached. With the GDPR regulations in effect, more organizations are quickly reporting breaches and investigating their causes to avoid stiff penalties. The latest breach affecting Reddit demonstrates the dangers of using SMS for two-factor authentication.
Reported in Krebs on Security, Reddit said it learned on June 19 that between June 14 and 18 an attacker compromised several employee accounts at its cloud and source code hosting providers by intercepting SMS-based two-factor authentication. Reddit said the exposed data included internal source code as well as email addresses and concealed passwords for all Reddit users who registered accounts on the site prior to May 2007.
The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.
The National Institute of Standards and Technology (NIST) has warned about using SMS as a form of two-factor authentication because of vulnerabilities as an out-of-band factor in multi-factor authentication environments. There’s a better way to authenticate users and it starts with virtual and physical smart cards or keys that use cryptographic keys either stored on the card or in the Trusted Platform Module (TPM).
And, large organizations, including Google, are taking notice. Our last blog noted a Google spokesperson confirmed that since the Internet giant began using smart keys in early 2017, none of its 85,000 employees have succumbed to a phishing attack. Phishing attacks are those in which the perpetrator attempts to lure someone into providing information that makes it easier for the hacker to get into that user’s system – such as a password or other log-in details. When users also must have a secondary means of egress into the system, such as a one-time code, physical security card or smart key, hackers have a much more difficult time.
It’s clear that not all two-factor authentication methods are created equal and the need to eliminate SMS for two-factor authentication has been well noted. Versasec supports the most two-factor authentication cards and keys in the industry. For more information about our partners and how we manage their smart cards and keys, visit https://versasec.com/smart-cards.php. It’s time to use more secure methods than SMS to protect your organizations’ and customers’ data.
By Joakim Thorén, CEO Versasec