SMS-based 2FA the Culprit in Reddit's Data Breach

Date: 2018-08-06
Author: Joakim Thorén, CEO

Another day, another data breach, as social news aggregation platform Reddit just announced it was breached. With the GDPR regulations in effect, more organizations are quickly reporting breaches and investigating their causes to avoid stiff penalties. The latest breach affecting Reddit demonstrates the dangers of using SMS for two-factor authentication.

As reported by Krebs on Security, Reddit said it learned on June 19 that, between June 14 and 18, an attacker compromised several employee accounts at its cloud and source code hosting providers by intercepting SMS-based two-factor authentication. Reddit said the exposed data included internal source code as well as email addresses and concealed passwords for all Reddit users who registered accounts on the site prior to May 2007.

The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.

The National Institute of Standards and Technology (NIST) has warned against using SMS as a form of two-factor authentication because of its vulnerabilities as an out-of-band factor in multi-factor authentication environments. There’s a better way to authenticate users, and it starts with virtual and physical smart cards or keys that use cryptographic keys stored either on the card or in the Trusted Platform Module (TPM).

And large organizations, including Google, are taking notice. Our last blog post noted that a Google spokesperson confirmed that, since the Internet giant began using smart keys in early 2017, none of its 85,000 employees have succumbed to a phishing attack. Phishing attacks are those in which the perpetrator attempts to lure someone into providing information that makes it easier to get into that user’s system, such as a password or other log-in details. When users must also present a secondary means of entry into the system, such as a one-time code, physical security card or smart key, hackers have a much more difficult time.

It’s clear that not all two-factor authentication methods are created equal, and the need to eliminate SMS for two-factor authentication has been well noted. Versasec supports the most two-factor authentication cards and keys in the industry. For more information about our partners and how we manage their smart cards and keys, visit Virtual Smart Cards. It’s time to use more secure methods than SMS to protect your organization’s and customers’ data.

Tags: two-factor, authentication, gemalto, cybersecurity, real-time phishing, phishing, google, nist, sms, otp.

