Reddit Urges Users To Switch To Token-Based Authentication

The CyberPrivacy Brief:

  • The security incident disclosed Wednesday by social media network Reddit confirms how attackers can intercept the text messages that SMS-based two-factor authentication uses to deliver a unique code, and so compromise accounts.
  • Impacted user data includes email addresses and a 2007 database backup that had old salted and hashed passwords.
  • Attackers also had read access to storage systems, including Reddit source code, internal logs, configuration files and other employee workspace files.

“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said in its announcement. “We point this out to encourage everyone here to move to token-based [two-factor authentication].”

For years, security researchers have said that phone authentication apps or hardware tokens that generate a One-Time Password (OTP) in addition to the traditional credentials may be a more secure method of authentication than SMS-based authentication, which can be hijacked, giving attackers access to accounts.


Further Reading:

Side-Channel Attacks on the Yubikey 2 One-Time Password Generator
