Earlier this month Reddit, the Internet's forum of forums and the 18th most popular site world-wide, let it be known that it was comprehensively hacked in mid-June this year.
The attackers were able to gain access to several Reddit employee accounts even though they were locked down using two-factor authentication (2FA). The 2FA system in this case was based on an SMS token.
We've never recommended using SMS as a token mechanism, preferring either hard tokens or, more recently, software-based tokens such as Gemalto's MobilePASS.
It's not yet clear how the system in Reddit's case was compromised, but the likelihood seems to be a MITM (Man In The Middle) attack. I've written before about other vulnerabilities in the SMS system, specifically SIM/account takeover using social engineering on the carrier or airtime provider. There are now many other attack strategies in use as attackers become more capable; these include even straightforward eavesdropping and browser-based attacks.