Earlier this month Reddit, the Internet’s forum of forums and the 18th most popular site worldwide, let it be known that it was comprehensively hacked in mid-June this year.

The attackers were able to gain access to several Reddit employee accounts even though they were locked down using two-factor authentication (2FA). The 2FA system in this case was based on an SMS token.

We’ve never recommended using SMS as a token mechanism, preferring either hard tokens or, more recently, software-based tokens such as Gemalto’s MobilePASS.

It’s not yet clear how the system in Reddit’s case was compromised, but the likelihood seems to be a MITM (Man In The Middle) attack. I’ve written before about other vulnerabilities in the SMS system, specifically SIM/account takeover using social engineering on the carrier or airtime provider. Many other attack strategies are now in use as attackers become more capable, including even straightforward eavesdropping and browser-based attacks.

Multi Factor Authentication

Multi-factor authentication is increasingly the only thing that will seriously ensure that only your authorized users get access to your data. We have many years’ experience in designing and implementing authentication systems for SMEs and large-scale enterprises. We can provide advice and guidance to help you select and implement the best multi-factor authentication solution for your business. Please don’t hesitate to get in touch if you are considering a new 2FA solution or are in the process of reviewing or expanding your existing system.