How often do you use Reddit to check the weirdest and most wonderful news on the web?
Last week the vast message-boarding and news aggregation site reported a data breach on user and employee passwords, exposing the weaknesses of two-factor authentication (2FA) based on text messages.
Reddit admitted its systems were breached, despite using the fail-safe two-factor authentication, with a spokesperson saying: “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs.”
The site recommended moving to token-based 2FA, encouraging all users and other websites to do the same to prevent further breaches of this kind.
While many security firms advocate 2FA to protect your systems, the SMS authentication certainly needs further investigation if it is to be continued as a method attached to secure log-ins.
But let’s get the facts straight first:
Two-factor authentication is a two-step verification process that adds an extra layer of security: logging in requires not only a username and password but also a second factor tied to that specific user – usually things like an email address, a unique password, the answer to a personal question or a mobile phone number.
Two-factor authentication, in any form, is much better than just single factor. However, of the various forms of authentication available, SMS is the most vulnerable to breach and exploit.
Many large companies, including multi-billion pound corporations and banks, still use SMS as a form of 2FA, as not everyone has access to a smartphone.
Unfortunately, there’s no real “fix” to the problem of SMS authentication, as it’s not a weakness in the code per se – the message was intercepted as it was sent.
When sending out secure data, UKFast does support SMS 2FA. However, we encourage people to use token-based authentication using an application like Google Authenticator. This is an option you can select in the Security section of MyUKFast.
For an added layer of security, we also allow users to restrict access to their MyUKFast account by IP address.
Looking at the Reddit breach in a more positive light, the stolen passwords were hashed and salted, which meant that hackers had quite a challenge on their hands and were unlikely to recover them. However, it would be wise for all users to change their passwords with urgency.
Both UKFast and Reddit recommend using strong passwords or phrases in order to halt hackers in their tracks. Read our top passphrase tips to prevent a breach to your security measures.
Speak to a UKFast security expert about your solution at UKFast today.