Welcome to episode 65 of This Week Online Today, where I will be talking to you about the big online news that has been happening this week today to make sure that you are ahead of the game when it comes to running your online brand successfully.
And if you have already subscribed to the newsletter, you will also receive an exclusive bonus tip of the week to help you further about this topic.
If you haven’t, don’t miss out and make sure you subscribe to the newsletter to stay ahead of your competition.
In this episode of This Week Online Today, I talk about the following:
- The news about Reddit being hacked because of “insecure 2FA” (two-factor authentication)
- How the attacker accessed the database by intercepting SMS
- What you should think about when using SMS 2FA vs app-based 2FA
- Why 2FA is still important and you should use it
- Official statement from Reddit about the hack
- What is 2-factor authentication and why it is important
- How to make your WordPress site more secure and beat the hackers
Welcome to the This Week Online Today podcast with your host, Ahmed Khalifa. What I will be talking about is the biggest online news that has happened this week, and why you should be aware of it. And don’t forget, if you subscribe to the newsletter, you’ll also receive a bonus tip of the week on what you should do about it, and you’ll find that link in the show notes. In the meantime, let’s get straight onto the show.
That’s right, everyone. Welcome to This Week Online Today, episode 65, with your host, Ahmed Khalifa. Yet another cyber security story. It’s always happening, and it just shows that nobody is immune from it, because this time it’s the ever-popular Reddit. They have been hacked, and it just shows again, it doesn’t matter who you are. You can have the best security in place. It’s just always a problem for everyone out there, even those who have got millions of traffic every single month. Reddit had been hacked.
So it seems that it is because of an insecure two-factor authentication, and it happened back in June 2018, and the attacker has compromised some of the employees’ accounts using this so-called insecure two-factor authentication. And now you might be thinking, “What? Insecure? I thought two-factor authentication — or 2FA also known as — I thought it’s supposed to be secure. I thought you have recommended it and it should be used all the time.”
Well, for me, yes. It’s still useful. I still recommend it, but this is a story that’s a little bit different to the other kind of hacking story we’ve been hearing. And just so you’re aware, before I get any further, I still recommend it, and I come to that near to the end of the podcast, on why you should use it.
But anyway, the story is that an attacker has compromised a few of Reddit’s accounts and they’ve been intercepting the SMS 2FA verification codes. It’s a bit of a mouthful, I know. So when you are looking for these 2FA codes, you can do it with an app, you can do it with SMS, and the hackers were able to kind of spoof the phone numbers so that they can receive a text themselves which contained the verification code when you log in online.
Then they broke into the database and the data from 2007 and before, that was exposed. So if you are using the platform now, you should change your password anyway, but even more so if you were using the platform, Reddit, back in 2007 and before. You should really change your password because your email, username and password may have been exposed.
But even though the passwords tend to be protected and they tend to be encrypted using a method called cryptographic salting and hashing … it’s a way of kind of encrypting passwords. So even though that happened, it is still advised that you change your password. Now, 2FA is a good thing, but the SMS version of 2FA, where you receive the verification code on your phone via text message, it tends to be frowned upon by the security experts out there.
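To show what “salting and hashing” means in practice, here is an added example that is not from the episode or from Reddit: it stores a password as a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python’s standard library) and verifies a login attempt against it. The salt length, iteration count and storage format are choices made for this example, not anything the page states. The point for listeners is that a site holding such hashes never stores your actual password, yet a leaked hash can still be guessed against offline, which is why changing the password is still advised.

```python
# Added example (not from the episode): salted, iterated password hashing
# with PBKDF2-HMAC-SHA256, plus constant-time verification.
import base64
import hashlib
import hmac
import os

# Iteration count is a tunable work factor; this value is an assumption for
# the example, chosen so a single check costs a noticeable fraction of a second.
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt$hash.

    A fresh random salt per user means two users with the same password
    get different stored values, so one leaked hash tells nothing about
    another account.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(derived))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking, via timing, how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: the same password enrolled for two users.
    record_a = hash_password("correct horse battery")
    record_b = hash_password("correct horse battery")
    print(record_a)
    print(record_b)
    print("different salts -> different hashes:", record_a != record_b)
    print("login ok:", verify_password("correct horse battery", record_a))
    print("wrong password:", verify_password("correct horse batterz", record_a))
```

The stored string carries its own salt and iteration count, so the work factor can be raised later for new records without breaking old ones.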
Compared to when you get the codes … you know, a one-time code using apps like Google Authenticator or another one called Authy — I don’t know how you pronounce it — they’re the ones that give you what is called a Time-based One-Time Password. The short way of saying it is TOTP because it’s time-based one-time password, and that tends to be recommended most of the time, whereas using SMS for the verification code is kind of, as they say by Reddit and everyone else … it’s kind of an insecure way of doing it because there have been a growing number of attacks using these kinds of methods where there’s a thing called SIM swapping.
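To make the difference concrete, here is an added example, not from the episode and not the code of Google Authenticator or Authy: the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) implemented with Python’s standard library. The secret below is the published RFC test secret, used only so the output can be checked against the known vectors; a real enrolment shares a random secret once via the QR code. The point is that the app computes the code from the secret and the clock, so no code is ever sent over the phone network and there is nothing for a SIM swap to intercept.

```python
# Added example (not from the episode): time-based one-time passwords as an
# authenticator app derives them, plus the server-side verification step.
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    # The counter is an 8-byte big-endian integer.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, submitted: str, for_time: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating clock drift of +/- `window` steps.

    The comparison is constant-time so response timing does not reveal
    how many digits of a guess were right.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


# RFC 6238 test secret (ASCII "12345678901234567890"). Real deployments use a
# random secret of at least 160 bits that never leaves the two devices.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # At T = 59 s the 30-second step counter is 1, so TOTP equals HOTP(1).
    print(totp(RFC_SECRET, 59))                              # 287082 (RFC vector)
    print(verify_totp(RFC_SECRET, "287082", for_time=59))   # True
    print(totp(RFC_SECRET))                                  # what an app shows right now
```

Both sides hold the same secret and the same clock, so the only traffic is the six digits you type in; a code is valid for one 30-second step (plus whatever drift window the server allows), which is why it cannot be reused later.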
It’s a fraud technique that hackers have used over the years, and the problem is that … what they do is, the attackers, they call up your phone network and they pretend to be you and somehow, along the way, they manage to convince the staff to transfer the control of the victim’s phone number to the hacker. So that means, if you are using the SMS 2FA all the time, then you’re going to be passing on all the details to the hackers, who receive it on their phone.
So that’s the thing, it’s like, it has a bit of a negative reputation. It’s still used today and it’s still … you know, companies use it, which, I prefer they don’t use it. So if you have an option of choosing either the SMS or an app, I would use an app. It’s a more secure way of doing it, and whatever app you’re using, make sure you protect that on top of it, so you open the phone with a lock, protect that app as well, and make sure you open that app with a lock as well. It’s just another way to level up your security.
So the company, Reddit, they’ve released a statement, and you can read it. I put the link in the show note, but the main sentence that they have said is that, “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.” And that’s it. It’s just the way it was, and it seemed like the staff members, they’ve had their SMS intercepted somehow. Who knows?
So, because of that, the hackers got access to a lot of things, including the source codes and all the internal logs of the website and the configuration files, and even the documents and files on the website as well. So it’s all these sensitive data, and it’s because of something that you thought is a good thing, but you know what? Maybe it’s not the best way to protect your account.
So, as I said earlier, I still recommend it, using 2FA. You don’t give up on 2FA just because of this news. It’s the same story that I hear all the time. For example, when you hear about the Tesla car or any of these kinds of automated driving cars, if it has been involved in a crash, it’s a small, small percentage compared to how many miles they have tested. Yet you have all these car crashes happening all the time from human beings, and they’re the ones who have caused a lot of problems, but people still do it.
Yet, when people see that automatic car has crashed maybe once out of God knows how much, then people will jump up and say, “Oh my God! It’s not safe. You should ban it.” I don’t think that’s the case, and it’s the same thing with 2FA.
This story said, “Oh, it’s insecure.” It’s not insecure; it’s just another way of using SMS 2FA. It’s just not the best way. You can still use 2FA. And on top of that, it’s just about making it very, very difficult for the attackers to access your details. It’s not always hack-proof. There’s no such thing as being completely, 100% hack-proof. It just doesn’t exist because any method can kind of make you vulnerable. For example, clicking on the wrong link that looks legit.
So it’s not about preventing attacks completely because that’s almost impossible, and if that worries you, well, that’s kind of the world we live in. If that worries you, then maybe you should just never use websites ever again, never go online again, and I don’t know how that is possible now, but just, that’s how it works. So nothing’s hack-proof, but it’s about limiting them. It’s about making it as difficult as possible for the hackers to attack.
Let’s just say, if a hacker is right there beside you and says, “I’m going to attack the database and I’m going to access your account,” would you feel more comfortable if you have just a standard password that you’ve used different places, or would it be better for you if you have a strong, unique password and you’re using 2FA, two-factor authentication? You know, that’s making it access secure as well and that’s another level, so I’d rather have the latter. I’d rather be access secure.
Yeah, it takes time to set up, number one, and it requires a few extra seconds for you to log in because not only do you use your email address and then your password, but you need the code as well. But it’s a few seconds of extra time to process it. I think that’s worth it. I think, just to have a higher level of defence, it’s worth spending an extra few seconds to just log in. It’s totally worth it.
Even if it’s not guaranteed, you’re still making it very, very difficult for the hackers to kind of get into your account, and you know what? There are a lot of people out there who don’t really take it seriously. They don’t really think about creating that level of defence, which is making the difficult possible, and that’s mad. That’s crazy.
So, despite all the stories, despite the news about this so-called “insecure 2FA,” I will still use it. I will still recommend it. I’ve mentioned it before, many times, and I’m going to link to a post in the show note again, which I recommend that you read, about why it’s important and how you can set yourself up with that. Do it. Trust me. It’s really, really important.
So to round it up, Reddit, they got hacked, but it doesn’t mean that you should not do what’s recommended, which is to use 2FA amongst many other things. Use a password manager, use strong, unique passwords, make sure you click on the right links in the email and don’t click on anything dodgy. Be aware of using public WiFi; anybody can kind of snoop in. All these kinds of things as well. I hope that makes sense. I hope that helps because it’s really, really important to me, the whole area of cyber security to protect yourself online.
I hope that helps. Thank you for listening and I’ll see you next time. Take care.
Thank you for listening to this episode of This Week Online Today. I really do appreciate it, and I hope you find it useful. If you have enjoyed the shows, please do leave a review on iTunes. It would mean the world to me. I really would appreciate that. Thank you again.
You rock. And one more thing: I’d just like to remind you to do your thing because it matters, and I’ll see you next week.