2 thoughts on “What Really Caused the JPMorgan Chase Breach?”

  1. What exactly do you mean when you say that the cause of the breach “was the theft of that one employee’s login credentials?” If the login credential that was stolen was a password, wouldn’t two factor authentication have prevented the breach? Or do you mean that the employee was the victim of a man-in-the-middle attack, where the employee provided his/her one-time password to a phishing site, which then turned around and used it to access the bank’s records? If the latter, then I agree that two factor authentication based on OTP would not have prevented the breach.

    1. The article I cited mentions that username and password combinations were stolen from the Corporate Challenge website using a compromised certificate: http://dealbook.nytimes.com/2014/10/31/discovery-of-jpmorgan-cyberattack-aided-by-company-that-runs-race-website-for-bank/

      The combinations were then tested against other sites by hackers. It sounds like someone reused the same username/password combination on two different sites; a recipe for disaster.

      Just to be clear, I’m not trying to say two-factor authentication wouldn’t have helped. It might have stopped this particular line of attack. My remarks were mainly directed towards articles that made it sound like the data breach had only one cause. We simply don’t know enough about how the attack was carried out. The bank itself was reluctant to disclose details on this.

      A JPMorgan spokeswoman said “the hackers were unable to go directly from the Corporate Challenge website into the bank’s network.” If not, then how did the attackers get in? It would help if we knew more about how the attack was carried out.

      Ultimately, I think the New York Times got the specific issue of TFA correct: the attack might have been thwarted if TFA had been enabled. Without more information, it’s difficult to draw more conclusions.

      If I’ve missed some information, please let me know in the comments.
