Remember this cyberattack on JPMorgan Chase? According to the New York Times, the intrusion might have been thwarted if the bank had installed a security fix that added two-factor authentication to an overlooked server. The attack apparently began with the simple theft of one JPMorgan employee’s login credentials, but the newspaper gives no further details as to how those credentials were stolen.
Some articles appear to be misinterpreting what the NYT said about the attack. The NYT said the breach “might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network.” Yet, the titles of certain articles like this one (“A Simple Security Oversight was Responsible for the Massive JPMorgan Chase Hack”) are making it sound like two-factor authentication was the sole and definitive factor involved. Other similar titles include “JPMorgan Cyber-Attack A Result of Neglected Server,” “JPMorgan Data Breach due to Oversight of Simple Security Fix at Entry Point: Report,” and “JPMorgan Chase was hacked due to two-factor authentication blunder.”
The body of each of these articles, all of which cite the NYT, correctly points out that the lack of two-factor authentication was only a factor in the breach rather than its direct cause, so why do these titles bother me? If the NYT is correct, then yes, it is true that if two-factor authentication had been implemented on that server, the breach might have been averted. However, this doesn’t mean that two-factor authentication (or the lack thereof) was the only cause, or even the direct cause. To say so is analogous to saying that a ship that struck an iceberg sank because its pumps failed to evacuate water fast enough. It is true that stronger pumps might have prevented the sinking, but the inadequacy of the pumps was not the direct cause of the sinking; the iceberg was.
Based on the best information available at the moment, the most direct cause of the breach was the theft of that one employee’s login credentials. This could have occurred via phishing, malware, or other means, but it was the loss of these credentials that ultimately enabled the attack. Had these login credentials not been stolen, the breach probably would not have occurred, whether or not two-factor authentication had been in place.
The larger point to take away from this incident is that security is not a magic wand that can be waved at problems to make them disappear. Two-factor authentication, for example, can help prevent attacks, and in some situations can even alert users to attempted ones, but it is not a panacea. In 2005, Schneier wrote about two ways to defeat two-factor authentication: 1) phishing combined with a man-in-the-middle attack, in which the attacker relays the victim’s one-time code to the real site before it expires, and 2) malware on the victim’s machine, which can act after the user has already authenticated. In the JPMorgan case, the incomplete rollout of two-factor authentication (the overlooked server had none) allowed compromised credentials to be used, but the credentials should not have been stolen in the first place.
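To make the two sides of this point concrete, here is an added simulation (written for this discussion, not code from the original post, from JPMorgan, or from Schneier) of a TOTP-protected login. It uses a constructed bank server, a constructed employee account with the RFC 6238 test secret, and a constructed phishing proxy. It shows that a password stolen on its own (for instance, reused from another site) is stopped by the second factor, that a real-time man-in-the-middle phishing page which relays the password and one-time code defeats it, and that the same captured code is useless once its time window has passed. All names, the secret, and the timestamp are assumptions for the example.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) over an 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the current 30-second window as counter."""
    return hotp(secret, int(now // STEP), digits)


class BankServer:
    """Constructed stand-in for a login endpoint protected by password + TOTP."""

    def __init__(self, users: dict):
        self.users = users  # username -> (password, shared TOTP secret); constructed data

    def login(self, username: str, password: str, otp: str, now: float) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        stored_password, secret = record
        if not hmac.compare_digest(stored_password.encode(), password.encode()):
            return False
        # Accept the current window and the previous one (usual clock-drift tolerance).
        counter = int(now // STEP)
        return any(hmac.compare_digest(hotp(secret, counter - d), otp) for d in (0, 1))


class PhishingProxy:
    """Real-time man-in-the-middle: a look-alike login page that records what the
    victim types and forwards it to the real server immediately."""

    def __init__(self, real_server: BankServer):
        self.real_server = real_server
        self.captured = []  # (username, password, otp, time) as typed by the victim

    def login(self, username: str, password: str, otp: str, now: float) -> bool:
        self.captured.append((username, password, otp, now))
        return self.real_server.login(username, password, otp, now)


def simulate(now: float = 1_700_000_000.0) -> dict:
    """Run the three scenarios discussed in the text against one constructed bank."""
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, used here as a constructed example
    bank = BankServer({"employee": ("Password1", secret)})
    employee_otp = totp(secret, now)  # what the employee's token shows right now

    # 1. Password reused from another site: attacker has it but has no second factor at all.
    stolen_password_only = bank.login("employee", "Password1", "", now)

    # 2. Real-time phishing: the victim types password + OTP into the proxy, which relays them.
    proxy = PhishingProxy(bank)
    relayed_in_real_time = proxy.login("employee", "Password1", employee_otp, now)

    # 3. The captured OTP replayed by the attacker after the window (and its tolerance) has passed.
    _, captured_password, captured_otp, _ = proxy.captured[0]
    replayed_later = bank.login("employee", captured_password, captured_otp, now + 3 * STEP)

    return {
        "stolen_password_only": stolen_password_only,
        "relayed_in_real_time": relayed_in_real_time,
        "replayed_later": replayed_later,
    }


if __name__ == "__main__":
    for scenario, accepted in simulate().items():
        print(f"{scenario}: {'login accepted' if accepted else 'login rejected'}")
```

The second factor blocks the credential-only scenario, which is the line of attack the NYT report describes, but the relay scenario shows why Schneier’s phishing-plus-man-in-the-middle case still works: the code is genuine and the server has no way to tell that it arrived through an attacker. Only the delay between capture and use gives the server a chance to reject it, so the attacker simply does not delay.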
According to the NYT, JPMorgan spends $250 million per year on computer security. Yet, in the end, its systems were compromised through the theft of a single employee’s login credentials. If the credentials were stolen by social engineering or by otherwise targeting the employee rather than the bank’s computer systems, it would illustrate a point Schneier made over a decade ago: “Only amateurs attack machines; professionals target people.” User education should therefore be an important part of security. If the user doesn’t know how to recognize a phishing link, for example, no amount of technical wizardry, including two-factor authentication, will be able to stop an attack.
What exactly do you mean when you say that the cause of the breach “was the theft of that one employee’s login credentials?” If the login credential that was stolen was a password, wouldn’t two factor authentication have prevented the breach? Or do you mean that the employee was the victim of a man-in-the-middle attack, where the employee provided his/her one-time password to a phishing site, which then turned around and used it to access the bank’s records? If the latter, then I agree that two factor authentication based on OTP would not have prevented the breach.
The article I cited mentions that username and password combinations were stolen from the Corporate Challenge website using a compromised certificate: http://dealbook.nytimes.com/2014/10/31/discovery-of-jpmorgan-cyberattack-aided-by-company-that-runs-race-website-for-bank/
The combinations were then tested against other sites by hackers. It sounds like someone reused the same username/password combination on two different sites; a recipe for disaster.
Just to be clear, I’m not trying to say two-factor authentication wouldn’t have helped. It might have stopped this particular line of attack. My remarks were mainly directed towards articles that made it sound like the data breach had only one cause. We simply don’t know enough about how the attack was carried out. The bank itself was reluctant to disclose details on this.
A JPMorgan spokeswoman said “the hackers were unable to go directly from the Corporate Challenge website into the bank’s network.” If not, then how did the attackers get in? It would help if we knew more about how the attack was carried out.
Ultimately, I think the New York Times got the specific issue of TFA correct: the attack might have been thwarted if TFA had been enabled. Without more information, it’s difficult to draw more conclusions.
If I’ve missed some information, please let me know in the comments.