Remember this cyberattack on JPMorgan Chase? According to the New York Times, the intrusion may have been thwarted if the bank had installed a security fix that provided two-factor authentication to an overlooked server. The attack apparently began with the simple theft of the login credentials of a JPMorgan employee, but the newspaper gives no further details as to how those credentials were stolen.
Some articles appear to be misinterpreting what the NYT said about the attack. The NYT said the breach “might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network.” Yet, the titles of certain articles like this one (“A Simple Security Oversight was Responsible for the Massive JPMorgan Chase Hack”) are making it sound like two-factor authentication was the sole and definitive factor involved. Other similar titles include “JPMorgan Cyber-Attack A Result of Neglected Server,” “JPMorgan Data Breach due to Oversight of Simple Security Fix at Entry Point: Report,” and “JPMorgan Chase was hacked due to two-factor authentication blunder.”
The body of each of these articles, all of which cite the NYT, correctly points out that the lack of two-factor authentication was only a factor in the breach, rather than its direct cause, so why do these titles bother me? If the NYT is correct, then yes, it is true that if two-factor authentication had been implemented on that server, the breach may have been averted. However, this doesn’t mean that two-factor authentication (or the lack thereof) was the only cause, or even the direct cause. To say so is analogous to saying that a ship that had struck an iceberg sank because its water pumps failed to evacuate water fast enough. It is true that stronger pumps may have prevented the sinking, but the inadequacy of the pumps was not the direct cause of the sinking; the iceberg was.
Based on the best information available at the moment, the most direct cause of the breach was the theft of that one employee’s login credentials. This could have occurred via phishing, malware, or any number of other causes, but it was the loss of these credentials that ultimately enabled the attack. Had these login credentials not been stolen, the breach probably would not have occurred, whether or not two-factor authentication had been in place.
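The “overlooked server” in this story is a coverage problem: the bank had two-factor authentication, but not everywhere that stolen credentials could be used. The following is an added example, not code from the original post or from JPMorgan, showing one way a defender can reconcile an authentication inventory against login logs to surface hosts that were never enrolled and successful logins that used a password alone. The inventory records, the key=value log format, the field names (`host`, `exposure`, `auth_methods`, `factors`) and the factor names are all constructed for this example and are not any vendor’s schema.

```python
"""Added example: find authentication endpoints that lack a second factor,
including ones missing from the inventory entirely (the "overlooked server").
All data and field names below are constructed assumptions for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    host: str
    exposure: str            # assumed vocabulary: "internet" or "internal"
    auth_methods: frozenset  # factors the login endpoint accepts


# Assumed names for factors that count as a real second factor.
SECOND_FACTORS = frozenset({"totp", "hardware_token", "push"})

# Constructed inventory: what the security team believes is deployed.
INVENTORY = [
    Server("vpn-main", "internet", frozenset({"password", "totp"})),
    Server("mail-web", "internet", frozenset({"password", "push"})),
    Server("build-01", "internal", frozenset({"password"})),
]

# Constructed authentication log in an assumed key=value format.
# Note "vpn-legacy": it accepts logins but appears nowhere in INVENTORY.
AUTH_LOG = """\
2014-06-01T08:02:11Z host=vpn-main user=alice result=success factors=password,totp
2014-06-01T08:05:40Z host=vpn-main user=bob result=failure factors=password
2014-06-01T09:17:03Z host=vpn-legacy user=alice result=success factors=password
2014-06-01T09:18:55Z host=build-01 user=carol result=success factors=password
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) factors=(?P<factors>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["factors"] = frozenset(event["factors"].split(","))
        events.append(event)
    return events


def inventory_gaps(inventory):
    """Hosts in the inventory that accept no second factor, internet-facing first."""
    gaps = [s for s in inventory if not (s.auth_methods & SECOND_FACTORS)]
    gaps.sort(key=lambda s: (s.exposure != "internet", s.host))
    return [s.host for s in gaps]


def overlooked_hosts(inventory, events):
    """Hosts that authenticate users but were never recorded in the inventory."""
    known = {s.host for s in inventory}
    return sorted({e["host"] for e in events} - known)


def password_only_successes(events):
    """(host, user) pairs where a login succeeded without any second factor."""
    return sorted(
        (e["host"], e["user"])
        for e in events
        if e["result"] == "success" and not (e["factors"] & SECOND_FACTORS)
    )


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    print("inventory hosts without a second factor:", inventory_gaps(INVENTORY))
    print("hosts seen in logs but not in inventory:", overlooked_hosts(INVENTORY, events))
    print("successful password-only logins:", password_only_successes(events))
```

The log-side checks matter more than the inventory check: an inventory only lists what someone remembered to enroll, while the authentication logs show every endpoint that is actually accepting credentials. The `vpn-legacy` record is the case this post is about, a server that works fine and therefore never draws attention until a stolen password is replayed against it.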
The larger point to take away from this incident is that security is not a magic wand that can be waved at problems to make them disappear. Two-factor authentication, for example, can be helpful in preventing and even alerting users to potential attacks in certain situations, but it is not a panacea. In 2005, Schneier wrote about two ways to defeat two-factor authentication: 1) phishing combined with a man-in-the-middle attack and 2) malware. In the JPMorgan case, the incomplete deployment of two-factor authentication allowed compromised credentials to be used, but the credentials should not have been stolen in the first place.
According to the NYT, JPMorgan spends $250 million per year on computer security. Yet, in the end, its systems were compromised due to the theft of a single employee’s login credentials. If the credentials were stolen by social engineering or somehow targeting the employee as opposed to the bank’s computer systems, it would illustrate a point Schneier made over a decade ago: “Only amateurs attack machines; professionals target people.” Thus, user education should be an important part of security. If the user doesn’t understand how to recognize a phishing link, for example, no amount of technical wizardry, including two-factor authentication, will be able to stop an attack.