Three Breaches Two-Factor Authentication May Have Blocked

April 28, 2015//SecureLink

Last Updated: May 30, 2018

Two-factor authentication should have been enabled on Tesla, Slack, and JP Morgan systems
Misused credentials are at the heart of several highly publicized breaches. It’s critical to have policies and procedures around managing network credentials – for both employees and third-party vendors. However, managing credentials is only part of the battle. Identifying an authentication method that is appropriate for your company is critical to network security. Enabling some multi-factor authentication process is necessary to ensure lost or stolen credentials don’t bring the house down. Two-factor authentication is quickly becoming the standard for many enterprises.

Two-factor authentication requires the presentation of two independent authentication factors. These components could be something the user has in their possession (key fob), something they know (password) or some physical characteristic of the user (fingerprint).

As an example, SecureLink requires (1) an authorized email address and password, and (2) a unique access key emailed directly to the user. This second factor of authentication ensures the technician is still employed by the vendor, since a typical policy is to immediately remove a terminated employee from corporate email access.
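The two-step check described above can be sketched as follows. This is an added example, not SecureLink's code: the account store, the 10-minute key lifetime, and the function names `start_login` and `finish_login` are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

KEY_TTL_SECONDS = 600  # assumed validity window for an emailed access key
_SALT = b"constructed-salt"  # per-user random salts in a real store


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)


# Constructed sample account store: authorized email -> password hash.
USERS = {"tech@vendor.example": _hash_password("correct horse")}
# Pending second factors: email -> (SHA-256 of access key, expiry time).
_pending: dict[str, tuple[bytes, float]] = {}


def start_login(email: str, password: str, now: float | None = None) -> str | None:
    """Factor 1 (something known). On success, issue a one-time access key.

    The key is returned only so the example runs offline; a real service
    would send it to `email` and return nothing to the caller.
    """
    now = time.time() if now is None else now
    stored = USERS.get(email)
    # Hash and compare even for unknown emails to keep timing uniform.
    matches = hmac.compare_digest(_hash_password(password), stored or bytes(32))
    if stored is None or not matches:
        return None
    key = secrets.token_urlsafe(16)
    _pending[email] = (hashlib.sha256(key.encode()).digest(), now + KEY_TTL_SECONDS)
    return key


def finish_login(email: str, key: str, now: float | None = None) -> bool:
    """Factor 2 (control of the mailbox): key is single-use and time-limited."""
    now = time.time() if now is None else now
    record = _pending.pop(email, None)  # pop: one attempt per issued key
    if record is None:
        return False
    digest, expires = record
    if now > expires:
        return False
    return hmac.compare_digest(hashlib.sha256(key.encode()).digest(), digest)
```

Because the key only ever reaches the corporate mailbox, a technician whose email access has been removed can pass the password check but never completes `finish_login`.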

We’ve seen a number of breaches in the past couple of years. Let’s take a look at some that could have been prevented by enabling two-factor authentication.

Tesla: How Tesla’s site, app, and Twitter feeds were attacked via AT&T

by Thomas Fox-Brewster (Forbes)

Over the weekend, Tesla’s site and a number of its Twitter profiles were hacked, including one belonging to co-founder Elon Musk. The famous car brand has released details of what went down, which included some sneaky social engineering on behalf of the hackers, who abused AT&T customer support. The FBI appears to have been brought in too.

Whilst visitors to the site would have noticed something odd, as they were redirected to a site apparently belonging to a hacker crew called “AutismSquad”, with some offensive sexual references to the breach, some drivers would have noted the hack too, as the Tesla Model S mobile app was also affected. The hackers were seemingly just mischief-makers. The page users were redirected to contained Twitter addresses belonging to people claiming not to have taken part in the attack, and on the hacked Tesla Twitter feed were promises of free cars to anyone who called a number, again belonging to someone who claimed to know nothing of the breach.

Full article

JP Morgan: Two-factor authentication oversight led to breach

by Lucian Constantin (ComputerWorld)

The attackers who stole information about 83 million JPMorgan Chase customers earlier this year gained a foothold on the company’s network because a server reportedly lacked two-factor authentication.

The attackers stole the login credentials of a JPMorgan employee and were able to access the server, despite the company’s practice of using two-factor authentication on most of its systems, the New York Times reported citing unnamed sources familiar with the internal and external investigations at JPMorgan.

Two-factor authentication combines the use of static passwords with one-time-use access codes generated by physical hardware devices or mobile apps.

The JPMorgan security team apparently neglected to deploy two-factor authentication on one of the company’s many servers, leading to the absence of a security layer that might have otherwise prevented the attack, The New York Times reported.

Following the initial intrusion, the attackers were eventually able to gain access to more than 90 servers at the bank, but didn’t manage to steal sensitive financial information before they were detected and blocked in August.

The attackers were able to compromise names, addresses, phone numbers and email addresses, along with information about which line of business the customers were affiliated with, JPMorgan said on its site in October.

Full article

Slack hack: A lack of preparedness?

by Tara Seals (InfoSecurity)

Slack, which was started by Flickr founder Stewart Butterfield in 2013, is a chat app for businesses that replaces intra-office email. It’s on many levels an aggregator, and plugs into other services like Twitter, Skype, GitHub and Dropbox. Companies like eBay, Sony, Yelp and NBCUniversal all use it to get things done among teams. It also continues to work on its video and voice functions to expand user engagement with the app.

Slack said that an intrusion in February that lasted about four days allowed hackers to obtain access to user names, email addresses and passwords, and any other information that users may have optionally added to their profiles to integrate with other services, like Skype IDs and phone numbers. No financial or payment information was accessed or compromised.

“Now Slack users are left wondering if their personal information was stolen and how they might be affected,” said iboss Cybersecurity CEO Paul Martini, in an email. “This further highlights the need for all organizations—both startups and established companies—to invest in post–infection software that can quickly identify security breaches and prevent valuable data theft.”

In the wake of the incident, Slack has released two-factor authentication and a kill-switch. The password kill-switch for team owners allows for both instantaneous team-wide resetting of passwords and forced termination of all user sessions for all team members (which means that everyone is signed out of your Slack team in all apps on all devices).

Full article
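A kill-switch of the kind described in the excerpt above can be built on a per-team session epoch, as in this added example. It is not Slack's implementation: the `Team` class, the in-memory stores, and the sample team are constructed for illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Team:
    members: set[str]
    session_epoch: int = 0  # bumped by the kill switch
    must_reset: set[str] = field(default_factory=set)


# Constructed sample data: one team, two members.
TEAMS = {"acme": Team(members={"ana", "raj"})}
# Session token -> (team name, user, team epoch when the session was issued).
SESSIONS: dict[str, tuple[str, str, int]] = {}


def open_session(team_name: str, user: str) -> str | None:
    """Issue a session unless the user still owes a password reset."""
    team = TEAMS[team_name]
    if user not in team.members or user in team.must_reset:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (team_name, user, team.session_epoch)
    return token


def session_is_valid(token: str) -> bool:
    """A session is honoured only if it was issued in the current epoch."""
    entry = SESSIONS.get(token)
    if entry is None:
        return False
    team_name, _user, epoch = entry
    return epoch == TEAMS[team_name].session_epoch


def kill_switch(team_name: str) -> None:
    """Team owner action: end every session and force every password reset."""
    team = TEAMS[team_name]
    team.session_epoch += 1  # one write invalidates all devices at once
    team.must_reset = set(team.members)


def complete_password_reset(team_name: str, user: str) -> None:
    """Called after the user has set a new password (not modelled here)."""
    TEAMS[team_name].must_reset.discard(user)
```

Checking the epoch on every request is what makes the sign-out immediate: no per-session cleanup has to finish before stolen sessions stop working.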
