Interesting news today on the JPMorgan Chase hack from earlier this year. Apparently, while Chase had implemented 2FA in general, they didn’t complete the coverage on all servers and services. The attackers were simply able to steal someone’s credentials and gain access to that server to launch their internal attack.
While phishing attacks will always be a problem, banks know that the best mitigation is to use 2FA so there is no way to actually gain access without the token and the password/PIN for the account. But just as obvious is that this needs to be implemented on more than just external systems. By leaving a system available that was not updated, they provided a way in, bypassing all the benefits of 2FA.
As mentioned in this post, security is all about trade-offs, but simple, easy-to-use 2FA should be a standard part of any conversation. While it can’t prevent phishing attacks themselves, it prevents them from being useful. GreenRADIUS is a simple, secure solution for implementing 2FA, making phishing attacks a threat no more.