JPMorgan Chase hack due to missing 2-factor authentication on one server

JPMorgan Chase was among five banks that were reported to have been hacked earlier this year, and details have emerged on how the hack took place.

When news first broke in August, it was believed that a zero-day Web server exploit was used to break into the bank’s network. Now, however, The New York Times is reporting that the entry point was much more mundane: a JPMorgan employee had their credentials stolen.

This shouldn’t have been a problem. JPMorgan uses two-factor authentication, meaning that a password alone isn’t sufficient to log in to a system. Unfortunately, for an unknown reason one of the bank’s servers didn’t have this enabled. It allowed logging in with username and password alone, and this weak point in the bank’s defenses was sufficient for hackers to break in and access more than 90 other servers on the bank’s network.