Other Voices

August 28, 2014

Don’t blame Russian hackers for lax security

Often, the breach comes when people fall for phishing scams.

“Russian hacker attack” is turning into a meaningless meme that travels from news site to news site every time there is a security breach of serious magnitude.

The current victims are JPMorgan and four other banks, and the Federal Bureau of Investigation and other federal agencies are looking into the Russian connection.

The hackers’ motive appears to be retaliation for Western financial sanctions, rather than filthy lucre. Who knows, they may even be in the employ of the Russian government — yet from the point of view of U.S. companies, that is irrelevant.

Blaming all serious cyber-attacks on the Russians or Chinese is at this point like accusing the rain when you leave the window open.

Doing so shifts attention to shady characters with funny accents and away from where it belongs: on the company employees or contractors at fault.

Sometimes these people act consciously, as National Security Agency contractor Edward Snowden did; mostly they have what is known as a low phishing IQ.

A phishing IQ is a person’s ability to determine whether a link in an email message is legitimate or a lure; clicking on a lure may result in a hacker takeover of the person’s computer.

According to Dell SonicWALL, the test’s designers, 6.1 billion phishing emails with fake links go out worldwide every month. My private and corporate mailboxes are full of them.

If I click on the email link, and especially if I supply my credentials, some hacker somewhere will do some simple checks on me and get access to my other accounts, especially if I use the same password for several sites.

Alternatively, my click will download a malware program to my computer and hackers will use it to steal information, send out spam and run denial of service attacks.

Corporate systems often include safeguards against phishing. Here at Bloomberg, for example, links to unknown sites will only open in a special, secure browser and some sites won’t open at all.

A secure site will prevent any malware from getting into the corporate network, but it will still let negligent users give away their credentials by entering them into phishing sites.

The simple rule of thumb is never to follow an emailed link, no matter who it appears to come from. If you are alarmed or acutely interested, go directly to your account at the service that may or may not have emailed you.

Apparently, someone at JPMorgan Chase & Co. did not follow that rule. The Wall Street Journal reports that “hackers appear to have originally breached JPMorgan’s network via an employee’s personal computer.”

Leonid Bershidsky is a Bloomberg View contributor based in Berlin.
