Would Two-Factor Authentication (2FA) Have Saved John Podesta’s Emails?

Two-Factor Everything
Nov 2, 2016

Over the past several weeks, I’ve heard different versions of this question a hundred times, and every security person I follow has taken the opportunity to remind everyone to turn on two-factor auth.

But the short answer is: probably not.

Two-factor authentication makes logins much safer. I work on building 2FA because it is an incredibly important security tool, and nothing here changes my full endorsement of 2FA. You should go turn on 2FA today, especially for your emails.

But, while 2FA protects against a lot of different kinds of attack, John Podesta’s emails were compromised by a phishing attack, and it probably would have worked even if he had 2FA turned on.

We know that he was phished because the email that phished his Gmail account was included in the leak (talk about swagger).

In a phishing attack, the user gets an email that looks like it’s from Google but is really from the attacker. In this case, Podesta got an email from no-reply@accounts.googlemail.com with the subject line “Someone has your password” and a link to change his password. The link goes to a web page that looks like a Google password reset form but is actually the attacker’s website. When the user types their password into that form, it is submitted to the attacker, not to Google.

If you’re ever suspicious of an email, always check the URLs of the email address and the links!
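The check above can be automated on the receiving side. The script below is an added example (not from the original post): it pulls every link out of an HTML email body and flags any whose real destination is not on an allowlist of expected hosts, or whose visible text is a URL on a different host than the one it actually points to (the classic lure). The allowlist, the sample email and the attacker host in it are constructed for this example; the attacker host is a placeholder, not a real indicator.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts we would accept for a genuine Google password-reset link.
# This allowlist is an assumption for the example; adapt it to the provider you expect.
TRUSTED_SUFFIXES = ("google.com",)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    # Exact match or a subdomain of a trusted suffix; 'accounts-google.example' does NOT qualify.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_links(html_body: str) -> list:
    """Return one finding per suspicious link: untrusted destination, or
    visible URL text whose host differs from the real destination host."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        shown = text.strip()
        reasons = []
        if not is_trusted_host(dest):
            reasons.append(f"destination host {dest!r} is not a trusted host")
        if shown.startswith(("http://", "https://")) and host_of(shown) != dest:
            reasons.append(f"link text shows {host_of(shown)!r} but points to {dest!r}")
        if reasons:
            findings.append({"href": href, "text": shown, "reasons": reasons})
    return findings


# Constructed sample body modelled on the "Someone has your password" lure described above.
# The first link is what a genuine notice might contain; the second is the phishing link.
SAMPLE_EMAIL = """
<p>Someone has your password.</p>
<p>Review your security settings: <a href="https://myaccount.google.com/security">Security checkup</a></p>
<p>Change your password now:
<a href="https://accounts-google.example/reset">https://myaccount.google.com/signinoptions/password</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Only the second link is reported, and for two independent reasons: the destination is off the allowlist, and the text shown to the reader names a host that the link does not go to. Either reason alone is enough to treat the message as suspicious.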

In basic phishing attacks, the attacker is sending emails with phishing links to tons of people all at once and then storing all of the passwords that they collect to sell or use later. Since 2FA codes expire, users with 2FA are protected against these attacks.

However, in a more sophisticated attack (like the one that would target a high profile person like John Podesta), an attacker can also get the target’s 2FA code and then use it to log in immediately. If they’re clever, they can also redirect their target back to the real Gmail site when they’re done and make it look like the target simply mis-typed their password.
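Why timing is the whole difference between the two cases can be shown with a small TOTP verifier. The code below is an added example, not code from the original post: it implements the RFC 4226 HOTP / RFC 6238 TOTP computation with the usual 30-second step and a tolerance of one step either way, then asks whether a code captured at one moment still verifies when it is presented later. The shared secret and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept codes one step before/after "now", to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, now: int, window: int = WINDOW) -> bool:
    """Server-side check: the code must match one of the steps in [now-window, now+window].
    compare_digest keeps the comparison constant-time."""
    counter = now // STEP
    return any(
        hmac.compare_digest(code, hotp(secret, counter + d))
        for d in range(-window, window + 1)
    )


def replay_outcome(secret: bytes, captured_at: int, used_at: int) -> bool:
    """Would a code captured from the user at `captured_at` still verify at `used_at`?"""
    return verify(secret, totp(secret, captured_at), used_at)


# Constructed secret for the demo; a real enrolment uses a random secret of 160 bits or more.
SECRET = b"constructed-demo-secret"

if __name__ == "__main__":
    now = int(time.time())
    for delay in (0, 5, 50, 120):
        print(f"code relayed after {delay:3d}s still valid: {replay_outcome(SECRET, now, now + delay)}")
```

A code relayed within the step tolerance (here, up to roughly a minute) verifies; one that sits in a stolen-password dump for minutes or longer does not. That is exactly the gap between the bulk attack, which 2FA defeats, and the real-time attack, which it does not. Codes typed into a web page can always be relayed this fast; only an origin-bound second factor, where the browser signs the site's actual origin rather than a number the user copies over, closes that gap.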

It’s possible that John Podesta just happened to get caught by a broad, basic attack which turned into a big deal because of his status, but it’s more likely that the person who sent this email knew who they were sending it to and was capable of the more sophisticated attack. If that’s true, he still should have had 2FA turned on, but it wouldn’t have kept his email safe.

So the moral of this story is still that you should turn on 2FA for your email, but also that phishing is a really dangerous and effective attack.

Two-Factor Everything
usually thinking about what it’s like to be people on the internet — director of product at twitter — married to @ericajoy — he/him