The tone of this article was really, like, interrupted by a prolific use of "likes."
I wish it were so simple to hand-wave all security risks. Mr. Levine's ability to find a MySQL tutorial was quite impressive, but his dismissal of very real security concerns is childish. It's like saying cars are known to crash, so quit crashing cars. It's so, like, simple!
I love reading Matt Levine's writing; I enjoy the humorous tone. A bit of Louis CK for the financial world. But I didn't get that he was dismissing the security concerns. I read it as he was dismissing the idea that some aspects of the hacking could have been more easily thwarted. For example, two-factor authentication is a relatively straightforward protection. Now he may have been underselling how complex it is to implement, but I would have to agree that items like two-factor authentication are relatively straightforward tools at this point.
2 factor authentication has nothing to do with this, though, and would do absolutely nothing to protect against this occurrence or similar ones. 2 factor authentication is great in certain situations... but only when your code is operating correctly. If someone has achieved arbitrary code execution (even if only at the SQL layer) it's game over. 2FA won't save you.
I think you got distracted from the point by all the likes. Granted, they make it easy to get distracted.
The thrust of the article seems to be that it was the people in charge of these myriad wire systems who were disregarding the security risks, demonstrably to their detriment. As he states:
"But I feel like part of it has to be that the people in charge of those databases, like me until today, had a disenchanted view of the financial world. These systems didn't hold the nuclear launch codes. They held press releases -- documents that, by definition, would be released publicly within a few days at most. Speed, convenience and reliability were what mattered, not top-notch security."
... which is essentially the refrain for every major, embarrassing security breach: speed, convenience, and reliability trump security concerns.
We have year after year of examples of innocuous systems being compromised to form elaborate weapons (at a seemingly increasing rate year-over-year), but security is still not a maximum priority. And the reasons are as Levine notes: speed, convenience, and reliability over security.
The gist is that he, knowing absolutely nothing about security, could figure out the exploit.
His finance audience doesn't want to know the details of the security problems, nor do they need to. However, it's valuable for them to realize how this information is just sitting around on a company DB for anyone who can Google "SQL injection" to steal.
I appreciated the tone of the article. I found it very easy to read. Though I agree the "likes" were a bit over the top. There were several times he used "like" and I mentally paused as if it were a comma only to realize he was using the word to compare two things.