Hackers Entered JP Morgan Network Through Simple Security Hole

1 comment

The cyberattack at JP Morgan in August could have been prevented by a simple security update: adding two-factor authentication to one of its servers that didn’t have the added security layer, according to the New York Times.

“The oversight is now the focus of an internal review at JPMorgan that seeks to identify whether there are any other unguarded holes in the bank’s vast network, several of the people briefed on the matter said, adding that, internally, the episode is seen as an embarrassment,” the Times said in its report. “The relatively simple nature of the attack — some details of which have not been previously reported — puts the breach in a new light.”

The attack was originally reported to affect about 76 million customers and small businesses. The number has reached 83 million and hackers received access to sensitive customer data, although no widespread fraud has been seen yet.

“The bank maintains that the damage to customers was limited to the theft of email passwords, home addresses and phone numbers,” according to the NYT. It is still not known where the attack originated.

Two-factor authentication is a simple security measure that can thwart many attacks. Just having a stolen password is not enough when this measure is in place since a second one-time password is needed to gain access. Hackers stole an employee password at JP Morgan and had simple two-factor authentication been installed on all servers, this could have been prevented.

When the WHIR reported on the cyberattack in October, we spoke to security expert Andrew Avanessian, EVP of Avecto Consultancy & Technology Services. He said then that simple security measures likely could have prevented the attack and that there are generally commonalities between the kinds of breaches at companies like JP Morgan, Target and Home Depot.

Implementing simple security measures such as two-factor authentication, administrative privileges and blocking all programs that aren’t whitelisted takes care of most potential security holes. These are among some of the suggestions made by the Council on Cybersecurity.

Protecting customer data has always been important, but now possibly even more so. Earlier in December, a Minnesota US District court judge ruled that Target can be sued for negligence due to the 2013 security breach. Several banks that want to file suit against the company for the malware incident scored a victory when the judge sided with them. This ruling sets a precedent that could put service providers at great risk if they don’t take every possible measure to protect customer data.

“A large part of the problem, security experts say, is that it has become nearly impossible for banks of JPMorgan’s size to secure their networks, particularly as they integrate the networks of companies they acquire with their own,” said the Times article. “This has been a particular headache at JPMorgan, where it is still not uncommon for the name ‘Bank One’ — a lender JPMorgan merged with a decade ago — to pop up in a web URL.”

This indicates simply being a large organization is not necessarily an advantage, and may actually be a disadvantage when it comes to cybersecurity. In May, the New York State Department of Financial Services released a report stating that financial institutions of all sizes experienced attempted or actual intrusions over the past three years.

Security breaches are on the rise this year with several major companies experiencing hacks of varying severity using a variety of methods. JP Morgan, Kmart, Dairy Queen, Home Depot, Xbox, ICANN and Sony have all been the target of hacks designed to obtain sensitive data.

Turnover may also affect the security of an institution. The attacks at JP Morgan came after the bank’s chief information security officer left earlier this year along with other top security specialists, leaving the security team short on leadership for months. JP Morgan just hired Greg Rattray to fill this position in June.

Add Your Comments

  • (will not be published)

One Comment

  1. DoktorThomas™

    Not only is JP not your kind of bank, but contrary to empty advertising they obviously don't care about anyone's security except their own. It would be a cold day in Hell, MI before I'd go to JPM for anything. Check out: http://demonocracy.info/infographics/usa/derivatives/bank_exposure.html (no association, no financial benefit) and see JPM's 1.77 trillion dollar (uncovered) exposure. Big banks are not where you want your money--well, actually you should not want US (fiat) money, you should demand real wealth in your transactions. With friends like big banks, who needs enemies? The The Federal Reserve, The Treasury department, the US fed.gov are all playing Russian roulette with your future. Nothing they say is factual and their fiscal assurances are all empty. In the end, they have collectively put The People's wealth on the hook for their extravagances, while living big--real big. Nothing has changed from past irregularities and unsoundness; the US is bankrupt (the debt, which Senators and Congressman are not personally responsible for, far exceeds the value of all property held by the citizens--the quintessential definition of bankrupt). That has not changed and the idiots in D.C. continue to spend like it is someone else's money without regard to commonsense nor sound fiscal policy. They are spending trillions and trillions while not funding important infrastructure and other citizen important issues--no (faux) global warming is not one of the issues; that is a back door attack on citizens to increase your tax load while "not increasing taxes", just like the unAffordable Care Act (socialistic grab of more than 16% of economy by the fed.gov). In short, politicians, all politicians, are playing you, The People, for a fool. Perhaps, based on your lack of attention, you deserve what is coming ... ... ... ... ©2014 DoktorThomas™. All rights reserved. This material may not be used, published, broadcast, rewritten, paraphrased, forwarded, nor redistributed without written permission. All statutory use exemptions/exceptions specifically revoked by author. Protected by Amendment, Federal law and international treaty. For educational use only--not intended as legal, medical, accounting, tax, financial or other advice; for readers to use as such violates TOS and may entail imposition of financial penalty and other sanctions. Limited license granted for this one exclusive use on thewhir.com.