BreachExchange mailing list archives

JPMorgan data breach likely due to basic security lapse


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 24 Dec 2014 20:10:33 -0700

http://www.todayonline.com/tech/jpmorgan-data-breach-likely-due-basic-security-lapse

The computer breach at JPMorgan Chase earlier this year — the largest
intrusion into a United States bank to date — might have been thwarted if
the bank had installed a simple security fix to an overlooked server in its
vast network, said people who have been briefed on internal and outside
investigations into the attack.

Big corporations such as JPMorgan spend millions — US$250 million (S$331
million) in the bank’s case — on computer security every year to guard
against increasingly sophisticated attacks such as the one on Sony
Pictures. But the weak spot at JPMorgan appears to have been a very basic
one, the people said. The attack against the bank began last spring, after
hackers stole login credentials, these people said. Still, the attack could
have been stopped there.

Most big banks use a double authentication scheme, known as two-factor
authentication, which requires a second one-time password to gain access to
a protected system. But JPMorgan’s security team had apparently neglected
to upgrade one of its network servers with the dual password scheme, the
people briefed on the matter said. That left the bank vulnerable to
intrusion.

The oversight is now the focus of an internal review at JPMorgan that seeks
to identify whether there are any other unguarded holes in the bank’s vast
network, several of the people briefed on the matter said.

The relatively simple nature of the attack puts the breach in a new light.
In August, when Bloomberg News first reported on the attack, which
ultimately compromised account information for 83 million households and
small businesses, the bank’s security experts and the Federal Bureau of
Investigation feared a sophisticated adversary. It is not known where the
attack originated.

The bank maintains that the damage to customers was limited to the theft of
email passwords, home addresses and phone numbers. “These criminals
accessed customer contact information, but no account information,” said Ms
Patricia Wexler, a bank spokesperson. “We have seen no evidence of fraud as
a result of this.”

The revelation that a simple flaw was at issue may help explain why several
other financial institutions that were targets of the same hackers were not
affected nearly as much. To date, only two other institutions have suffered
some kind of intrusion, but those breaches were said to be relatively minor
by people briefed on the attacks.