The biggest U.S. banking breach of all time came down to the smallest of details.
The New York Times, citing sources close to the ongoing investigation of the JPMorgan data breach, said hackers found a server unprotected by two-factor authentication to break in using a stolen user name and password combination. JPMorgan disclosed in August that it was investigating a “computer hacking attack” along with the FBI and Secret Service.
The oversight exposed data belonging to an estimated 76 million consumer households and seven million businesses, and worse for the financial institution’s bottom line, neatly hurdled JPMorgan’s staggering $250 million IT security budget.
The extent of the breach was disclosed in October in a Securities and Exchange Commission (SEC) filing; JPMorgan disclosed that the hackers had made off with user contact information, including names, phone numbers and email addresses. Account numbers, passwords, user IDs, dates of birth and Social Security numbers were also at risk, but were not stolen, according to the SEC filing.
Hackers had access to close to 100 servers between June and August before security teams cut off the attackers’ access. The hacks were linked to Russian or Eastern European crime gangs.
Two-factor authentication is recommended by the Federal Financial Institutions Examination Council (FFIEC) in order to prevent fraud and data theft in cases where passwords are lost or stolen. With two-factor authentication, a user logs in with their chosen user name and password, and then must use a second form of authentication such as a software or hard token, or PIN sent to a mobile phone or landline to complete authentication to a bank account.
While two-factor isn’t foolproof, it can be enough to frustrate hackers anxious to avoid getting caught in the middle of an attack and push them on to a softer target. The JPMorgan hackers apparently found the one overlooked server and struck gold.
“Taking inventory of all network entry points and checking twice after upgrading is another way to ensure that no server or app or login gets left behind when it comes to implementing cybersecurity tools,” said a report at Duo Security, an authentication firm. “Because, what’s the point of using a security solution if it’s only implemented on part of your environment?”
The JPMorgan break-in also demonstrates, again, that hackers don’t need to drop zero-day exploits to penetrate even well-resourced enterprises.
“We know attackers pursue access through all kinds of means including phishing. We know attackers are stealing and using credentials, in particular administrative credentials or accounts,” said Trey Ford, Global Security Strategist, Rapid7. “Until companies divorce the belief that users and accounts are the same thing, and begin monitoring account usage, vigilantly searching for compromised account usage, this trend of breaches will continue.”
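The two recommendations in the article, Duo Security's inventory of every entry point so no server is left without two-factor, and Ford's call to monitor account usage for compromised credentials, can be turned into a routine check. The script below is an added example written for this page; it is not JPMorgan's, Duo's or Rapid7's tooling. The inventory, the JSON-per-line authentication log format, the hostnames and the field names (`host`, `factors`, `result`, `src`) are all constructed assumptions. It reports three things a defender would want after reading this story: servers where the second factor is not enforced, successful logins that completed with a password alone, and hosts that appear in the logs but were never inventoried at all.

```python
"""Audit MFA coverage across login endpoints and flag password-only logins.

Added illustrative code for this article; not the bank's or any vendor's tooling.
The inventory, log lines and field names below are constructed examples.
"""
import json

# Constructed inventory of externally reachable login endpoints (hypothetical).
# mfa_enforced records whether the endpoint requires a second factor.
INVENTORY = [
    {"host": "vpn-gw-1.example.test", "service": "vpn", "mfa_enforced": True},
    {"host": "mail.example.test", "service": "owa", "mfa_enforced": True},
    {"host": "legacy-app.example.test", "service": "ssh", "mfa_enforced": False},
]

# Constructed authentication events, one JSON object per line (format is an assumption).
AUTH_LOG = """\
{"ts":"2014-06-12T03:14:07Z","host":"vpn-gw-1.example.test","user":"jdoe","result":"success","factors":["password","totp"],"src":"203.0.113.7"}
{"ts":"2014-06-12T03:15:22Z","host":"legacy-app.example.test","user":"admin","result":"success","factors":["password"],"src":"198.51.100.23"}
{"ts":"2014-06-12T03:16:01Z","host":"legacy-app.example.test","user":"svc_backup","result":"failure","factors":["password"],"src":"198.51.100.23"}
{"ts":"2014-06-12T03:20:45Z","host":"mail.example.test","user":"asmith","result":"success","factors":["password","push"],"src":"203.0.113.9"}
{"ts":"2014-06-12T03:22:10Z","host":"build-01.example.test","user":"admin","result":"success","factors":["password"],"src":"198.51.100.23"}
"""


def parse_events(log_text):
    """Parse the JSON-per-line log, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def endpoints_without_mfa(inventory):
    """Hostnames in the inventory where a second factor is not enforced."""
    return sorted(e["host"] for e in inventory if not e.get("mfa_enforced", False))


def password_only_logins(log_text):
    """Successful logins that completed with the password as the only factor.

    Each hit is (timestamp, host, user, source address) so an analyst can pivot
    on the account or the source, which is where credential misuse shows up.
    """
    hits = []
    for ev in parse_events(log_text):
        if ev["result"] == "success" and ev["factors"] == ["password"]:
            hits.append((ev["ts"], ev["host"], ev["user"], ev["src"]))
    return hits


def coverage_report(inventory, log_text):
    """Combine the checks. A host that authenticates users but is absent from the
    inventory is itself a finding: an entry point nobody listed cannot have been
    covered when the second factor was rolled out."""
    known = {e["host"] for e in inventory}
    seen = {ev["host"] for ev in parse_events(log_text)}
    return {
        "no_mfa_enforced": endpoints_without_mfa(inventory),
        "password_only_success": password_only_logins(log_text),
        "unknown_hosts": sorted(seen - known),
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(INVENTORY, AUTH_LOG), indent=2))
```

Run against the constructed data, the report names the one inventoried server without MFA, the two password-only successes (one on that server, one on a host that was never inventoried), and the uninventoried host itself. In practice the inventory would be pulled from asset management or a cloud API and the log from the identity provider or SIEM, but the logic of the check does not change: coverage is measured per entry point, not per organisation.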