
Industry News

Bank Security Breach Leads to a Hacker’s Roadmap

Update from Dealbook/NYTimes.com:

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.

JPMorgan Chase & Co. reports another data breach, this one affecting 76 million households and 7 million small and medium-sized businesses, according to PCWorld.com.

While no financial or account data was accessed, personally identifiable information (PII) was accessed, including names, addresses, emails and phone numbers. They report that changing your password is unnecessary (although it couldn’t hurt), and that they haven’t seen unusual amounts of fraud connected to the breach as of yet.

A few months ago, JPMorgan Chase customers were also targeted in a phishing campaign of 150,000 emails that sought to steal credentials by redirecting users to a spoofed web login, in addition to exploiting common application vulnerabilities to install malware on user machines. For more on that, read JPMorgan Chase Hack: Four Ways to Steal Your Credentials.

While much of the investigation is still underway and few details have been released, a NYTimes.com article states that overseas hackers accessed more than 90 bank servers, starting in June of this year.

Although financial data is safe for now, the article points out that the hackers made off with an inventory and roadmap of the bank’s internal applications and the programs that run its infrastructure, which is the first step in mapping out a massive attack. Armed with that list, attackers can look up known vulnerabilities in exactly the software and versions the bank runs, rather than probing blindly, which is obviously worrisome.

That means it’s possible this was just a recon mission to scope the scene and get an idea of what they’re up against. It’s also possible they could be selling off this information to bidders; a hacker’s roadmap is considered a valuable asset in the stolen data market.

The Wall Street Journal also reports that “several people familiar with the investigation and bank security said the data accessed appears to be related to J.P. Morgan’s marketing functions rather than its banking operations.” Meaning, they also could be gearing up for another massive phishing email campaign, using the email addresses and contact info they accessed.

ATM, Wire Transfers & Online Banking Security

Other attacks on banks and financial information include attacks on ATMs, ranging from physical card skimmers to using default passwords and publicly-available ATM operating manuals to reach the operator’s mode of the machine with administrative rights. Read more about this in Hard-Coded & Default Passwords: Gateway for Massive Attacks.

Several lawsuits against banks have involved unauthorized wire transfers of large amounts of money, alleging that the banks didn’t have the security controls for online banking required by the FFIEC (Federal Financial Institutions Examination Council), including two-factor authentication for certain banking activity.

That activity includes sensitive communications, high-dollar value transactions or privileged user access, like that of network administrators. Specifically, single-factor authentication, or just the use of a username and password isn’t considered secure enough for these actions. Learn more in Two-Factor Authentication for Bank Wire Transfers.

Common banking Trojans that steal credentials include Zeus and Neverquest. Phishing attacks lead to their installation; once running, they watch for financial terms and banking sites in the URLs users type into their browsers, then relay the captured login info back to the attackers’ command and control (C&C) server.

Attackers can also remotely control the user’s computer using VNC (Virtual Network Computing), a desktop sharing system that allows them to log into banking sites, transfer money, change login credentials, write checks and more.

Because the attacker is operating from the user’s own login and machine, this activity is hard to distinguish from the legitimate user’s. One way to combat it is transaction-level two-factor authentication, which alerts the user on their smartphone, with the details of the transfer, whenever someone tries to move money. The user can then reject the fraudulent attempt and report it to their bank or administrators through the two-factor solution. Find out more in The Current State of Online and Mobile Banking Security.
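The following is an added example, written for this page and not code from Duo, JPMorgan Chase or any product mentioned above, that models why transaction-level approval defeats the VNC scenario: the bank pushes its own copy of the transfer details to an enrolled phone, the phone's approval is an HMAC over exactly those details (bound to a per-transaction nonce) under a key that only the phone holds, and the server executes nothing without a valid approval. Account names, amounts, the `Transfer` layout and the user's "only approve my utility payee" decision rule are all constructed for illustration.

```python
"""Transaction-level two-factor approval, modelled in Python (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int


def canonical(t: Transfer) -> bytes:
    """Fixed encoding of the details the user sees and the server verifies."""
    return f"{t.from_account}|{t.to_account}|{t.amount_cents}".encode()


class Phone:
    """Enrolled second factor. Its key never touches the (VNC-controlled) PC."""

    def __init__(self, key: bytes, decide):
        self.key = key
        self.decide = decide  # the user reads the prompt and returns True/False

    def on_push(self, nonce: bytes, shown: Transfer):
        if not self.decide(shown):
            return None  # user taps "deny"; a real app would also offer "report fraud"
        return hmac.new(self.key, nonce + canonical(shown), hashlib.sha256).digest()


class BankServer:
    def __init__(self):
        self.device_keys = {}   # user -> key shared with the enrolled phone
        self.pending = {}       # tx_id -> (user, transfer, nonce)
        self.ledger = []
        self.fraud_reports = []

    def enroll_device(self, user: str, key: bytes):
        self.device_keys[user] = key

    def request_transfer(self, user: str, transfer: Transfer):
        """Called from the browser session, which may be attacker-driven over VNC.
        Returns what gets pushed out-of-band: the server's copy of the details,
        not whatever the browser rendered."""
        tx_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.pending[tx_id] = (user, transfer, nonce)
        return tx_id, nonce, transfer

    def complete_transfer(self, tx_id: str, approval) -> str:
        user, transfer, nonce = self.pending.pop(tx_id)
        if approval is None:
            self.fraud_reports.append(transfer)
            return "denied"
        expected = hmac.new(self.device_keys[user], nonce + canonical(transfer),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, approval):
            return "invalid"  # forged or replayed approval
        self.ledger.append(transfer)
        return "executed"


def run_scenarios():
    """Constructed scenarios: legitimate payment, VNC-driven transfer, forged approval."""
    alice_key = secrets.token_bytes(32)
    bank = BankServer()
    bank.enroll_device("alice", alice_key)
    # Alice approves only transfers to the payee she actually expects to see.
    alice_phone = Phone(alice_key, decide=lambda t: t.to_account == "ACME-UTILITIES")

    results = {}
    # 1. Alice pays her utility bill from her own browser.
    tx, nonce, shown = bank.request_transfer("alice", Transfer("alice-chk", "ACME-UTILITIES", 12_500))
    results["legit"] = bank.complete_transfer(tx, alice_phone.on_push(nonce, shown))
    # 2. Attacker drives Alice's logged-in browser over VNC; the push shows the mule account.
    tx, nonce, shown = bank.request_transfer("alice", Transfer("alice-chk", "MULE-4471", 950_000))
    results["vnc"] = bank.complete_transfer(tx, alice_phone.on_push(nonce, shown))
    # 3. Attacker tries to "approve" from the PC without the phone's key.
    tx, nonce, shown = bank.request_transfer("alice", Transfer("alice-chk", "MULE-4471", 950_000))
    forged = hmac.new(b"guessed-key", nonce + canonical(shown), hashlib.sha256).digest()
    results["forged"] = bank.complete_transfer(tx, forged)
    return results, bank


if __name__ == "__main__":
    outcome, server = run_scenarios()
    print(outcome, "ledger:", len(server.ledger), "fraud reports:", len(server.fraud_reports))
```

The important design choice is that the approval covers the server-side transfer details and a fresh nonce, so a man-in-the-browser that swaps the destination account after the user clicks "send" cannot reuse an approval the user gave for a different payee, and a VNC operator cannot approve anything from the compromised PC because the key lives only on the phone. Per-transaction approval is not a substitute for login-time two-factor; it closes the gap that remains once the attacker is already inside a valid session.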

JPMorgan Chase has released a cyber security advisory to customers that assures them their money is safe, as they are not liable for any unauthorized transactions to their accounts that they report in a timely fashion.