JPMorgan Chase Breach: 83 Million Records Breached by Lack of Two Factor
The New York Times DealBook, citing its sources, reported that the JPMorgan Chase breach over the summer, which affected 76 million households and 7 million businesses, was caused by a single oversight - the lack of two-factor authentication on one of the bank's servers.
As the article stated, “the largest intrusion of an American bank to date might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network.” Although the company reports a cybersecurity budget of $250 million annually, and they’ve reported doubling that in remediation, the simple and very affordable implementation of two-factor authentication wasn’t in place at the time of the attack.
The Federal Financial Institutions Examination Council (FFIEC) recommends two-factor authentication in its guide, Supplement to Authentication in an Internet Banking Environment (PDF), to protect financial institutions and banking activity from exactly this type of attack, in which intruders, armed only with a username and password, gained access to nearly a hundred servers on JPMorgan's network.
As NYTimes.com emphasizes, the initial fears (as always, when a breach is first reported in the media) were that a "very sophisticated" attack had hit the bank. But, as in nearly every major public breach, the hackers simply found a way to steal a password - something that could happen to any organization, big or small. And, as in nearly every breach reported in the media, the only question anyone seems to care about is who did it (usually some international state-sponsored cyberterrorist supreme).
But honestly, it really doesn’t matter who did it - chances are, anyone could do it. It doesn’t take a lot of technical skill to send a phishing email or social engineer your way to a pair of administrator credentials. The best line of defense is just that - defend yourselves proactively by putting basic security in place. It doesn’t take millions of dollars or fancy equipment or training, and it’s as easy as using an app on your smartphone to protect servers, apps, databases, sensitive data and more.
While Reuters and the Times are referring to the technology as "double-factor" or "dual passwords," or, as FastCompany.com reports, a "two-step protocol," it's important from a security perspective to point out that the second factor of authentication should be delivered over a different channel than the first (known as out-of-band authentication). The FFIEC recommends it to protect against malware attacks:
Out-of-band authentication means that a transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., telephone) in order for the transaction to be completed. Out-of-band authentication is becoming more popular given that customer PCs are increasingly vulnerable to malware attacks.
One example is the use of a mobile app that delivers the second form of authentication via a push notification, or a one-time passcode sent to the user's phone via SMS. Learn more about the different authentication methods available with two-factor authentication.
<gr_insert after="9" cat="add_content" lang="python" orig="One example is the use">
To make the FFIEC definition concrete, here is an added example (not code from the original post or from any vendor) of the server side of an out-of-band check: a transaction initiated on channel one (the web session) is held until a one-time passcode delivered over an assumed independent channel (`send_to_phone`, a stand-in for SMS or push) is presented back, bound to that exact transaction, single-use, and time-limited.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # how long a delivered passcode stays valid
MAX_ATTEMPTS = 3         # wrong guesses allowed before the challenge is discarded


@dataclass
class PendingChallenge:
    user: str
    transaction: str    # what the user initiated over the first channel (web)
    code_hash: bytes    # only a hash of the passcode is kept server-side
    expires_at: float
    attempts: int = 0


class OutOfBandVerifier:
    """Toy server-side verifier; send_to_phone(user, transaction, code) is an assumed
    hook that delivers the passcode over the independent channel (SMS, push, voice)."""

    def __init__(self, send_to_phone, now=time.time):
        self.send_to_phone = send_to_phone
        self.now = now              # injectable clock so expiry can be tested
        self.pending = {}

    def begin(self, user, transaction):
        """Channel one: user requests a transaction; we generate and deliver a passcode."""
        code = f"{secrets.randbelow(10**6):06d}"          # six-digit one-time passcode
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = PendingChallenge(
            user, transaction, hashlib.sha256(code.encode()).digest(),
            self.now() + CODE_TTL_SECONDS)
        self.send_to_phone(user, transaction, code)       # goes out over channel two
        return challenge_id

    def complete(self, challenge_id, user, transaction, code):
        """Channel one again: the passcode comes back; accept only if it matches this
        user, this exact transaction, is unexpired, and has not already been used."""
        ch = self.pending.get(challenge_id)
        if ch is None or ch.user != user or ch.transaction != transaction:
            return False   # code is bound to the transaction it was issued for
        if self.now() > ch.expires_at:
            del self.pending[challenge_id]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.pending[challenge_id]
            return False
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), ch.code_hash)
        if ok:
            del self.pending[challenge_id]   # single use: a replayed code is rejected
        return ok
```

Binding the passcode to the transaction text is what defeats malware that silently alters the amount or destination after the user has approved it; a bare "enter your code" prompt does not.
<test>
sent = []
clock = [1000.0]
v = OutOfBandVerifier(lambda u, t, c: sent.append((u, t, c)), now=lambda: clock[0])

cid = v.begin("alice", "wire $500 to acct 1234")
assert len(sent) == 1 and sent[0][0] == "alice" and sent[0][1] == "wire $500 to acct 1234"
code = sent[0][2]
assert len(code) == 6 and code.isdigit()

# same code presented for a tampered transaction is rejected
assert v.complete(cid, "alice", "wire $5000 to acct 1234", code) is False
# wrong code is rejected but does not yet exhaust the challenge
assert v.complete(cid, "alice", "wire $500 to acct 1234", "000000") in (False,)
# correct code for the original transaction is accepted exactly once
assert v.complete(cid, "alice", "wire $500 to acct 1234", code) is True
assert v.complete(cid, "alice", "wire $500 to acct 1234", code) is False
assert cid not in v.pending

# expiry: a passcode older than CODE_TTL_SECONDS is refused
cid2 = v.begin("alice", "login")
clock[0] += CODE_TTL_SECONDS + 1
assert v.complete(cid2, "alice", "login", sent[1][2]) is False
assert cid2 not in v.pending

# attempt limit: too many wrong guesses discards the challenge
cid3 = v.begin("bob", "login")
for _ in range(MAX_ATTEMPTS):
    assert v.complete(cid3, "bob", "login", "999999") is False
assert v.complete(cid3, "bob", "login", sent[2][2]) is False
assert cid3 not in v.pending
</test>
</gr_insert>
<gr_replace lines="10-10" cat="clarify" orig="Taking inventory">
Taking inventory of all network entry points, and checking twice after any upgrade, is another way to ensure that no server, app or login gets left behind when rolling out cybersecurity tools. Because what's the point of a security solution if it's only implemented on part of your environment?
Taking inventory of all network entry points and checking twice after upgrading is another way to ensure that no server or app or login gets left behind when it comes to implementing cybersecurity tools. Because, what’s the point of using a security solution if it’s only implemented on part of your environment?