A Thing
The Green SheetGreen Sheet

Friday, October 10, 2014

JPMorgan breach gets complicated

First it was reported that the recent JPMorgan Chase & Co. data breach was limited to JPMorgan. Then it came out that the breach may have targeted a few other big banks. Now it is being widely reported that the hack may have targeted 13 other financial institutions (FIs) as well, including Citigroup Inc., HSBC Bank USA N.A. and E*Trade Financial Corp. The source of the attack is apparently still unknown.

In the case of the JPMorgan breach, customer information pertaining to 76 million households and 7 million small businesses was compromised, according to an 8-K filing the bank made to the U.S. Securities and Exchange Commission on Oct. 2, 2014. JPMorgan claimed that the data compromise, which reportedly began the previous June and only came to light in July, was limited to names, addresses, phone numbers, and email addresses, and did not include financial account details, such as Social Security and credit card numbers, or the user IDs and passwords that would provide online access to those details.

On the Chase.com website, JPMorgan provided cardholders with further information about the breach, noting that the compromise affected its online banking portals, Chase.com and JPMorganOnline, as well as its mobile apps, ChaseMobile and JPMorgan Mobile. The fraudsters also compromised "internal Chase data used in connection with providing or offering services, such as the Chase line of business the user is affiliated with," JPMorgan said.

The bank is not offering its customers credit/identity theft monitoring because of its claim that no financial information was breached. Both the FBI and the U.S. Secret Service are investigating the incident.

Growing in sophistication

Most of the recent big breaches have occurred at national retailers like Target Corp. and Home Depot Inc. But the JPMorgan breach, with its tentacles extending to other FIs, highlights a troubling aspect of the data breach threat landscape – that even the largest and most technologically sophisticated financial services firms are not immune.

Michele Borovac, Vice President at cloud-control company HyTrust, is not surprised by the size and scope of the breach. "Data is the new currency, and clever thieves have figured out how to breach the perimeter security measures most companies have relied on," she said. "These breaches continue to show similarities to those experienced by Target and Home Depot: hackers gain access to privileged administrator accounts and then can continue on as 'authorized' users, allowing them to bypass traditional detection systems and gain unfettered access to data."

Hackers are able to gain access to networks by doing their research. "Typically, targeted attacks take a multipronged approach where the attackers go after numerous points of entry," said Adam Kujawa, Head of Malware Intelligence at the research arm of the anti-malware firm Malwarebytes. "For example, they will gain intelligence on the physical and digital presence of the target’s servers and any kind of entry way through a direct or indirect route."

Hackers then conduct intelligence gathering activities to target individual servers or unwilling accomplices to finagle their way into systems. Kujawa said fraudsters may dupe a company contractor to infect a system with malware loaded onto a USB thumb drive.

"At the same time, they may take a different approach in going after employees by utilizing social engineering tactics to either infect the employee’s personal systems or by convincing the employee that the attacker is actually an official of the targeted company," Kujawa added. "This can result in the employee giving up credentials or even unwillingly infecting the target network with backdoor malware to give the attacker a way in."

Getting defensive

According to Martin Walter, Senior Director at cybersecurity firm RedSeal Networks, another problem facing the retail and financial services industries is that hackers have time and money to plan and execute attacks, while IT departments are always on the defensive. "This confronts customers with a catch 22 situation in which the IT department has to be agile and quickly respond to demands of the changing business landscape, but at the same time, maintain airtight network security in a growingly complex IT infrastructure," he said.

As the JPMorgan breach and related incidents showcase, fraudsters are also able to replicate successful attacks. "As the recent broadside of attacks across multiple financial companies shows, attackers find one weapon, then quickly re-use it, target after target, looking for anyone who has left that specific defensive gap," said Dr. Mike Lloyd, Chief Technology Officer at RedSeal Networks. "This forces defenders to coordinate – both externally, sharing information between erstwhile competitors, and even internally, since any weakness anywhere in the organization can be found and exploited in minutes."

Walter believes the solution to the data breach onslaught involves network segmentation to limit fraudsters' wiggle room if they do get inside a system. Borovic added a piece of advice that seems oddly fitting for the increasingly complicated task of securing systems – that businesses should assume that they have already been breached.

"To defend themselves, companies need to realize the attackers are already inside their networks, and introduce new strategies to control, authorize and contain the breadth of what a privileged insider can do," Borovic said. end of article

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2022 2021 2020 2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing