The Green Sheet Online Edition

October 27, 2014  •  Issue 14:10:02


JPMorgan breach gets complicated

First it was reported that the recent JPMorgan Chase & Co. data breach was limited to JPMorgan. Then it came out that the breach may have targeted a few other big banks. Now it is being widely reported that the hack may have targeted 13 other financial institutions (FIs) as well. The source of the attack is apparently still unknown.

In the JPMorgan breach, customer information pertaining to 76 million households and 7 million small businesses was compromised, according to an 8-K filing the bank made to the U.S. Securities and Exchange Commission on Oct. 2, 2014. JPMorgan claimed that the data compromise, which reportedly began the previous June and only came to light in July, was limited to names, addresses, phone numbers, and email addresses, and did not include financial account details, such as Social Security and credit card numbers, or the user IDs and passwords that would provide online access to those details.

On the Chase.com website, JPMorgan provided cardholders with further information about the breach, noting that the compromise affected its online banking portals, Chase.com and JPMorganOnline, as well as its mobile apps, ChaseMobile and JPMorgan Mobile. The fraudsters also compromised "internal Chase data used in connection with providing or offering services, such as the Chase line of business the user is affiliated with," JPMorgan said.

The bank is not offering its customers credit/identity theft monitoring because of its claim that no financial information was breached. Both the FBI and the U.S. Secret Service are investigating the incident.

Growing in sophistication

Most of the recent big breaches have occurred at national retailers like Target Corp. and Home Depot Inc. But the JPMorgan breach, with its tentacles extending to other FIs, highlights a troubling aspect of the data breach threat landscape – that even the largest and most technologically sophisticated financial services firms are not immune.

Michele Borovac, Vice President at cloud-control company HyTrust, is not surprised by the size and scope of the breach. "Data is the new currency, and clever thieves have figured out how to breach the perimeter security measures most companies have relied on," she said. "These breaches continue to show similarities to those experienced by Target and Home Depot: hackers gain access to privileged administrator accounts and then can continue on as 'authorized' users, allowing them to bypass traditional detection systems and gain unfettered access to data."

Adam Kujawa, Head of Malware Intelligence at the research arm of the anti-malware firm Malwarebytes, said, "Typically, targeted attacks take a multipronged approach where the attackers go after numerous points of entry. For example, they will gain intelligence on the physical and digital presence of the target’s servers and any kind of entry way through a direct or indirect route."

Hackers then conduct intelligence gathering activities to target individual servers or unwilling accomplices to finagle their way into systems.

Getting defensive

According to Martin Walter, Senior Director at cybersecurity firm RedSeal Networks, another problem facing the retail and financial services industries is that hackers have time and money to plan and execute attacks, while IT departments are always on the defensive. "This confronts customers with a catch 22 situation in which the IT department has to be agile and quickly respond to demands of the changing business landscape, but at the same time, maintain airtight network security in a growingly complex IT infrastructure," he said.

Fraudsters are also able to replicate successful attacks. "As the recent broadside of attacks across multiple financial companies shows, attackers find one weapon, then quickly re-use it, target after target, looking for anyone who has left that specific defensive gap," said Dr. Mike Lloyd, Chief Technology Officer at RedSeal Networks. "This forces defenders to coordinate – both externally, sharing information between erstwhile competitors, and even internally, since any weakness anywhere in the organization can be found and exploited in minutes."

Walter believes the solution to the data breach onslaught involves network segmentation to limit fraudsters' wiggle room if they do get inside a system. Borovac added a piece of advice: businesses should assume that they have already been breached.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
