It’s what may have stopped Apple’s iCloud photo dump in September. It’s what technology veteran Steven Sinofsky suggests would have fortified Sony Entertainment. And now, a lone JPMorgan Chase server lacking two-factor authentication may have provided the entry point for hackers to gain unprecedented entry into the private networks of the largest bank in the United States.
As we reported in October, a privacy breach discovered in July compromised the bank accounts of 83 million JPMorgan Chase customers, spilling out customer names, addresses, phone numbers, and email addresses. No social security numbers or financial data was said to be compromised.
On Tuesday, the New York Times reported that a lone overlooked server in its gigantic network was the root of the problem, according to sources briefed on the investigations who chose not to have their identities revealed. While the bank spends $250 million on computer security every year, hackers were able to procure the login credentials for a single JPMorgan employee.
The attack should have been thwarted there, however: JPMorgan and other banks typically use two-factor authentication—which requires a second, spontaneously generated password to log in to a system—to protect their networks. The hackers in this case, though, were able to identify a server that had not been upgraded to a two-step protocol, and used their login credentials to gain access.
As I’ve reported previously, what makes the intrusion so scary is banks are among our most heavily fortified institutions. Never mind movie studio gossip and awful movies. If banks aren’t immune to sophisticated hacking schemes, who is?
“The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization on the planet,” Steve Hultquist, chief evangelist at RedSeal Networks, told Fast Company in October. “They are well aware of both the defenses necessary and the importance of protecting against concerted, automated attacks.”
[h/t: New York Times]