A Server Lacking Two-Step Verification Provided Entry Point For JPMorgan Chase Breach

Hackers were able to exploit a lone vulnerable server in the bank’s $250 million security system.

[Photo: Flickr user Prayitno]

Two-factor authentication.

It’s what may have stopped Apple’s iCloud photo dump in September. It’s what technology veteran Steven Sinofsky suggests would have fortified Sony Entertainment. And now, a lone JPMorgan Chase server lacking two-factor authentication may have provided the entry point for hackers to gain unprecedented entry into the private networks of the largest bank in the United States.

As we reported in October, a privacy breach discovered in July compromised the bank accounts of 83 million JPMorgan Chase customers, spilling out customer names, addresses, phone numbers, and email addresses. No social security numbers or financial data was said to be compromised.

On Tuesday, the New York Times reported that a lone overlooked server in the bank's gigantic network was the root of the problem, according to sources briefed on the investigations who chose not to have their identities revealed. While the bank spends $250 million on computer security every year, hackers were able to procure the login credentials for a single JPMorgan employee.

The attack should have been thwarted there, however: JPMorgan and other banks typically use two-factor authentication—which requires a second, spontaneously generated password to log in to a system—to protect their networks. The hackers in this case, though, were able to identify a server that had not been upgraded to a two-step protocol, and used their login credentials to gain access.

As I’ve reported previously, what makes the intrusion so scary is that banks are among our most heavily fortified institutions. Never mind movie studio gossip and awful movies. If banks aren’t immune to sophisticated hacking schemes, who is?

“The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization on the planet,” Steve Hultquist, chief evangelist at RedSeal Networks, told Fast Company in October. “They are well aware of both the defenses necessary and the importance of protecting against concerted, automated attacks.”

About the author

Chris is a staff writer at Fast Company, where he covers business and tech. He has also written for The Week, TIME, Men's Journal, The Atlantic, and more.
