The simple way JPMorgan got hacked

Posted by Ian Kar on December 23, 2014

The JPMorgan hack that took place earlier in the year was one of the biggest data breaches in history -- affecting 83 million household and small business accounts. But, according to the New York Times, the breach could have been easily avoided. 

The Times reports that JPMorgan failed to update a network server to two-factor authentication -- an added security layer that generates a second, one-time, password and is usually sent to an email address or a mobile phone. The method is widely used by financial institutions and technology companies like Google, Apple, Twitter, and Facebook.

While JPMorgan maintains no fraud has occured because of the hack, millions of customers still lost sensitive personal data. 

Without two-factor authentication, hackers gained access to the login and password information for an employee at the bank, and then used that to enter JP Morgan's network. Two-factor authentiation would usually stop the hackers before they could enter the network. In fact, similar attacks were launched against other banks, says the NYT, but were thwarted because they had this additional security layer. 

It seems that JPMorgan is "embarrassed" by the oversight, which makes sense. Adding two-factor authentication is a simple upgrade for most IT divisions. This just shows how important compliance and due dilligence is for companies -- especially for financial instutions, which are under heavy scrutiny when it comes privacy and security.

At Trustev we have spent a lot of time on compliance, to gain ISO 27001 certification, and it's tedious. A lot of lockdown and hoops to jump through, with two-factor authentication everywhere. But it's worth it, especially with an area as sensitive as antifraud technology.

Testing security protocols is usually tedious work, but the benefits outweigh the potential headaches that come if you don't take the time to test your systems. JPMorgan is doing that now, looking throughout its security systems for flaws. However, the damage is already done and the company has already lost the trust of millions of customers. 

When it comes to security, it's better to be safe than sorry.

Topics: fraud, banking, hacking