Investigation started to determine cause of oversight

Dec 23, 2014 10:40 GMT

The cyber-attack targeting JPMorgan Chase bank this summer that impacted 76 million households and seven million small businesses was possible because two-factor authentication (2FA) was not enabled on one of the servers in the network, new details in the investigation reveal.

JPMorgan Chase is a financial institution known to spend huge amounts on the security of its infrastructure and the information it holds. However, it appears that the entry point in the attack disclosed by the media in August was a single server that did not have 2FA enabled.

Lack of server 2FA support was an oversight

The attack vector is nothing out of the ordinary: the attackers managed to get their hands on the login credentials of one employee, which gave them the opportunity to explore the network and devise methods to move silently across it.

2FA is a simple security measure that requires the user to provide a second, temporary code in addition to the regular username and password pair in order to access an account. The code is generally delivered to a physical device in the user's possession and entered in the login interface.

According to The New York Times, the failure to upgrade that specific server was an oversight that is currently being investigated internally by the bank.

Prior to this finding, it was believed that a zero-day vulnerability had been used to gain access to the protected systems, which included more than 90 servers. This was based on the fact that other financial institutions hit in the same period showed signs of intrusion consistent with leveraging a previously unknown security bug.

Customer financial info was not exposed

Even though the attackers managed to take advantage of a basic flaw and spent two months inside the network of JPMorgan Chase, they were not able to compromise financial information about the bank's customers. It is possible that, had they had more time, they could have found their way to the sensitive data.

In this regard, the security standards implemented by the bank proved effective. Some data was exposed, though: the names, home addresses, phone numbers, and email addresses of the affected parties, which can still be used in cybercriminal activities.

Also, the perpetrators got a list of the applications and programs installed on standard JPMorgan Chase computers. As a consequence, those software assets need to be replaced, an operation that cannot be completed quickly, which gives cybercriminals time to find and exploit vulnerabilities in them.

During the initial stage of the investigation, it was suspected that the attack was state-sponsored, with a finger pointed at Russia, but this possibility was ruled out in October.

What is currently known about the attackers is that they used at least one computer located in Brazil. This does not mean that any of them is a citizen of that country, since connections can be routed through different machines around the world, which is standard procedure in cyber-attacks.

[Image gallery: JPMorgan Chase breach (5 images). Captions: "Initially, attackers gained access to a single server"; "One server was not upgraded to support the 2FA security measure"; "FBI is involved in the investigation".]