JPMorgan Hackers Compromised Server Unprotected by Two-factor Authentication

A server that lacked two-factor authentication was the gateway hackers used to breach JPMorgan Chase this year, according to a report. 

According to The New York Times, sources familiar with the breach investigation revealed that the attack against the bank began after hackers stole the login credentials of a JPMorgan employee. It remains unknown where the attack originated.

While two-factor authentication is common in many environments, JPMorgan’s security team failed to upgrade one of its network servers with the security scheme – a mistake that left the bank open to intrusion, according to the report. The oversight is reportedly now part of an internal review at the company.

“Compromised credentials have been a factor in the vast majority of breaches including Sony and Target, based on the information that has been shared to date,” said Trey Ford, global security strategist at Rapid7. “Once an attacker has a privileged credential, they can usually access sensitive data and escape most incident detection solutions because they appear as a valid user to those detection solutions. This is how attackers are staying undetected in organizations for days, months and sometimes even years.”

After the network was compromised, the attackers were able to pivot and access more than 90 servers at the bank. In the end, the hackers compromised data on 76 million household customers and seven million businesses, including email addresses, names and telephone numbers. According to JPMorgan, no private financial information was taken before the attack was detected in August.

According to The New York Times, the breach was uncovered after the bank discovered that the same group of hackers had breached a website for a charitable race sponsored by the bank.

“Hearing that a server did not have two-factor enabled is not a shocker – although it really should be by now,” said Christopher Martincavage, senior sales engineer at SilverSky. “Recent security stories over the past few months have highlighted the compromise of sensitive information due to this same issue.”

“What I find fascinating is that for months they were able to gain access to more than 90 servers,” he said. “Two-factor is not the only problem at JP Morgan, it was just the first door kicked in. Two-factor methods can be stolen just like outdated login credentials… Organizations need to follow a layered approach. Assume security systems will be evaded. Create controls to detect activities when others fail. Yes, it’s upsetting to see that outdated authentication was used to gain access into the network. It’s more frightening to think they accessed the network for months without being detected.”
