It's not uncommon for cyber criminals or other attackers to hack their way to an organization's data via a forgotten machine sitting on the target's network, but you wouldn't expect that to happen at a major financial institution. That is apparently exactly what led attackers to infiltrate JPMorgan this year in a breach that escalated because the bank neglected to institute strong, two-factor authentication on one of its servers, according to a new report.
The New York Times reported this week that sources briefed on investigations into the cyberattack on JPMorgan last spring say the big hole that led attackers to the data was the lack of two-factor authentication of one of the bank's network servers. The attackers ultimately stole information on 83 million households and small businesses including email addresses, home addresses, and phone numbers.
Many details of the hack are not yet known publicly, but the initial attack started with the attackers grabbing the credentials of a JPMorgan employee, according to the new report. The lack of a second factor of authentication in one of the bank's network servers left the bank open to the data theft.
The initial attack vector has not been made public, but an obvious possibility would be a phishing email or some other common way to dupe the bank's users and get a foothold into the network. Once the bad guys can pose as a legitimate user, they attempt to move around the network and steal information under the radar.
"Until companies divorce the belief that users and accounts are the same thing, and begin monitoring account usage, vigilantly searching for compromised account usage, this trend of breaches will continue," says Trey Ford, global security strategist at Rapid7. "Once an attacker has a privileged credential, they can usually access sensitive data and escape most incident detection solutions because they appear as a valid user to those detection solutions."
The JPMorgan hackers were able to access more than 90 of the bank's servers, but were detected before they got to sensitive customer financial information, sources in the Times article said. The NSA is also assisting the bank in ensuring its network is more tightly locked down.
"These latest revelations underscore a difficult truth: It is effectively impossible to keep track of every possible hole in a modern network," says Steve Hulquist, chief evangelist at RedSeal.