perfect opsec is hard —

JPMorgan Chase hack due to missing 2-factor authentication on one server

No zero-day exploits required, just a stolen username and password.

JPMorgan Chase was among five banks that were reported to have been hacked earlier this year, and details have emerged on how the hack took place.

When news first broke in August, it was believed that a zero-day Web server exploit was used to break into the bank's network. Now, however, The New York Times is reporting that the entry point was much more mundane: a JPMorgan employee had their credentials stolen.

This shouldn't have been a problem. JPMorgan uses two-factor authentication, meaning that a password alone isn't sufficient to log in to a system. Unfortunately, for an unknown reason one of the bank's servers didn't have this enabled. It allowed logging in with username and password alone, and this weak point in the bank's defenses was sufficient for hackers to break in and access more than 90 other servers on the bank's network.

The intrusion lasted several months, starting in spring and only being stopped in mid-August. Sources briefed on the FBI's investigation of the attack told NYT that customer financial information wasn't compromised. The ongoing intrusion was only discovered when JPMorgan noticed that a server used to run the website for its Corporate Challenge charity race had been broken into.

It's unclear why one server was left without two-factor authentication enabled, though NYT notes that JPMorgan's network is a complex agglomeration of numerous legacy systems that have accumulated over the years as the bank has bought and merged with other banks. This makes managing and securing the network more difficult than it might otherwise be.
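The failure described above, a single host in a large legacy fleet that still accepts a password alone, is the kind of inconsistency a fleet-wide configuration audit is meant to surface. The following is an added example, not JPMorgan's or the NYT's material; it assumes the servers are OpenSSH hosts (the article does not say what kind of server was involved) and that each host's `sshd_config` text has already been collected.

```python
"""Fleet audit: flag hosts whose sshd still lets a password alone log in.

Added example (assumption: OpenSSH hosts, configs already collected).
Only global directives are evaluated; Match blocks are skipped for brevity.
"""
from typing import Dict, List


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return global directives, lower-cased keys, first occurrence wins
    (OpenSSH applies the first value it sees for a keyword)."""
    directives: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after a Match line is per-user/host
        if in_match:
            continue
        directives.setdefault(key, value)
    return directives


def requires_second_factor(directives: Dict[str, str]) -> bool:
    """True only if every AuthenticationMethods chain needs two or more
    methods; chains are space-separated, methods within a chain comma-joined,
    and any single chain that succeeds authenticates the session."""
    methods = directives.get("authenticationmethods", "")
    if not methods:
        return False
    return all(len(chain.split(",")) >= 2 for chain in methods.split())


def accepts_password_only(directives: Dict[str, str]) -> bool:
    """A stolen password suffices when PasswordAuthentication is on (the
    OpenSSH default) and no multi-method chain is enforced."""
    if requires_second_factor(directives):
        return False
    return directives.get("passwordauthentication", "yes").lower() == "yes"


def audit_fleet(configs: Dict[str, str]) -> List[str]:
    """Return the hostnames where a password alone still opens a session."""
    return sorted(h for h, t in configs.items()
                  if accepts_password_only(parse_sshd_config(t)))


# Constructed sample fleet: two hardened hosts and one legacy box at defaults.
SAMPLE_FLEET = {
    "web-01": "PasswordAuthentication yes\n"
              "AuthenticationMethods publickey,keyboard-interactive\n",
    "web-02": "# hardened\nPasswordAuthentication no\n"
              "AuthenticationMethods publickey,keyboard-interactive\n",
    "legacy-01": "Port 22\n# PasswordAuthentication left at its default\n",
}
```

Running `audit_fleet(SAMPLE_FLEET)` returns `['legacy-01']`, the one host where the default password login was never tightened.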
